[hbfriends]

Can anyone explain to me what is chmod to 777 and how can i do it? PLZ!!!!!!!!!!!!!!!!!!

[Adequate]

You usually CHMOD a file in your FTP to write accesses etc... Once you select a file (or files), right click and there should be a selection of choices. If CHMOD is not one of them.. it should be under properties. Once you have located CHMOD then there should be an input box and that is where you type your CHMOD numbers.

[Eclipse]

To add it is file permitions whether or not the owner, group, or other can write execute or read from a file. Here is a chmod calculator if you are ftp'ing via telnet http://wsabstract.com/script/script2/chmodcal.shtml

[infinitylimit]

in php chmod (short for change mode) is a function see www.php.net/chmod

777 means give everyone read,write, execute privleges for a given file (not advisable).

There are several ways (octal,'rwx',decimal) to define permission you should read the link.

[mikaelf]

when you're working with your shell, simply write:
shell >> chmod (-f) 777 file_name #to change single file permission
shell >> chmod -R 777 dir_name #to change single directory permission
shell >> chmod -Rf 777 dir_name #to change single directory and all its content recursively

[phanbox]

Quote:

Originally Posted by infinitylimit

in php chmod (short for change mode) is a function see www.php.net/chmod

777 means give everyone read,write, execute privleges for a given file (not advisable).

There are several ways (octal,'rwx',decimal) to define permission you should read the link.

Hi,

I have a security question about world-writable directories. You say it is not advisable. I'm wondering how so. Is it because it is a vulnerability in itself or is it a vulnerability in conjunction with a badly administrated server? What are some of the ways that a world-writable directory can be written to by someone who is not a user of the server?

[moronovich]

Quote:

What are some of the ways that a world-writable directory can be written to by someone who is not a user of the server?

This is possible if you allow nobody access to your server using TCP/IP (especially FTP and SSH?). If you have good security awareness, this condition should never happen since whole directories are protected with strict rules which makes access to files and directories be more limited. To solve this issue, I usually firewall connection to my server and limit access to certain ports only (if it possible, to only open port 80 for world access is the most acceptable). There are also several tweaks you can do. Google is your friend for this..

[Eclipse]

here is the code to chmod calulator which i tied into a file browser but you can just enter the path to the file then chmod it and your done. It's VERY long so jsut copy and paste it. Filename would be like: ../index.php or ../images/splash/log.txt
Ok here ya go:

PHP Code:

if(!isset($_GET["name"]) AND !isset($_GET["t_owner"]) AND !isset($_GET["t_group"]) AND !isset($_GET["t_other"]) AND !isset($_GET["sure"])){

                    echo("<table BORDER=\"1\" CELLSPACING=\"2\" CELLPADDING=\"3\">");

                    echo("<tr><td align=\"left\" colspan=\"3\"><a href=\"" . $c_url2 .  "login.php\"><font color=\"#666666\"><i>Admin Panel / </a></font>CHMOD File</i></td></tr>");

                    echo('<tr><td><form action="' . $c_self . '" method="get"><input type="hidden" name="action" value="page_chmod">Name:  <input type="text" name="name"><br><input type="submit" value="CHMOD File"></tr></td>');

                }

                elseif(isset($_GET["name"]) AND !isset($_GET["t_owner"]) AND !isset($_GET["t_group"]) AND !isset($_GET["t_other"]) AND !isset($_GET["sure"])){

                    $name = $_GET["name"];

                    echo("<table BORDER=\"1\" CELLSPACING=\"2\" CELLPADDING=\"3\">");

                    echo("<tr><td align=\"left\" colspan=\"4\"><a href=\"" . $c_url2 .  "login.php\"><font color=\"#666666\"><i>Admin Panel / </a></font><a href=\"" . $c_self . "?action=page_chmod\">CHMOD File /</a></i> <b>" . $name . "</b></a></td></tr>");

                    if(!file_exists($name)){

                        echo("Please enter a valid file...");

                        echo('<form action="' . $c_self . '" method="get"><input type="hidden" name="action" value="page_chmod">Name:  <input type="text" name="name"><br><input type="submit" value="CHMOD File">');

                    }

                    elseif(file_exists($name)){

                        echo('<tr><td><script language="JavaScript">

// Chmod calculator. This is useful when setting permissions on cgi files using FTP

// Copyright Peter Crouch 2000. All rights reserved.

// Visit [url]http://www.perlbay.com[/url] for other thing written by me

//Visit [url]http://javascriptkit.com[/url] for this script and more



function calculator(user, number){

// Owner

if (user == "owner" && number == "4"){var box = eval("document.chmod.owner4")}

if (user == "owner" && number == "2"){var box = eval("document.chmod.owner2")}

if (user == "owner" && number == "1"){var box = eval("document.chmod.owner1")}

// Group

if (user == "group" && number == "4"){var box = eval("document.chmod.group4")}

if (user == "group" && number == "2"){var box = eval("document.chmod.group2")}

if (user == "group" && number == "1"){var box = eval("document.chmod.group1")}

// Other

if (user == "other" && number == "4"){var box = eval("document.chmod.other4")}

if (user == "other" && number == "2"){var box = eval("document.chmod.other2")}

if (user == "other" && number == "1"){var box = eval("document.chmod.other1")}

if (box.checked == true){

if (user == "owner"){

document.chmod.h_owner.value += ("+number")

var a= (document.chmod.h_owner.value)

var b= eval(a)

document.chmod.h_owner.value=b

document.chmod.t_owner.value=b

}if (user == "group"){

document.chmod.h_group.value += ("+number")

var a= (document.chmod.h_group.value)

var b= eval(a)

document.chmod.h_group.value=b

document.chmod.t_group.value=b

}if (user == "other"){

document.chmod.h_other.value += ("+number")

var a= (document.chmod.h_other.value)

var b= eval(a)

document.chmod.h_other.value=b

document.chmod.t_other.value=b

}

}

if (box.checked == false){

if (user == "owner"){

if (document.chmod.h_owner.value == ""){

document.chmod.t_owner.value=""

}else {

var a=(document.chmod.h_owner.value);

b=a-(number);

c=eval(b);

document.chmod.h_owner.value=c

document.chmod.t_owner.value=c

}}if (user == "group"){

if (document.chmod.h_group.value == ""){

document.chmod.t_group.value=""

}else {

var a=(document.chmod.h_group.value);

b=a-(number);

c=eval(b);

document.chmod.h_group.value=c

document.chmod.t_group.value=c

}}if (user == "other"){

if (document.chmod.h_other.value == ""){

document.chmod.t_other.value=""

}else {

var a=(document.chmod.h_other.value);

b=a-(number);

c=eval(b);

document.chmod.h_other.value=c

document.chmod.t_other.value=c

}}

}}

</script>



<form name="chmod">

<input type="hidden" name="action" value="page_chmod">

<input type="hidden" name="name" value="' . $name . '">

<input name="h_owner" type="hidden" value="">

<input name="h_group" type="hidden" value="">

<input name="h_other" type="hidden" value="">

<table bgcolor="#000000" cellpadding="5" cellspacing="1">

<tr bgcolor="#ffffff">

       <td colspan="4"><font face="verdana" size="3"><b>Chmod: <i>' . $name . '</i></b></font></td>

</tr><tr bgcolor="#ffffff" align="center">

       <td><font face="verdana" size="-1"><b>Permission</b></font></td>

       <td><font face="verdana" size="-1"><b>Owner</b></font></td>

       <td><font face="verdana" size="-1"><b>Group</b></font></td>

       <td><font face="verdana" size="-1"><b>Other</b></font></td>

</tr><tr bgcolor="#ffffff" align="center">

       <td><font face="verdana" size="-1"><b>Read</b></font></td>

       <td><input type="checkbox" name="owner4" value="4" onclick="calculator(\'owner\', 4)"></td>

       <td><input type="checkbox" name="group4" value="4" onclick="calculator(\'group\', 4)"></td>

       <td><input type="checkbox" name="other4" value="4" onclick="calculator(\'other\', 4)"></td>

</tr><tr bgcolor="#ffffff" align="center">

       <td><font face="verdana" size="-1"><b>Write</b></font></td>

       <td><input type="checkbox" name="owner2" value="2" onclick="calculator(\'owner\', 2)"></td>

       <td><input type="checkbox" name="group2" value="2" onclick="calculator(\'group\', 2)"></td>

       <td><input type="checkbox" name="other2" value="2" onclick="calculator(\'other\', 2)"></td>

</tr><tr bgcolor="#ffffff" align="center">

       <td><font face="verdana" size="-1"><b>Execute</b></font></td>

       <td><input type="checkbox" name="owner1" value="1" onclick="calculator(\'owner\', 1)"></td>

       <td><input type="checkbox" name="group1" value="1" onclick="calculator(\'group\', 1)"></td>

       <td><input type="checkbox" name="other1" value="1" onclick="calculator(\'other\', 1)"></td>

</tr><tr bgcolor="#ffffff" align="center">

       <td><font face="verdana" size="-1"><b></b></font></td>

       <td><input type="text" name="t_owner" value="" size="1"></td>

       <td><input type="text" name="t_group" value="" size="1"></td>

       <td><input type="text" name="t_other" value="" size="1"></td>

</tr>

</table>

<input type="submit" value="CHMOD File: ' . $name . '">

</form></td></tr>');

                        }

                }

                elseif(isset($_GET["name"]) AND isset($_GET["t_owner"]) AND isset($_GET["t_group"]) AND isset($_GET["t_other"]) AND !isset($_GET["sure"])){

                    $name = $_GET["name"];

                    $chmod1[0] = $_GET["h_owner"];

                    $chmod1[1] = $_GET["h_group"];

                    $chmod1[2] = $_GET["h_other"];

                    $chmod = "0";

                    foreach($chmod1 as $k){

                        $chmod .= $k;

                    }

                    echo("<table BORDER=\"1\" CELLSPACING=\"2\" CELLPADDING=\"3\">");

                    echo("<tr><td align=\"left\" colspan=\"3\"><a href=\"" . $c_url2 .  "login.php\"><font color=\"#666666\"><i>Admin Panel / </a></font><a href=\"" . $c_self . "?action=page_chmod\">CHMOD File /</a></i> <b>" . $name . "</b> - <i>{" . $chmod . "}</i></td></tr>");

                    if(!chmod($name,$chmod)){

                        echo('<tr><td>Error setting permissions on: <b>' . $name . '</b> to: <i>' . $chmod . '</i>.</td></tr>');

                    }

                    else{

                        echo('<tr><td>Set permissoins on: <b>' . $name . '</b> to: <i>' . $chmod . '</i>.</td></tr>');

                    }

                    

                }

                echo("</table>"); 

And include this file before that code:

PHP Code:

//Edit, fill with your own information

$c_url = "http://localhost"; //your url without ending /

$c_path = "chmod/"; //the directory it is from root with ending /





//Assign Variables please do not edit

$c_url2 .= $c_url;

$c_url2 .= "/";

$c_url2 .= $c_path;

$c_url3 .= $c_url;

$c_url3 .= $c_name;

$c_self = $_SERVER['PHP_SELF'];

$c_name = $_SERVER["SCRIPT_NAME"]; 

Hope you got that all, and hope that works.

[phanbox]

Quote:

Originally Posted by moronovich

This is possible if you allow nobody access to your server using TCP/IP (especially FTP and SSH?). If you have good security awareness, this condition should never happen since whole directories are protected with strict rules which makes access to files and directories be more limited. To solve this issue, I usually firewall connection to my server and limit access to certain ports only (if it possible, to only open port 80 for world access is the most acceptable). There are also several tweaks you can do. Google is your friend for this..

Hi,

Thank you very much for your response. I've been google-ing further on the information you gave me. My understanding is that the user called "nobody" by default does not have login permissions. Without login permissions, "nobody" cannot have write access to the server using FTP or SSH. "nobody" can only write if it was coded in a server-side script. What you suggested is to firewall FTP and SSH access. Is this just in case "nobody" somehow gained login permissions and can now FTP and SSH? Please let me know if my understanding is flawed.

Thanks again.

[moronovich]

yap, that's right. that's just a special case which rarely happen in the real world. i'm sure if it happens, it's just about the human error and not the system.
below is default configuration for user nobody in FreeBSD:

Code:

root#chpass nobody
Login: nobody
Password: *
Uid [#]: 65534
Gid [# or name]: 65534
Change [month day year]:
Expire [month day year]:
Class:
Home directory: /nonexistent
Shell: /sbin/nologin
Full Name: Unprivileged user
Office Location:
Office Phone:
Home Phone:
Other information:

you can see that it's almost impossible for nobody (somebody outside the server) to hijack the system since no login authority is given.

aynway, here i will show how user can trespass your system through ftp

Code:

root#chpass ftp
Login: ftp
Password: *
Uid [#]: 1073
Gid [# or name]: 5
Change [month day year]:
Expire [month day year]:
Class:
Home directory: /var/ftp/
Shell: /bin/sh
Full Name: User &
Office Location:
Office Phone:
Home Phone:
Other information:

you can see that user ftp can log in to the server using shell
if somebody try to log in to your ftp server through shell and by chance is able to put some binary files to your server, you' re now at risk. if the application runs at backdoor and you don't know what it exactly does, just prepare for the worst (although it's not so necessary to be a paranoid ).

the hacker can also try to port scan your server (using nmap or such tools). if you don't manage your ports well, just let them open, beware, maybe it's the time for the server to be down.. but again, i say, it's not so necessary to be a paranoid.. people are kind..