1 hgovernick Nov 27, 2008 20:00
3 tblue Nov 27, 2008 20:50
Better solution: chgrp the directory to the group under which PHP is running, e. g. http or www-data (or even your own user group? Depends on your config.). Then chmod the directory to 775 (or 770 if you're paranoid ;)).
Tblue
4 hgovernick Nov 27, 2008 21:01
personally I wouldn't pay a host that I had to allow 777 for
Thank you... I won't pay myself anymore. :lol:
tblue wrote:
Better solution: chgrp the directory to the group under which PHP is running, e. g. http or www-data (or even your own user group? Depends on your config.). Then chmod the directory to 775 (or 770 if you're paranoid ;)).
Thank you for this suggestion. I'll experiment with it to see what happens. Meantime, would you know the answer to my original question, "exactly what are the security risks of changing permissions on /blogs/media/"?
By the way - Happy Thanksgiving!
Best wishes,
HGovernick
5 yabba Nov 27, 2008 21:01
that'd still allow script a in /home/user_a/ to write to /home/user_b ;)
¥
6 yabba Nov 27, 2008 21:03
hgovernick wrote:
personally I wouldn't pay a host that I had to allow 777 for
Thank you... I won't pay myself anymore. :lol:
hehe, sorry, no harm no foul ;)
look into suphp ;)
hgovernick wrote:
Meantime, would you know the answer to my original question, "exactly what are the security risks of changing permissions on /blogs/media/"?
On most servers, it means you're asking to be bitch slapped by skiddies/spammers ;)
¥
7 tblue Nov 27, 2008 21:06
Sure, if you chmod the directory to 777 you allow *everyone* to read, list and modify its contents. 777 is the same as rwxrwxrwx, that means read access, write access and the permission to list the directory contents for user, group and everybody else. See also the chmod man page.
8 yabba Nov 27, 2008 21:17
.... and if you chgrp the folder/files to "www-apache|nobody|webserver|etc" ?
¥
9 hgovernick Nov 27, 2008 21:55
Thank you all. I'm just learning my way around b2evo, so for the time being I'm not going to change the permissions.
It's my intention to (try to) create a blog in which I can import (certain) news feeds into the blog, and allow visitors to add comments to the imported articles (ala HuffPost, etc.).
I'll also (attempt to) add my own original articles about various issues facing our nation, and allow comments to those articles.
I'm doing this (as an attempt) to gather a community of people who think "out of the box", and who may add valuable insights into the critical issues facing us - economy, etc.
I'm somewhat frustrated with most of the more popular news blogs out there whose writers seem (to me at least) to be stuck in "common thinking for uncommon issues" mode.
Thank you again.
Best wishes,
HGovernick
10 edb Jan 14, 2009 07:46
The risk is that one day you will notice that each folder you CHMODed to 777 has an extra pair of files - a php thingie and a .htaccess file. So you poke your nose in and figure out these files are a barely-disguised redirect for "file not found" requests, meaning you've been hacked. So you hit the forums and talk to your host/self/whatever and figure out that suphp is the thing your server needs. The risk is small but real - it comes from, at the very least, those who share your server with you. It allows those on your server to upload files to your portion of the server, which obviously can do all sorts of malicious stuff. Suphp totally kills that risk ... not that I have any idea of "how" it eliminates the risk :)
So yeah, it happened to me LONG AFTER I asked the same question quite a few times and didn't get an answer other than "don't do that". My host had the answer before these forums so hell yes I stayed with them. Now I chmod nothing, figuring if the server can't let me do my thing without opening up holes for others to do their thing then it's time to find a new server.
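An added example, not from the thread, that turns tblue's chgrp/775 advice and EdB's "every 777 folder got extra files" check into shell functions. It assumes a POSIX sh with chgrp, chmod and find, and GNU stat (with a BSD stat fallback); the web server group name (e.g. www-data) is an assumption you pass in.

```shell
#!/bin/sh
# Added example (not from the thread): audit and fix an upload directory such
# as blogs/media/ so the web server can write to it without making it 777.
# Assumes POSIX sh, chgrp/chmod/find and GNU stat (falls back to BSD stat).

# Octal permission bits of a path, e.g. 777 or 775.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Exit 0 when "other" has write permission, i.e. any local user on a shared
# host can drop files into the directory (the 777 case from the thread).
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -002 -print 2>/dev/null)" ]
}

# List every directory below $1 that is world-writable. This is what you
# would run after finding a stray .php + .htaccess pair in a 777 folder.
audit_world_writable() {
    find "$1" -type d -perm -002 -print
}

# tblue's suggestion as a function: hand the directory to the web server's
# group ($2, e.g. www-data, assumed name) and allow group write only. Pass
# "strict" as $3 to use 770 instead of 775 (no read/list for other users).
harden_upload_dir() {
    dir=$1; web_group=$2; strict=${3:-}
    chgrp "$web_group" "$dir" || return 1
    if [ "$strict" = strict ]; then chmod 770 "$dir"; else chmod 775 "$dir"; fi
    # Verify the fix really removed world write before reporting success.
    if is_world_writable "$dir"; then
        echo "still world-writable: $dir" >&2
        return 1
    fi
    echo "$dir: mode $(mode_of "$dir"), group $web_group"
}
```

Note that, as yabba points out, group ownership only stops unrelated local users; anything else running as the web server's group (other customers' scripts on a host without suphp) can still write there.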
11 hgovernick Jan 14, 2009 09:42
Thank you EdB,
Yours is the answer I was looking for, and what I had suspected. It would then seem to me that b2e requiring permissions in that specific directory would be a security risk inherent in the software itself. In other words, my server will "let me do my thing" if I wanted to follow the directions of b2e, but following those directions would be a possible security compromise.
Best wishes
12 yabba Jan 14, 2009 16:56
The security risk is inherent in any server app that needs to write files ( galleries, blogs, forums ... anything that allows uploads really ). The only other option is to store all the files in a database, but that's inefficient ;)
¥