So you probably just finished setting up your first ever web server that will host your tasks app, a Nextcloud instance, and maybe some budget app that you want to use to track your spending. Now you're tooting your own horn and having a big party.

After downloading and installing your new task app you run into an error.

Permission errors are so annoying! ;)

You see a permission error. Hastily scanning the interwebs you come across many threads that state “chmod 777 will help”. And indeed, some folks state that this got everything up and running. So you clearly have to adjust the permissions to get everything to work, right?

I mean, if you were the owner of a house and one of your tenants had a problem getting into their apartment, you would just remove all the doors for them, right? Right?!

Well, that's what a chmod -R 777 somedirectory/ does.

It opens up the directory and everything in it to every user on the server, including the user your web server runs as.

Photo by Alex Holyoake on Unsplash

777 means every user on the machine, not just the owner, can read, write and execute the directory and its files: the three digits are the permissions for the owner, the group and everyone else, and each digit is the sum of 4 (read), 2 (write) and 1 (execute). Welcome chaos.

If you were the tenant of the aforementioned apartment, you might at first think "well, that worked like a treat, I am back in and I can finally take a shower!"

Security issues in two acts

Enter your neighbour.

"Hey Tom! Nice that you have all your doors removed. Just don't mind me while I go through your account statements and also put my old shoes in your drawer. Ooooh, nice boxers you have there. I'll just borrow the red and the grey ones! And oh, you should be doing something about your cholesterol, just as your doctor writes!"

Enter your janitor.

"I know we had an appointment for next week, but there's no door, so I figured I could just... oh, what a nice bedroom of yours. Is that mahogany on the headboard? I so love wood!"

Still in the shower? You shouldn't be. You should be scared stiff and screaming all over the place.

Now you might say “wait a moment, that does not apply to me, since I am the only user on my server, ha!”

While this may well be true, let me change the situation slightly and show why it does not save you.

Every server on the internet is vulnerable

You are not safe

Your server is not just a machine that you use at home. It's a VPS with a hosting provider, or a virtual machine that you enabled port forwarding to from your home router. Now we're talking internet!

Every server on the internet is vulnerable. Even more so, if you don’t take good care of permissions and updating your software frequently.

Let’s take a closer look.

You have your budget app, your task app, and your Nextcloud instance running on the same server. Unfortunately your task app has a bug that allows the bad guys to upload files without logging in, simply by calling one of its PHP files directly.

Although things like these should not happen, they do.

They happen every day. Multiple times. Per minute. So it most certainly will happen to one app or another on your server. (We are all just humans after all.)

But not only is there now a file on your server that does not belong there, it is also a PHP file, which can be executed by requesting it, because nothing in your Apache or nginx config stops PHP from running out of the upload directory. An nginx location block that returns 403 for *.php under the upload path, or php_admin_flag engine off for that directory on Apache with mod_php, is all it takes, and it is just as commonly missing.

Yeah, I know. A problem never comes without company.

But back to the topic.

Calling the PHP file, the attacker can now open connections to random IPs, trying to SSH into numerous machines using random user names and passwords. Or the file is triggered and downloads Go binaries and executes them to mine bitcoin on your CPU. Just to name two things of many that I saw on servers out in the wild.

If that's not reason enough, we still have my example at hand. Just like your neighbour and the janitor, the attacker can now navigate through your file system, running as the web server's user. And since you chmod()ed your budget app's directory to 777 to "repair" the permission issues you had, that user, and therefore the attacker, can now change the files of your budget app.

Maybe they just change it to display “p0wned!” on every page that you access.

Or think about someone putting in the work to read your database credentials from the app's config file, connecting to the database and slowly pulling out all the information available in it.

Where your money comes from, where it goes, account information, transfer details. Everything.

(The money you lost by changing write permissions!) Photo by Mathieu Turle on Unsplash

With the write permission you granted to everyone, they could even alter your most favourite feature of the app, which is automatically paying bills via your bank's API. Only now the attacker will put another account number into every single payment that you send, redirecting the money to himself.

Your money never reaches the payee and you receive the dunning letters.

Nice work. The attacker pats himself on the back. You just paid for his Grapple Hackbook “Thin air” without noticing. Damn, I wish I had a Hackbook…

This example might seem a little exaggerated, but I guarantee that it might just as well have happened multiple times today.

What can you do?

Fix the permissions. Honestly. chmod is the tool at hand. Used with care, it lets you make sure everything is correct.

As a little guidance, try these steps:

1. Check user and group ownership.

On most systems the web server runs as the user and/or group www-data, so that is who your web app's files must be readable by. The safest layout is files owned by a separate deploy user with www-data as the group: the web server can read the code but not rewrite it. Ownership is set with chown, not chmod.

2. Check file permissions.

A pretty decent standard permission set is 755 for directories and 644 for files. This gets you most of the way. Only the few directories the app really has to write to (uploads, cache) need to be writable by the web server's group, and none of them by everyone.

3. Check whether PHP runs with the right user/group.

On Apache with mod_php this usually is www-data, but on nginx with PHP-FPM it might very well be another user, depending on your setup; the user and group lines of the PHP-FPM pool config tell you which.

Wrap up

The internet is a cruel place, and by now you should understand why it's a bad idea to change permissions to 777 for production software, at least on servers that are accessible from everywhere in the world.

Using find, you can quickly locate all files and all directories and set them up as described with just two commands.

user@box:/var/www/mytaskapp/# find . -type f -exec chmod 644 {} \;

This will find all files in the current directory and its subdirectories and apply permissions 644 to them.

user@box:/var/www/mytaskapp/# find . -type d -exec chmod 755 {} \;

This will find all directories within the current directory and apply permissions 755 to them.
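To put the three steps above and the two find commands together, here is a small POSIX shell script. It is an added example, not code from the original post. It assumes a layout like /var/www/mytaskapp with a single directory the app writes to (called uploads here), a deploy user that owns the code and www-data as the web server's group; the function names, the directory names and the demo tree it builds in a temp directory are all made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed layout: the app lives
# in a directory like /var/www/mytaskapp, the web server runs with the group
# www-data, and the app only ever needs to write to one directory, here
# called "uploads". Adjust the four arguments of fix_app_perms for your box.

# List everything under $1 that is writable by "others" (the last 7 of 777).
# Symlinks are skipped because their own mode is meaningless.
world_writable() {
    find "$1" ! -type l -perm -o=w
}

# Returns 0 when nothing under $1 is world-writable, 1 otherwise.
no_world_writable() {
    [ -z "$(world_writable "$1")" ]
}

# Baseline: code owned by the deploy user, readable by the web server's
# group, 755 on directories and 644 on files. Only the upload directory is
# opened to the web server's group (775/664), never to everyone.
fix_app_perms() {
    app="$1"; uploads="$2"; owner="$3"; group="$4"
    chown -R "$owner:$group" "$app"
    find "$app" -type d -exec chmod 755 {} +
    find "$app" -type f -exec chmod 644 {} +
    if [ -d "$uploads" ]; then
        find "$uploads" -type d -exec chmod 775 {} +
        find "$uploads" -type f -exec chmod 664 {} +
    fi
}

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Self-contained demo on a constructed directory tree, mimicking a task app
# that someone already "repaired" with chmod -R 777. Runs as the current
# user, so chown targets the current user and primary group.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app/inc" "$tmp/app/uploads"
    printf '<?php\n' > "$tmp/app/index.php"
    printf 'db_password=secret\n' > "$tmp/app/inc/config.php"
    printf 'not really a jpeg\n' > "$tmp/app/uploads/photo.jpg"
    chmod -R 777 "$tmp/app"
    echo "world-writable before the fix:"
    world_writable "$tmp/app"
    fix_app_perms "$tmp/app" "$tmp/app/uploads" "$(id -un)" "$(id -gn)"
    echo "world-writable after the fix:"
    world_writable "$tmp/app"
    echo "config.php is now $(mode_of "$tmp/app/inc/config.php"), uploads is $(mode_of "$tmp/app/uploads")"
    rm -rf "$tmp"
}

demo
```

On a real server run fix_app_perms as root with the deploy user and www-data as the last two arguments, then run world_writable against /var/www and expect no output; anything it prints is a 777 (or 666) left behind from an earlier "repair". The 775 on the upload directory only lets the web server's group write there, which is why the PHP-execution rule for that directory mentioned above still matters: a writable directory that also executes PHP is the combination the attacker in the story needed.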

One last thing to say:

There are certainly cases, where a careful change of permissions can help debugging an issue. I will go deeper into debugging these errors in a later post since today I merely scratched the surface.

While I am doing that, please don't be the Tom who lets his neighbour walk off with his favourite pair of boxers.

Cheers! ;)