Inspired by the discussion in this question.
We have all been taught that leaving directories or files on Linux-based web hosting with the permission level of 777 is a bad thing, and to set always as little permissions as necessary.
I am now curious as to where exactly lies the danger of exploitation, specifically in a PHP / Apache context.
After all, a PHP script file can be executed from the outside (i.e. through a call to the web server, and subsequently to the interpreter) no matter whether it is marked as "executable", can’t it? And the same applies to files called through the command-line php interpreter, right?
So where exactly is the vulnerability with 777? Is it the fact that other users on the same machine can access files that are made world writable?
Here’s one scenario:
system()call in it to the shell script.If this directory is 777, that means that anybody (including the user apache, which is what php script will execute as) can execute it! If the execute bit is not set on that directory and presumably the files inside the directory, then step 3 above would do nothing.
edit from the comments: it’s not the PHP file’s permissions that matter, it’s the
system()call inside the PHP file that will be executed as a linux system call by the linux user apache (or whatever you have apache set to run as), and that is PRECISELY where the execution bit matters.