[Discuss] file permission execute questions

Dan Ritter dsr at randomstring.org
Sat Sep 28 13:54:03 EDT 2013


On Sat, Sep 28, 2013 at 05:38:38PM +0000, Eric Chadbourne wrote:
> Hi All,
> 
> Got a basic question for you.  On web servers I usually set files to
> 644 (-rw-r--r--).  A designer I'm working with keeps leaving files
> (-rw-r--r-x) with the last being execute.  Is this bad?  Why?

Yes. The executable flag means that the file is a script or binary that
a user should be able to execute.

That means that any file which can be overwritten by the web server
via user input is immediately available to execute via some other
vulnerability.

In any case, your designer should never have access to production
systems. They should upload to a configuration management system or a
QA system, and then your ops people should promote the QA-approved files
to production. In very small operations, the QA approval process
looks like this:

Designer: I put the changes you wanted on the QA server.
Client: I looked at them and they seem right to me.

-dsr-
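
One way to audit a document root for the stray execute bits discussed in this thread, as an added example that is not part of the original post. The function names are hypothetical and the directory to scan is an assumption supplied by the caller.

```python
import os
import stat
import sys

# Any of the three execute bits (user, group, other).
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit_exec_bits(web_root):
    """Return sorted [(relative_path, mode_string)] for regular files
    under web_root that have any execute bit set."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, device nodes
            if st.st_mode & EXEC_BITS:
                rel = os.path.relpath(path, web_root)
                findings.append((rel, stat.filemode(st.st_mode)))
    return sorted(findings)


def strip_exec_bits(web_root):
    """Clear execute bits on every flagged file and return their paths.
    Directories are left alone: they need x to be traversable."""
    fixed = []
    for rel, _mode in audit_exec_bits(web_root):
        path = os.path.join(web_root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~EXEC_BITS)  # e.g. 645 -> 644, 755 -> 644
        fixed.append(rel)
    return fixed


if __name__ == "__main__":
    # Report only; the directory argument defaults to the current directory.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, mode in audit_exec_bits(root):
        print(mode, rel)
```

Run it report-only first; files that are meant to be executed (CGI scripts, for instance) will also be listed and should be reviewed before calling strip_exec_bits.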


