Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It's not normally the default, but there's a world of bad advice out there telling people to chmod everything to 777 so that their PHP CMS can upload files.

Hell, Wordpress recommends against it (and still doesn't do a great job explaining): https://codex.wordpress.org/Changing_File_Permissions#The_da... -- probably because people keep suggesting it. A search for "chmod 777" brings up plenty of examples.

Even chroot will mitigate this, but e.g. reseller types quite often don't have that level of competence.



The situation with default file permissions is already terrible enough that no host should ever have o+x on home directories. And once you remove that, it doesn't matter if everything inside is 777.


This doesn't work for setups with e.g. a single apache instance running as www-data.


Add the apache user to every customer's group. It can get into the files but no other users can.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: