Is it safe to give 777 permissions to the folder where I have my PHP web project?

4

I want to give full permissions to my lampp folder, where I have my php installed. What I did was:

sudo chmod -R 777 /opt/lampp

Right now I have no other option, because without these permissions I cannot generate a document with PHP using its fopen() function. Otherwise I get "permission denied".

However, I read that many people define it as insecure. Could someone explain what risks it entails?

asked by rai 20.10.2017 at 21:13

2 answers

3

No, it is not correct to give 777 permissions to the directory that you have published on the internet.

Let's briefly review how permissions work:

The permissions that an element can have are divided into three parts:

  • 4 = r = read
  • 2 = w = write
  • 1 = x = execute

The resulting permission comes from adding together the elements that are granted. Therefore, if the owner has permission 7 it means he can do everything with it: read it, edit it and execute it. If he has permission 5 it means he can read it and execute it, but not write to it.

In addition, UNIX users are distributed in groups, something similar to labels: you can be in many groups. This allows that, in addition to owning an element, you also have a "proximity" level to it if you belong to the group that owns it.

In summary, the permission hierarchy has three parts:

  • Owner
  • Owner group
  • Rest of people

Thus, the permissions are written with a syntax like: 641. This means, for example, that the owner has permission 6 (remember, 4 + 2 = read + write), the other members of its group have permission 4 on it (i.e. 4 = read) and all other people have permission 1 (i.e. 1 = execute).

Going back to your question: Is it correct to give 777 permissions to the folder where I have my PHP web project?

To answer it we must see what it means: as we have seen, this implies that all the files in the directory (and its subdirectories) can be read, written and executed by anyone.

Therefore, if for some reason someone manages to upload a file to your server (which, in fact, is what you are implementing), it may well be that they upload a small script that is the key to taking control of your server. For example, they can use a script to modify files in the directory. Anyone. No problem.

answered by 23.10.2017 at 12:02
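The digit arithmetic and the "rest of people" part of the hierarchy described in the answer, as an added example that is not part of the original answer: a small POSIX shell script that decodes an octal mode into the rwx string the answer explains, and lists the world-writable entries under a directory, which is exactly what `chmod -R 777` hands to everyone on the machine. The function names and the sample tree built under mktemp are this example's own.

```shell
#!/bin/sh
# Added example (not from the original answer): decode octal modes and
# audit a tree for entries that "others" can write to.

# octal_to_rwx MODE: e.g. octal_to_rwx 641 -> rw-r----x
octal_to_rwx() {
    mode=$1 out=""
    while [ -n "$mode" ]; do
        rest=${mode#?}            # everything after the first digit
        digit=${mode%"$rest"}     # the first digit itself
        mode=$rest
        case $digit in
            0) out="${out}---" ;; 1) out="${out}--x" ;; 2) out="${out}-w-" ;;
            3) out="${out}-wx" ;; 4) out="${out}r--" ;; 5) out="${out}r-x" ;;
            6) out="${out}rw-" ;; 7) out="${out}rwx" ;;
            *) echo "bad digit: $digit" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$out"
}

# world_writable DIR: print every non-symlink entry below DIR whose "other"
# write bit (0002) is set. A 777 tree matches on every single entry.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# count_world_writable DIR: number of entries world_writable would list
count_world_writable() {
    world_writable "$1" | wc -l | tr -d ' '
}

# demo: constructed sample tree with one 777 directory, one 755 directory
# and one 644 file; only the 777 directory should be reported.
demo() {
    t=$(mktemp -d)
    mkdir "$t/open" "$t/app"
    : > "$t/app/index.php"
    chmod 777 "$t/open"
    chmod 755 "$t/app"
    chmod 644 "$t/app/index.php"
    n=$(count_world_writable "$t")
    rm -rf "$t"
    echo "$n"
}

echo "641 -> $(octal_to_rwx 641)"
echo "777 -> $(octal_to_rwx 777)"
echo "world-writable entries in demo tree: $(demo)"
```

`world_writable /opt/lampp` after the questioner's `chmod -R 777` would list every file and directory in it; the same audit is the quick way to confirm a tree has been tightened again.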
2

Giving total permissions is not correct, especially in production. However, to assign those permissions recursively you can use:

chmod -R 777 /var/www

although I do not recommend those permissions.

You can give read (r) and write (w) permissions for files, and read, write and execute (x) permissions, that is rwx, for folders.

Never give execution permission to files on your server.

Give total permissions recursively:

chmod -R 777 /var/www

Remove execution permissions only for regular files:

find /var/www -type f -exec chmod -x {} \;

With that configuration you should not have problems creating your file.

But I recommend that you remove write permissions from folders where you will not upload or create files with PHP.

A recommended configuration for Apache in production is:

Assuming that:

  • Your site's folder is /web
  • The Apache user is www-data

1.- You must have a development group

groupadd development

2.- All files and folders must belong to Apache, and the group must be the development group

chown -R www-data:development /web

3.- For the Apache user set read-only permissions for files and read and execute for folders; do not assign permissions to other users.

chmod -R 570 /web

4.- For folders in which you want to upload, delete or create files, give write permissions to Apache

chmod -R u+w /web/uploads

5.- For the development group set the s bit

chmod -R g+rwxs /web/

6.- Remove execution permissions for the files

find /web -type f -exec chmod -x {} \;

7.- Add your user and all the necessary ones to the development group.

groups username

usermod -G development username

8.- Add a umask to the profile of the users who connect by ssh (/home/user/.profile)

umask 0002

9.- If you use sftp to upload files to the server, add the umask to the Subsystem line of the sshd configuration file /etc/ssh/sshd_config

Subsystem       sftp    internal-sftp -u 0002

In points 3 and 5 the files are left with execution permissions, but point 6 solves that.

In point 7, bear in mind that if the user belongs to other groups you must add them comma-separated to usermod; the output of groups will tell you which groups to keep

usermod -G otrogrupo,development,... username
answered by 20.10.2017 at 22:38
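The numbered procedure above, as an added example that is not part of the original answer: a POSIX shell script that applies steps 3 to 6 to a throwaway copy of the layout and then checks the result against the goals the answer states (no executable files, nothing for "other", the upload folder writable by the web server user, the code folders not). A temporary directory stands in for /web, and the chown of step 2 is skipped because it needs root, so the whole thing runs as an ordinary user. The function names (apply_layout, check_layout, has_bits) and the sample tree are this example's own, and it uses `chmod a-x` where the answer uses the bare `chmod -x`, because without an explicit who letter chmod filters the removal through the umask.

```shell
#!/bin/sh
# Added example (not from the original answer): apply the answer's steps 3-6
# to a scratch tree and verify the resulting modes. chown (step 2) is omitted
# because it requires root.

# has_bits PATH OCTAL: true when PATH has every bit in OCTAL (0200 = u+w).
# -prune keeps find on PATH itself instead of descending into it.
has_bits() {
    [ -n "$(find "$1" -prune -perm -"$2" -print)" ]
}

# apply_layout ROOT: step 3 (570 everywhere), step 4 (u+w on uploads),
# step 5 (g+rwxs), step 6 (strip x from regular files; a-x, not -x).
apply_layout() {
    root=$1
    chmod -R 570 "$root"
    chmod -R u+w "$root/uploads"
    chmod -R g+rwxs "$root"
    find "$root" -type f -exec chmod a-x {} \;
}

# check_layout ROOT: prints "ok", or the name of the first rule that fails.
check_layout() {
    root=$1
    # rule 1: no regular file carries an execute bit for anyone
    if [ -n "$(find "$root" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print)" ]; then
        echo "executable-file"; return 1
    fi
    # rule 2: "other" has no access to anything in the tree
    if [ -n "$(find "$root" \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print)" ]; then
        echo "world-accessible"; return 1
    fi
    # rule 3: the upload folder is writable by its owner (the web server user)
    has_bits "$root/uploads" 0200 || { echo "uploads-not-writable"; return 1; }
    # rule 4: code folders are not writable by the web server user
    if has_bits "$root/app" 0200; then echo "code-writable"; return 1; fi
    echo ok
}

# make_tree: constructed sample site (one code folder, one upload folder)
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/app" "$root/uploads"
    printf '<?php echo "hi";\n' > "$root/app/index.php"
    printf 'x\n' > "$root/uploads/avatar.png"
    echo "$root"
}

# cleanup ROOT: restore owner write so rm can remove the tightened tree
cleanup() {
    chmod -R u+rwx "$1" && rm -rf "$1"
}

# run_demo: the hardened tree must pass; a chmod -R 777 tree must fail.
run_demo() {
    t=$(make_tree); apply_layout "$t"; hard=$(check_layout "$t" || true); cleanup "$t"
    t=$(make_tree); chmod -R 777 "$t"; loose=$(check_layout "$t" || true); cleanup "$t"
    echo "hardened:$hard loose:$loose"
}

run_demo
```

The second run shows what the checker reports for the questioner's `chmod -R 777`: the very first rule fails. Note that step 5 also sets the setgid bit on regular files (ls shows it as S once the x bit is gone); to confine s to directories, use `chmod -R g+rwx /web` followed by `find /web -type d -exec chmod g+s {} \;`.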