Are 777 permissions dangerous with fwrite?

Question

I am in the process of testing my php form and logging all requests into a separate file. The purpose is to find out if the form is being used for spam and to hopefully eliminate it.

When using fwrite() to log the requests, is it dangerous or unnecessary to use 777 permissions? What is the alternative?

Answer 1

You only need permission for the user the application is running as to be able to write to the file. It is also sometimes convenient for administrators to be able to read the file. Other than that, nobody needs access. Thus, 0640 are the most reasonable permissions for such a file.

In particular, nobody needs to execute the file, which is one of the bits set with 0777 . The execute bit is only needed for directories. (And executable programs, but that's not in play here.)

0640 = user/owner read/write, group read only, other no access
0777 = user/owner read/write/execute, group read/write/execute, other read/write/execute

The umask is pretty useful for getting the permissions right. Instead of creating a file with explicit permission, you use umask to set a permissions template. Since directories need executable permissions and files do not, umask will mask permissions more sanely for the different types of files than setting them explicitly. For example, in your case:

umask(027); // Owner permissions unchanged, Group permissions mask 2, drop all other permissions
fopen('foo', 'w', 0777); // Creates file with *0640* permissions, because of mask
mkdir('bar', 0777); // Creates dir with *0750* permissions, because of mask

Answer 2

777 permission is set default by parent dir or php settings. You can change it by chmod("/somedir/somefile", 0640); Check manual

And yes, this is ambitious and can be dangerous to have executable rights on files created by forms.

Good luck!