Scope of security vulnerability on world-writeable folders?

Greetings all...

As I'm hardly an expert on the internals of UNIX/Linux, I would very much appreciate it if someone could give me an actual definition of what "world-writeable" means.

I realise that some CGI scripts require a world-writeable folder in order to function, at the expense of creating a security vulnerability on the system. I'm primarily looking for information on what the scope of this security vulnerability is.

For example... If I'm in a shared hosting environment, and I set a folder within my HTML document root to be "world-writeable"... Does it mean that any other authenticated user on that system can write to the folder, or does it mean that absolutely anyone else on the entire Internet can write to the folder if they know its path? Or...?

Thank you for your attention!

- S A Curnew

World writable files mean that anyone inside or outside of your group (hey.. that's EVERYONE on your system ), can write to the files. That is, all of the users, of all of the groups on your system can write to those files.

World writable files would generally NOT be considered a good idea for anything that was remotely important. Some commands will create world writable files, but otherwise, you shouldn't be assigning RWX permissions for everyone. It's probably best to just not maintain any world writable directories at all.

Some things need to be world writable though. So don't go making /tmp, etc. non-world writable.

Anything created by and used by a user or only a group of users never has to be world-writable. If nothing else, you should be able to set up a group which will allow all users who need to write to the file, and then give the group write access.

Thanks muchly for the replies, all.

I also appreciate the advice that nothing remotely important, or anything that is only used by a single user or group of users, should be world-writeable...

However, if you're in a shared hosting environment, you don't have the root access necessary to start configuring user and group assignments... And it's a fact of life that some CGI and PHP scripts just don't work unless you configure a world-writeable folder for them to work with... Thus why I was seeking more information on the exact security ramifications of their existence.

- S A Curnew

What scripts are you using that need everyone to have full permissions on a directory? Even if your scripts are running as the www user, only the www user MUST have full permissions to such and such a directory. You can then (and probably should) give everyone else except the necessary programmers/maintainers absolutely NO permissions to it. That way, people can't read your CGI files and exploit them locally. Then, if you've practiced good security measures in your CGI scripting, any exploits that are executed would have to be done from the web (which won't happen, because you've practiced good security measures in your scripting... right?).

[clarification]
Epsilon - thanks for pointing that out. Clarify: Anything that you or any of your users create probably doesn't have to world-writable and probably shouldn't be unless it's some sort of dumping ground for junk like /tmp (even then... best just not to do it).
[/clarification]