Why is it so important to remove 777 permissions?

Solution 1:

PHP scripts run on the web server. Leaving the permissions that way will make your web server user (www-data or apache) able to write to those files. In case your script has some bug or vulnerability, those permissions will allow the web server (and thus, external agents) to change the contents of the files and filesystem. Things that can happen:

  • Loss of everything (the write permission is also permission to delete the files);
  • Addition of unwanted stuff: some attacks aim to add data to your site, like malicious scripts, fake pages or scripts for phishing and spamming. Since your web server can write files to the filesystem, data can be uploaded anywhere it has the permissions.

So, yeah, it's a horrible idea to leave permissions in that state.

Solution 2:

777 is especially bad. It means anyone can delete files as well as create them. I create a file, you delete that file.

If you must use 777, then use 1777 -- this tells the OS to only allow the owner of the file to delete it.

Otherwise it is exactly as coredump said -- a bug in a script that allows me to write out new files or overwrite existing files allows me to do anything I want to your web server. Because I overwrite / create files as apache / nobody / www-data, the web server will be serving my malicious content instead of the original content.

Ideally the web server process can't write to the directories it reads from to avoid such problems.
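
The following is an added example, not part of either answer above: a small audit that lists what is world-writable under a web root, lists what the web server account itself owns and can write, and then clears only the world-write bit. The function names and the temporary demo tree are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the answers above); function names are hypothetical.

# Files and directories any local account can write to: the "other" write
# bit, i.e. the last 7 in 777.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Entries owned by the web server account ($2: user name or numeric UID) that
# their owner may write. Write access granted through a group is not covered.
web_user_owned() {
    find "$1" \( -type f -o -type d \) -user "$2" -perm -0200 -print
}

# Clear only the "other" write bit; owner, group and execute bits are kept.
strip_world_write() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Constructed demo tree in a temporary directory, so no real web root is touched.
demo() {
    root=$(mktemp -d) || return 1
    mkdir "$root/uploads"
    printf '<?php echo "hi";\n' > "$root/index.php"
    printf 'sample\n' > "$root/uploads/a.txt"
    chmod 777 "$root" "$root/uploads" "$root/index.php"
    chmod 644 "$root/uploads/a.txt"
    echo "World-writable before:"
    world_writable "$root"
    echo "Owned and writable by UID $(id -u):"
    web_user_owned "$root" "$(id -u)"
    strip_world_write "$root"
    echo "World-writable after: $(world_writable "$root" | wc -l)"
    rm -rf "$root"
}

demo
```

On a real server, pass the document root and the web server account named in the answers (www-data or apache) instead of the temporary tree; anything `web_user_owned` prints is content a script bug could overwrite.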