Surely now is the time for any extension that has an "option" to 777 or in the documentation "instructs" you to 777 to have a large and prominent warning about the dangers of this placed on their listing.
I understand the issue and sentiments, but I'm not convinced that this is yet another thing to lump on the JED editors. It's great to focus so finely on this issue, but what are the implications for the workload of the JED people if the assumption is that it's the responsibility of the JED people to actually find this problem? Personally, this is just a subset of vulnerability issues that can be encountered using a Joomla site.
To be clear, 777 is not advisable but sometimes the only (temporary) workaround on a minority of sites which aren't set up well (as long as you remember to change it back, aka, remember to lock your safety deposit box after you've done your business). When I've encountered this I encourage people to either employ an experienced Sys Admin to fix up their system or change to a host that does it for them.
An extension that advertises 777 as a carte blanche solution is really not doing the right thing (no argument there). An extension that allows you to configure chmod-ing is perfectly fine (though I'd avoid it personally because if your site is set up correctly, you don't need it), but defaulting to 777 is unwise. An FAQ on a vendor site that says something to the effect of "if all else fails, temporarily 777 folders, do X, Y and Z and then change it back and understand these risks" is also acceptable. Ultimately a vendor cannot have full control over their customers' sites. However, chmod-ing has no effect on the security of the executed code itself - other vulnerabilities could exist regardless of what the file permissions are.
For me, a reasonable solution could be:
* To ensure we have a good project wiki page explaining file permissions (if not there already) that extension developers can easily reference if they so choose (i.e., make it easy to do "best practice").
* Define exactly what is bad practice as far as an extension is concerned.
* Allow that bad practice to trigger getting listed on the Vulnerable Extensions List (VEL).
I don't think this is specifically a JED issue other than handling this how any other extension on the VEL is handled (this isn't a special case, it's just one thing in a long list of possible security issues). I think the VEL would be sufficient incentive for developers to do the right thing (as long as we have defined what the wrong thing is).
Andrew Eddie - Tweet @AndrewEddie
- Got Joomla for free? Pay it forward and help fight poverty.
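The post above stresses that a temporary 777 is only tolerable if you remember to change it back. The following is an added example (not part of the original post or of any Joomla project code) of a small audit script a site admin could run to find lingering world-writable files and directories under a web root and restore conventional modes; the web root path, and the assumption that 755 for directories and 644 for files are the desired defaults, are assumptions, not something the post specifies.

```shell
#!/bin/sh
# Audit a web root for world-writable entries (the "other write" bit, as set by
# chmod 777 or 666) so that a temporary workaround is not forgotten.
# Example usage (path is an assumed placeholder):
#   audit_world_writable /var/www/html || restore_default_modes /var/www/html

# Print every world-writable file or directory under $1, one per line.
# Returns 0 when the tree is clean, 1 when at least one such entry exists.
audit_world_writable() {
    # -perm -0002 matches any entry whose mode includes write for "other"
    # (777, 666, 757 ...), regardless of the remaining bits.
    found=$(find "$1" \( -type f -o -type d \) -perm -0002 -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# "Change it back": reset any world-writable directory to 755 and any
# world-writable file to 644 under $1. Those defaults are an assumption
# for this example; adjust them to what your host actually requires.
restore_default_modes() {
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
}
```

Run the audit from cron or after any support session that involved loosening permissions; a non-zero exit is the signal that something was left at 777.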