What does that mean, exactly? I'm not fluent in file permissions; is this considered bad security juju or what?

It means that the directories/files are world-writable. In a web context it means that the magic web-server user (usually "http" or "www") has permission to write all that stuff, in www/blog form, to disk (read: index.html).

It also means that any other user on the same server can affect said files. Since most installs of Apache explicitly disallow HTTP "PUT" (read: write) requests, there is some illusory protection from random people all over the Internet proper writing to the unprotected directory.

On the other hand, if your webhost offers shell access it would be pretty easy for a bad person, with a login, to snoop out[1] one or more [ insert insecure weblog application here ] directories. From there, they could do something like install a PHP upload form and, bang, your weblog has turned into an instant warez node[2]. Or it may suddenly be "protected" by an .htaccess file you didn't write. That kind of thing.


You can solve most of these problems if your webhost filters cgi-scripts through a "cgiwrapper" that suids to user 'you'. Since you have write permissions on your own directories, you don't have to extend the privilege to the web-server or anyone else. I haven't done a survey, but I suspect that any ISP/webhost worth its salt uses a wrapper, which makes install docs that say "0777" all the more frustrating.
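A way to check your own web root for this, as an added example that is not part of the original post: it lists everything writable by group or other, and `tighten` drops those write bits, which assumes your scripts run as your own user through a wrapper as described above. The function names and the `WEBROOT` variable are hypothetical.

```shell
#!/bin/sh
# Added example: audit a web root you own for 0777-style permissions.
# Function names and WEBROOT are illustrative, not from any install doc.

# Print every file or directory under DIR that group or other may write to.
# Symlinks are skipped: access is checked against the target, not the link.
list_loose() {
    find "${1:-.}" ! -type l \( -perm -0002 -o -perm -0020 \) -print
}

# Number of loose entries under DIR, as a bare integer.
count_loose() {
    list_loose "$1" | wc -l | tr -d ' '
}

# Drop group/other write only; owner bits stay as they are.
# 0777 -> 0755 for directories, 0666 -> 0644 for files.
tighten() {
    find "${1:-.}" ! -type l \( -perm -0002 -o -perm -0020 \) \
        -exec chmod go-w {} +
}

# Report-only by default: nothing is changed unless you call tighten yourself.
if [ -n "${WEBROOT:-}" ]; then
    list_loose "$WEBROOT"
fi
```

Run it with `WEBROOT` set to get the report; call `tighten` only once you know the weblog application still writes its pages when running as your user.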

[1] Due to the nature and history of Unix systems, many of the auditing tools are readily available and you can find out a whole lot despite the best efforts of security-minded sysadmins...

[2] This is probably unlikely, since PHP is usually built with limits on file uploads but you get the idea.


See also: W3C World Wide Web Security FAQ - CGI (Server) Scripts; Practical UNIX & Internet Security, UNIX Security Checklist