3 posts Page 1 of 1
I've just been starting to use the Gallery feature of Couch and I got a notice from my ISP saying that they've scanned my account and found "potential security threats" and indications that my site "may" be compromised. Here are their reasons:
The following files/directories had insecure permissions (777), which have been remediated.
/home/xxxxxx.com/couch/uploads/image/gallery
/home/xxxxxx.com/couch/uploads/tmp
/home/xxxxxx.com/couch/uploads/image/gallery/dsc00052.JPG
/home/xxxxxx.com/couch/uploads/image/gallery/dsc00051.JPG


They've been changed to 755 for folders and 644 for the files and everything appears to still work ok. Why are these created with executable permissions for all?
Couch does set 0777 permissions in some cases. See https://github.com/CouchCMS/CouchCMS/search?utf8=%E2%9C%93&q=0777. @KK can comment further on the implications of this.
The security concerns for 0777 permission are understandable.

However, as the following links suggest, they are perhaps a bit overblown -
http://www.simplemachines.org/community ... pic=2987.0
http://www.simplemachines.org/community ... #msg246205

There are many many hosts out there who run the web-server as 'nobody' and hence require 0777 for it to be able to create folders/files.

Summary being that at the point 0777 becomes a real threat, we'll have other more serious problems to contend with.

That said, I agree that there is no harm in playing it safe and beginning with the more restrictive 0755/0644 permissions and prompting the user to apply 0777 only when those fail.

I'll see to it that this issue is addressed.

Thanks.
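
An added example, not part of the original thread and not CouchCMS code: a shell audit that mirrors the remediation the host describes (755 for folders, 644 for files) for an uploads tree. The function names and the directory passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example: audit and tighten permissions under an uploads directory.
# Usage (path is a placeholder): sh audit_uploads.sh /path/to/couch/uploads [--fix]

# Print directories and regular files that anyone on the host may write to
# (the "other" write bit is set, as it is with mode 777).
list_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}

# Print regular files that carry any execute bit. Uploaded images never
# need one; only directories need x so they can be traversed.
list_executable_files() {
    find "$1" -type f \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print
}

# Apply the modes from the host's notice: 755 for folders, 644 for files.
# find does not follow symlinks by default, so link targets are untouched.
tighten() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Report only by default; change modes only when --fix is given.
if [ "$#" -ge 1 ]; then
    echo "World-writable entries:"
    list_world_writable "$1"
    echo "Files with an execute bit:"
    list_executable_files "$1"
    if [ "${2:-}" = "--fix" ]; then
        tighten "$1"
        echo "Set directories to 755 and files to 644 under $1"
    fi
fi
```

After a `--fix` run, upload a test image through the gallery: on hosts where the web server runs as a different user than the file owner (the 'nobody' case mentioned above), 755 directories are no longer writable by it.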