How to prevent a new user from doing anything dangerous?
This is as designed. And worse. chmod 777 means... "I'd like the owner, anyone in his group, and anyone at all to have read, write and execute permissions"
Which is pretty terrible.
And for a web server, 777 is not optimal. 755 (Owner has full permissions group and others have read + execute) is a common default but from what you've said you want at least read-write, or read-write execute for the owner (the web server user), and maybe the group, and no permissions for the user. There's a more complete questions on what appropriate permissions levels are on serverfault but consider something like 640 or 740.
that said, you could also put the user in his own little world - setting up chroot to keep the user in his own space in the system. There's guides floating around for doing this - for example oli's excellent answer here which may be an option depending on your needs.
Essentially, it breaks down like this:
R = 4 (read)
W = 2 (write)
X = 1 (execute)
So, read permissions only would be 4, read and write would be 6, read and execute would be 5, and all (read, write, execute) is 7. This is how you compute a permission octet value for an owner, owner's group, or everyone.
When applying those permissions with chmod
to a file or directory location, the numbers computed above are applied like this, with an octet each for owner, group, and everyone:
$ chmod _ _ _ <file or directory>
| | |
owner-------- | |
owner's group-- |
everyone---------
So if I wanted to give myself and my group read, write and execute permissions to a folder that I owned, but I didn't want everyone to even be able to read it, I'd use:
$ chmod 770 myDirectory
For more information, check the man page for chmod:
$ man chmod
As others have mentioned you should not have permissions set to 777
Here's a helpful reference sheet that i use.
+-----+---+--------------------------+
| rwx | 7 | Read, write and execute |
| rw- | 6 | Read, write |
| r-x | 5 | Read, and execute |
| r-- | 4 | Read, |
| -wx | 3 | Write and execute |
| -w- | 2 | Write |
| --x | 1 | Execute |
| --- | 0 | no permissions |
+------------------------------------+
You can use the octal notation, where the three digits correspond to the user, then group, then other.
Perhaps this might help
+------------+------+-------+
| Permission | Octal| Field |
+------------+------+-------+
| rwx------ | 700 | User |
| ---rwx--- | 070 | Group |
| ------rwx | 007 | Other |
+------------+------+-------+