Textpattern CMS support forum

#21 2008-03-24 12:50:40

ruud
Developer emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: Important Security Question

Files with 644 permissions and 755 for directories are okay.
But needing 777 permissions for the directories to make them writable, that is definitely NOT okay. If that’s on a shared webhost, consult the tech support and ask them if it’s safe to set permissions to 777.


#22 2008-03-24 13:24:14

masa
Member
From: Asturias, Spain
Registered: 2005-11-25
Posts: 1,091


Ruud,

I understand that. Rather my question was, if the parent is set to 755 does setting a child to 777 override the privileges of the parent?

From what you said earlier…

> …so if the parent is set to 700, then only the owner of that directory can access the parent directory…. but if that’s true, then it’s pointless to set the child directory to 777.

…it sounded like it wouldn’t have any effect?!


#23 2008-03-24 14:27:04

ruud
Developer emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

A 777 child directory inside a 755 parent directory would work, but as I said before: please assume that 777 is not safe unless your webhost explicitly approves it.


#24 2008-03-24 14:33:44

rloaderro
Archived Plugin Author
From: Costa Rica
Registered: 2006-01-05
Posts: 190

Since no one has mentioned it before – what about 775? Not as safe as 755, not as vulnerable as 777? Anyway, it was as secure as I was able to go on a shared host since 755 didn’t work…


#25 2008-03-24 14:36:56

MattD
Plugin Author
From: Monterey, California
Registered: 2008-03-21
Posts: 1,251

My host recommends 755 but Textpattern still complains:
Image directory is not writable
File directory path is not writable

#26 2008-03-24 14:39:38

masa
Member
From: Asturias, Spain
Registered: 2005-11-25
Posts: 1,091


OK, thanks. I’ll have a chat with them.


#27 2008-03-24 15:28:54

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,360

I also have the same problem with an old host, but don’t forget that 777 says: anyone can write on the directory, but the anyone (user can be a process) must have access to the system (username, password)! Or am I wrong?


#28 2008-03-24 16:03:25

ruud
Developer emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

775 is probably as unsafe as 777.
Or to phrase it differently: if your scripts are not executed by your own user name (but instead by a generic web server process user like www, www-data or nobody), causing the created files (image/file uploads) to be owned by someone other than your own user name, then you should be worried if you’re on a shared hosting server.

> anyone can write on the directory, but the anyone (user can be a process) must have access to the system (username, password)! or am I wrong?

True. However, when using 777 permissions it just requires one vulnerable script in any of the hosted domains to mess with all the other domains hosted on that same server, while with 755 (or lower) only the vulnerable domain is affected.

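An added example, not part of ruud's post or of Textpattern: a shell function that lists the conditions discussed in the post above under a site directory, namely 777-style directories, 775-style directories, and files not owned by your own account. The function name and output labels are made up for this illustration, and it assumes the account running it is the one that should own the files.

```shell
#!/bin/sh
# audit_webroot DIR [OWNER]
#   DIR   - site directory to scan (you supply the path)
#   OWNER - user name or numeric uid that should own everything;
#           assumption: defaults to the uid running the audit
audit_webroot() {
    root=$1
    owner=${2:-$(id -u)}

    # 777-style directories: every local account can write here, so one
    # vulnerable script in any hosted domain can reach them.
    find "$root" -type d -perm -0002 -print | sed 's/^/WORLD-WRITABLE  /'

    # 775-style directories: group-writable but not world-writable.
    # The post above treats these as probably as unsafe as 777.
    find "$root" -type d -perm -0020 ! -perm -0002 -print | sed 's/^/GROUP-WRITABLE  /'

    # Entries owned by someone else: what uploads look like when scripts
    # run as a generic web server user (www, www-data, nobody).
    find "$root" ! -user "$owner" -print | sed 's/^/FOREIGN-OWNER   /'
}

# Run directly as: sh audit.sh /path/to/site [owner]
if [ "$#" -gt 0 ]; then
    audit_webroot "$@"
fi
```

No output means none of the three conditions were found; any FOREIGN-OWNER line shows that something other than your account is creating files in the tree.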

#29 2008-03-25 18:42:39

zero
Member
From: Lancashire
Registered: 2004-04-19
Posts: 1,313

I use Filezilla but it doesn’t show the owner by default. I discovered you have to choose Edit | Settings | Interface Settings | Remote File List and you can select to show Owner/Group.

#30 2008-03-27 23:35:33

redbot
Plugin Author
Registered: 2006-02-14
Posts: 1,410


ruud wrote:

> …If that’s on a shared webhost, consult the tech support and ask them if it’s safe to set permission to 777.

I’ve asked my host.
They said that – though it is always preferable not to use 777 – I’m still allowed to do it.
They warned me to always use updated software to prevent possible code vulnerabilities
because the problem could be only caused by a script I’m running on my site.
Anyway – they said – they’re doing their best to ensure security (mod_security, firewall…).

So, ruud, what do you think about their answer? Does it sound reliable or should I change host (which I hope to avoid if not strictly necessary)?
Thanks
