Textpattern CMS

#1 2012-10-17 15:36:11

linguist

Member

Registered: 2007-11-03

Posts: 24

New Apache ITK, problem with permissions, Textpattern behaviour

Hello!

My hosting provider recently upgraded to Apache 2.2 ITK (mpm-itk). As a result, my Diagnostics warnings (TXP 4.5.1) that /files/ and /images/ are not writable have disappeared. (I had their permissions lowered to 700 because I don’t need to upload anything, and these folders are empty.) My web developer did some checking and found that with the permissions set to rwx, the function PHP is_writeable() responds with TRUE for these and other folders.

After contacting my hosting support I learned that in this version of Apache, users’ permissions are the same as the owner’s permissions, which in my understanding may be a security issue. Hosting support says that this is perfectly safe as long as my CMS does not have any security holes or vulnerabilities. They also suggested that if I’m worried and think that it is necessary to safeguard against something, then I could change permissions to 555, and raise them when necessary, and then go back down when finished.

To me it seems pretty strange to have to do that on a standard shared virtual hosting. Should I start thinking about changing my hosting provider? Should I lower permissions as suggested? Of course, it’s not only /files/ and /images/ I’m concerned about. How would my Textpattern work if the permissions of its folders and files were set lower? Is it safe to just leave it as it is now? I would really appreciate your advice on this matter. Thank you.