Textpattern CMS support forum
Re: Important Security Question
My host recommends 755 but Textpattern still complains:
Image directory is not writable
File directory path is not writable
Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker
#26 2008-03-24 14:39:38
- masa
- Member
- From: Asturias, Spain
- Registered: 2005-11-25
- Posts: 1,091
Re: Important Security Question
OK, thanks. I’ll have a chat with them.
Re: Important Security Question
I also have the same problem with an old host, but don’t forget that 777 says: anyone can write to the directory, but that anyone (the user can be a process) must have access to the system (username, password)! Or am I wrong?
Re: Important Security Question
775 is probably as unsafe as 777.
Or to phrase it differently: if your scripts are not executed by your own user name (but instead by a generic web server process user like www, www-data or nobody), causing the created files (image/file uploads) to be owned by someone other than your own user name, then you should be worried if you’re on a shared hosting server.
anyone can write to the directory, but that anyone (the user can be a process) must have access to the system (username, password)! Or am I wrong?
True. However, when using 777 permissions it just requires one vulnerable script in any of the hosted domains to mess with all the other domains hosted on that same server, while with 755 (or lower) only the vulnerable domain is affected.
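The two conditions ruud describes above (world- or group-writable upload directories, and files owned by the web server user rather than by the hosting account) can be checked from a shell account. The script below is an added example for this thread, not Textpattern’s code and not from any poster; it assumes a Linux host with GNU findutils (for `find -printf`), and the directory layout it builds for the demo is constructed here, not a real site.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from Textpattern). Assumes Linux
# with GNU find. Reports, for a Textpattern root:
#   world-writable / group-writable entries (the 777 / 775 case), and
#   entries not owned by the hosting account's user (files created by a
#   PHP process running as www-data, nobody, ... end up like this).

# audit_dir ROOT OWNER
# Prints one line per finding: "<reason> <mode> <user> <path>".
audit_dir() {
    local root=$1 owner=$2
    find "$root" -printf '%m %u %p\n' 2>/dev/null | sort -k3 |
    while IFS=' ' read -r mode user path; do
        perm=${mode#"${mode%???}"}   # last three octal digits (drop setuid/setgid/sticky digit)
        grp=${perm%?}; grp=${grp#?}  # group digit
        oth=${perm#??}               # other digit
        # write bit set when the octal digit is 2, 3, 6 or 7
        case "$oth" in [2367]) printf 'world-writable %s %s %s\n' "$mode" "$user" "$path" ;; esac
        case "$grp" in [2367]) printf 'group-writable %s %s %s\n' "$mode" "$user" "$path" ;; esac
        [ "$user" = "$owner" ] || printf 'foreign-owner %s %s %s\n' "$mode" "$user" "$path"
    done
}

# site_is_clean ROOT OWNER -> exit status 0 when audit_dir reports nothing
site_is_clean() {
    ! audit_dir "$1" "$2" | grep -q .
}

# make_demo_site DIR: constructed Textpattern-like layout with the
# permissions argued about in the thread (images 777, files 755).
make_demo_site() {
    mkdir -p "$1/images" "$1/files" "$1/textpattern"
    chmod 755 "$1" "$1/files" "$1/textpattern"
    chmod 777 "$1/images"
    : > "$1/images/upload.jpg"     # stands in for a web-server-created upload
    chmod 666 "$1/images/upload.jpg"
}

# Demo run: builds the constructed layout in a temp dir, audits it as the
# current user, then removes it. On a real shared host, run
#   audit_dir /path/to/textpattern "$(id -un)"
demo() {
    local tmp
    tmp=$(mktemp -d)
    make_demo_site "$tmp"
    echo "Audit of $tmp (owner $(id -un)):"
    audit_dir "$tmp" "$(id -un)"
    rm -rf "$tmp"
    return 0
}
demo
```

Any `foreign-owner` line on a real host is the ownership mismatch the thread warns about: those files were created by the shared web server process, so every other customer’s PHP code runs with the same rights over them. The fix the thread converges on is 755 directories and 644 files owned by your own account, which `site_is_clean` confirms.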
#30 2008-03-27 23:35:33
- redbot
- Plugin Author
- Registered: 2006-02-14
- Posts: 1,410
Re: Important Security Question
ruud wrote:
…If that’s on a shared webhost, consult the tech support and ask them if it’s safe to set permission to 777.
I’ve asked my host.
They said that – though it is always preferable not to use 777 – I’m still allowed to do it.
They warned me to always use updated software to prevent possible code vulnerabilities,
because the problem could only be caused by a script I’m running on my site.
Anyway – they said – they’re doing their best to ensure security (mod_security, firewall…).
So, ruud, what do you think about their answer? Does it sound reliable, or should I change host (which I hope to avoid if not strictly necessary)?
Thanks
#31 2008-03-27 23:51:22
- Mary
- Sock Enthusiast
- Registered: 2004-06-27
- Posts: 6,236
Re: Important Security Question
If your permissions on those folders are that loose, anyone could upload a malicious script and execute it without your knowledge. I’d ask them for further information (proof) of their claim.
Re: Important Security Question
It borders on irresponsible to have the admin display a message instructing you to set the permissions to 777.
Re: Important Security Question
because the problem could only be caused by a script I’m running on my site
If that’s true, then it’s okay… but I do wonder how they achieve that (assuming you’re not on a VPS that just hosts your domain).
#34 2008-03-28 11:09:28
- redbot
- Plugin Author
- Registered: 2006-02-14
- Posts: 1,410
Re: Important Security Question
Mary wrote:
If your permissions on those folders are that loose, anyone could upload a malicious script and execute it without your knowledge. I’d ask them for further information (proof) of their claim.
Mary,
I re-asked them.
They said that it’s not true that – as you said – “anyone could upload a malicious script”,
because to do it one must have access to the server and to my account.
Furthermore, they said they have other levels of protection in addition to the filesystem in order to limit the capacity of anonymous users to access and modify my files.
They didn’t give me any other information about the “other levels of protection in addition to the filesystem” (probably they thought – and rightly so – they were talking with a non-expert, so they tried to keep it simple).
ruud wrote:
but I do wonder how they achieve that (assuming you’re not on a VPS that just hosts your domain)
No, I’m not on a VPS.
Re: Important Security Question
If they don’t provide details on how this protection works, my advice would be to switch to a different webhost.
Matt, you’re right and it should be changed (and will be changed).
Re: Important Security Question
If they don’t provide details on how this protection works, my advice would be to switch to a different webhost.
I just wanted to say that it’s not impossible that they have other levels of protection in place as they suggest. For example, with something like OSSEC they could set up filters to prevent other users from running scripts that would affect your account. I find it odd for an ISP to recommend 777 if they were not confident of their security measures – if your account gets hacked – such as mine was – they are just as much responsible if something goes wrong as you are. In my case it was the ISP that was contacted about my hacked site and were under legal obligation to fix or remove it (the latter of which would conflict with their other legal obligation which is to me under our terms of service). At the same time it would not be unusual for an ISP to put their lesser minds in charge of the shared hosting servers – these are their budget customers after all – and I wouldn’t be surprised if they did not know, or care, what happens there.
Best solution? I wouldn’t recommend switching to another shared hosting environment at another ISP – you are treating the symptom and not the underlying problem. Rather, I would highly recommend investing in a dedicated server. At one time a DS ran $300 / month; these days you can easily find them for under $100. If that’s still too much, go for a VPS – you can find one of those for $40-50 / month (still, I would highly recommend the DS over the VPS). Consolidate all your sites on the DS and you will find you are actually saving money. Instead of having the ISP bill your clients directly, bill them yourself (marking up, of course, for the extra effort of maintaining the DS) and you will find you are now making extra money. Use a panel such as PLESK, add Spam Assassin, configure your DNS blacklists, add something like OSSEC for extra security, and rolling daily backups to an external FTP (usually an extra $5 / month from any ISP), and you will find maintaining your own server results in much better performance, makes more economic sense and takes minimal effort (once past the learning curve, natch). Another benefit of having your own DS? Welcome to the modern internet: PHP 5, MySQL 5, RH/CentOS 5/6, etc.: things that are almost impossible to find on any shared hosting environment.
Edit: I just want to add I am not recommending that you become a hosting reseller – just your own sites that you have developed. Don’t put anything on your server that you are not familiar / confident of what’s in the source.
Last edited by rloaderro (2008-03-28 12:52:37)
Travel Atlas * Org | Start Somewhere