Textpattern CMS support forum

#25 2008-03-24 14:36:56

MattD
Plugin Author
From: Monterey, California
Registered: 2008-03-21
Posts: 1,254

Re: Important Security Question

My host recommends 755, but Textpattern still complains:
Image directory is not writable
File directory path is not writable


My Plugins

Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker


#26 2008-03-24 14:39:38

masa
Member
From: Asturias, Spain
Registered: 2005-11-25
Posts: 1,091

Re: Important Security Question

OK, thanks. I’ll have a chat with them.


#27 2008-03-24 15:28:54

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,529

Re: Important Security Question

I also have the same problem with an old host, but don’t forget that 777 says anyone can write to the directory, but that anyone (a user can be a process) must have access to the system (username, password)! Or am I wrong?


#28 2008-03-24 16:03:25

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: Important Security Question

775 is probably as unsafe as 777.
Or to phrase it differently: if your scripts are not executed by your own user name (but instead by a generic web server process user like www, www-data or nobody), causing the created files (image/file uploads) to be owned by someone other than your own user name, then you should be worried if you’re on a shared hosting server.

anyone can write to the directory, but that anyone (a user can be a process) must have access to the system (username, password)! Or am I wrong?

True. However, when using 777 permissions it just requires one vulnerable script in any of the hosted domains to mess with all the other domains hosted on that same server, while with 755 (or lower) only the vulnerable domain is affected.

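The distinction ruud draws above (a directory the web server user can write because it owns it, versus one anyone on the box can write because of the world bit) can be checked directly on a shared host. The script below is an added example, not code from the thread or from Textpattern; it assumes GNU stat (Linux) and takes the web server account name (www-data in the comment) as an argument.

```shell
#!/bin/sh
# Classify how the web server account could write into a directory, so that
# "777" can be told apart from "755 owned by www-data". Assumes GNU stat.
# WEB_USER is an assumption: whatever account PHP actually runs as on the host.

# classify_dir DIR WEB_USER
# Prints: world-writable | owner-writable | group-writable | not-writable
classify_dir() {
    dir=$1
    web_user=$2
    set -- $(stat -c '%a %U %G' "$dir")   # octal mode, owner, group
    mode=$1; owner=$2; group=$3
    own=$(( (mode / 100) % 10 ))          # owner digit (skips setuid/setgid/sticky digit)
    grp=$(( (mode / 10) % 10 ))
    oth=$(( mode % 10 ))
    if [ $(( oth & 2 )) -ne 0 ]; then
        echo world-writable                # any account on the server can drop files here
    elif [ "$owner" = "$web_user" ] && [ $(( own & 2 )) -ne 0 ]; then
        echo owner-writable                # only the web server user (and root) can write
    elif [ $(( grp & 2 )) -ne 0 ] && member_of "$web_user" "$group"; then
        echo group-writable                # writable via a group the web server user is in
    else
        echo not-writable
    fi
}

# member_of USER GROUP: true if USER belongs to GROUP (unknown user counts as no)
member_of() {
    groups=$(id -Gn "$1" 2>/dev/null) || return 1
    case " $groups " in *" $2 "*) return 0 ;; esac
    return 1
}

# audit_dirs WEB_USER DIR... : one line per directory with mode, owner:group, verdict
audit_dirs() {
    web_user=$1; shift
    for d in "$@"; do
        [ -d "$d" ] || { echo "$d: missing"; continue; }
        printf '%s %s %s %s\n' "$d" "$(stat -c '%a' "$d")" "$(stat -c '%U:%G' "$d")" \
            "$(classify_dir "$d" "$web_user")"
    done
}

# Typical use on a Textpattern install (directory names from the thread's messages):
# audit_dirs www-data /path/to/site/images /path/to/site/files
```

A directory reported as world-writable is the 777 case the thread warns about; owner-writable with the web server user as owner is what 755 looks like when uploads already run under that account.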

#29 2008-03-25 18:42:39

zero
Member
From: Lancashire
Registered: 2004-04-19
Posts: 1,470

Re: Important Security Question

I use FileZilla, but it doesn’t show the owner by default. I discovered you have to choose Edit | Settings | Interface Settings | Remote File List, where you can select to show Owner/Group.



#30 2008-03-27 23:35:33

redbot
Plugin Author
Registered: 2006-02-14
Posts: 1,410

Re: Important Security Question

ruud wrote:

…If that’s on a shared webhost, consult the tech support and ask them if it’s safe to set permission to 777.

I’ve asked my host.
They said that – though it is always preferable not to use 777 – I’m still allowed to do it.
They warned me to always use updated software to prevent possible code vulnerabilities,
because the problem could only be caused by a script I’m running on my site.
Anyway – they said – they’re doing their best to ensure security (mod_security, firewall…).

So, ruud, what do you think about their answer? Does it sound reliable, or should I change host (which I hope to avoid if not strictly necessary)?
Thanks


#31 2008-03-27 23:51:22

Mary
Sock Enthusiast
Registered: 2004-06-27
Posts: 6,236

Re: Important Security Question

If your permissions on those folders are that loose, anyone could upload a malicious script and execute it without your knowledge. I’d ask them for further information (proof) of their claim.


#32 2008-03-28 05:44:42

MattD
Plugin Author
From: Monterey, California
Registered: 2008-03-21
Posts: 1,254

Re: Important Security Question

It borders on irresponsible to have the admin display a message instructing you to set the permissions to 777.



#33 2008-03-28 07:38:01

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: Important Security Question

because the problem could only be caused by a script I’m running on my site

If that’s true, then it’s okay… but I do wonder how they achieve that (assuming you’re not on a VPS that just hosts your domain).


#34 2008-03-28 11:09:28

redbot
Plugin Author
Registered: 2006-02-14
Posts: 1,410

Re: Important Security Question

Mary wrote:

If your permissions on those folders are that loose, anyone could upload a malicious script and execute it without your knowledge. I’d ask them for further information (proof) of their claim.

Mary,
I asked them again.
They said that it’s not true that – as you said – “anyone could upload a malicious script”,
because to do it one must have access to the server and to my account.
Furthermore, they said they have other levels of protection in addition to the filesystem in order to limit the ability of anonymous users to access and modify my files.
They didn’t give me any further information about the “other levels of protection in addition to the filesystem” (probably they thought – and rightly so – that they were talking with a non-expert, so they tried to keep it simple).

ruud wrote:

but I do wonder how they achieve that (assuming you’re not on a VPS that just hosts your domain)

No, I’m not on a VPS.


#35 2008-03-28 11:45:07

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: Important Security Question

If they don’t provide details on how this protection works, my advice would be to switch to a different webhost.

Matt, you’re right and it should be changed (and will be changed).


#36 2008-03-28 12:48:33

rloaderro
Archived Plugin Author
From: Costa Rica
Registered: 2006-01-05
Posts: 190

Re: Important Security Question

If they don’t provide details on how this protection works, my advice would be to switch to a different webhost.

I just wanted to say that it’s not impossible that they have other levels of protection in place, as they suggest. For example, with something like OSSEC they could set up filters to prevent other users from running scripts that would affect your account. I find it odd for an ISP to recommend 777 if they were not confident of their security measures – if your account gets hacked – such as mine was – they are just as much responsible if something goes wrong as you are. In my case it was the ISP that was contacted about my hacked site, and they were under a legal obligation to fix or remove it (the latter of which would conflict with their other legal obligation, which is to me under our terms of service). At the same time, it would not be unusual for an ISP to put their lesser minds in charge of the shared hosting servers – these are their budget customers after all – and I wouldn’t be surprised if they did not know, or care, what happens there.

Best solution? I wouldn’t recommend switching to another shared hosting environment at another ISP – you are treating the symptom and not the underlying problem. Rather, I would highly recommend investing in a dedicated server. At one time a DS ran $300 / month; these days you can easily find them for under $100. If that’s still too much, go for a VPS – you can find one of those for $40-50 / month (still, I would highly recommend the DS over the VPS). Consolidate all your sites on the DS and you will find you are actually saving money. Instead of having the ISP bill your clients directly, bill them yourself (marking up, of course, for the extra effort of maintaining the DS) and you will find you are now making extra money. Use a panel such as PLESK, add SpamAssassin, configure your DNS blacklists, add something like OSSEC for extra security, and rolling daily backups to an external FTP (usually an extra $5 / month from any ISP), and you will find maintaining your own server results in much better performance, more economical sense and minimal effort (once past the learning curve, natch). Another benefit of having your own DS? Welcome to the modern internet: PHP 5, MySQL 5, RH/CentOS 5/6, etc. – things that are almost impossible to find on any shared hosting environment.

Edit: I just want to add I am not recommending that you become a hosting reseller – just your own sites that you have developed. Don’t put anything on your server that you are not familiar / confident of what’s in the source.

Last edited by rloaderro (2008-03-28 12:52:37)

