Textpattern CMS support forum
#31 2008-03-27 23:51:22
- Mary
- Sock Enthusiast
- Registered: 2004-06-27
- Posts: 6,236
Re: Important Security Question
If your permissions on those folders are that loose, anyone could upload a malicious script and execute it without your knowledge. I’d ask them for further information (proof) of their claim.
Re: Important Security Question
It borders on irresponsible to have the admin display a message instructing you to set the permissions to 777.
Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker
Re: Important Security Question
because the problem could be only caused by a script I’m running on my site
If that’s true, then it’s okay… but I do wonder how they achieve that (assuming you’re not on a VPS that just hosts your domain).
#34 2008-03-28 11:09:28
- redbot
- Plugin Author
- Registered: 2006-02-14
- Posts: 1,410
Re: Important Security Question
Mary wrote:
If your permissions on those folders are that loose, anyone could upload a malicious script and execute it without your knowledge. I’d ask them for further information (proof) of their claim.
Mary,
I re-asked them.
They said that it’s not true that – as you said – “anyone could upload a malicious script”,
because to do it one must have access to the server and to my account.
Furthermore they said they have other levels of protection in addition to the filesystem in order to filter the capacity of anonymous users to access and modify my files.
They didn’t give me other info about the “other levels of protection in addition to the filesystem” (probably they thought – and rightly so – they were talking with a non-expert so they tried to keep it simple).
ruud wrote:
but I do wonder how they achieve that (assuming you’re not on a VPS that just hosts your domain)
No, I’m not on a VPS.
Re: Important Security Question
If they don’t provide details on how this protection works, my advice would be to switch to a different webhost.
Matt, you’re right and it should be changed (and will be changed).
Re: Important Security Question
If they don’t provide details on how this protection works, my advice would be to switch to a different webhost.
I just wanted to say that it’s not impossible that they have other levels of protection in place as they suggest. For example, with something like OSSEC they could set up filters to prevent other users from running scripts that would affect your account. I find it odd for an ISP to recommend 777 if they were not confident of their security measures – if your account gets hacked – such as mine was – they are just as much responsible if something goes wrong as you are. In my case it was the ISP that was contacted about my hacked site and were under legal obligation to fix or remove it (the latter of which would conflict with their other legal obligation which is to me under our terms of service). At the same time it would not be unusual for an ISP to put their lesser minds in charge of the shared hosting servers – these are their budget customers after all – and I wouldn’t be surprised if they did not know, or care, what happens there.
Best solution? I wouldn’t recommend switching to another shared hosting environment at another ISP – you are treating the symptom and not the underlying problem. Rather I would highly recommend investing in a dedicated server. At one time a DS ran $300 / month, these days you can easily find them for under $100. If that’s still too much go for a VPS – you can find one of those for $40-50 / month (still I would highly recommend the DS over the VPS). Consolidate all your sites on the DS and you will find you are actually saving money. Instead of having the ISP bill your clients directly, bill them yourself (marking up of course, for the extra effort of maintaining the DS) and you will find you are now making extra money. Use a panel such as PLESK, add Spam Assassin, configure your DNS blacklists, add something like OSSEC for extra security, and rolling daily backups to an external FTP (usually an extra $5 / month from any ISP) and you will find maintaining your own server results in much better performance, more economical sense and minimal effort (once past the learning curve natch). Another benefit of having your own DS? Welcome to the modern internet: PHP 5, MySQL 5, RH/CentOS 5/6, etc. Things that are almost impossible to find on any shared hosting environment.
Edit: I just want to add I am not recommending that you become a hosting reseller – just your own sites that you have developed. Don’t put anything on your server that you are not familiar / confident of what’s in the source.
Last edited by rloaderro (2008-03-28 12:52:37)
Travel Atlas * Org | Start Somewhere
#37 2008-03-28 16:31:55
- redbot
- Plugin Author
- Registered: 2006-02-14
- Posts: 1,410
Re: Important Security Question
ruud, rloaderro, mary
first of all many thanks for your advice, very appreciated.
Though I understand what ruud says, this time I tend to agree with rloaderro.
They seemed to be quite confident and supportive about this so I tend to trust them (hope I will not regret it).
Considering also that they have a good reputation I think that, at least for now, I’ll stick with them.
And for what concerns rloaderro’s suggestions, thank you, but for now the switch to VPS is completely out of reach both economically and mentally (I’m not so well-versed in server things and I’m overwhelmed by another billion things now, not considering this is not my primary job).
Re: Important Security Question
My host has finally come back and told me that for the php script to write to the folder permissions must be 777 or 666. I’ve asked about the security of this as I know this would mean anyone could write to the folder. Are there shared hosts that are known to have a safe solution to this? I’ve had other problems and I am thinking of moving my 3 sites.
Re: Important Security Question
With 666 folder permissions, your folder becomes unusable. You can’t create, delete or even read files in such a folder. In fact, you won’t even be able to determine who owns the files, how big they are and what the permissions are.
I don’t have a recommendation for hosting, since I host all my websites myself.
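An added example, not from the thread or from Textpattern: a POSIX shell audit that walks a web root and flags the two directory modes discussed above, world-writable 777 (any local user or process on the host can drop files there) and 666 (no search bit, so the directory cannot be listed or entered). It assumes a Unix host with find and ls (GNU or BSD); the "kind" labels are this example's own naming.

```shell
# Prints one line per flagged directory: "<ls mode bits> <kind> <path>".
# Parses the ls -ld mode string rather than using GNU-only stat/find flags,
# so it runs on GNU, BSD and busybox userlands alike.
audit_dir_modes() {
    webroot="$1"
    find "$webroot" -type d -print 2>/dev/null | while read -r dir; do
        bits=$(ls -ld "$dir" | cut -c1-10)         # e.g. drwxrwxrwx, drwxrwxrwt
        user_x=$(printf '%s' "$bits" | cut -c4)    # owner search bit: x or s
        other_w=$(printf '%s' "$bits" | cut -c9)   # w when anyone may write
        other_x=$(printf '%s' "$bits" | cut -c10)  # t/T when the sticky bit is set
        case "$user_x" in
            -|S) kind="no-search-bit" ;;           # 666-style: unusable directory
            *)
                [ "$other_w" = "w" ] || continue   # 755 and friends: nothing to report
                # The sticky bit stops other users deleting or renaming your
                # files, but anyone can still create new ones, so it is still flagged.
                case "$other_x" in
                    t|T) kind="world-writable-sticky" ;;
                    *)   kind="world-writable" ;;
                esac ;;
        esac
        printf '%s %s %s\n' "$bits" "$kind" "$dir"
    done
}

# Exit 0 when the tree has no flagged directories, 1 otherwise, so a deploy
# script can refuse to go live with a 777 upload folder.
webroot_modes_ok() {
    [ -z "$(audit_dir_modes "$1")" ]
}
```

If PHP runs under your own account (suEXEC, FastCGI or a per-user PHP-FPM pool), the upload folders only need to be writable by that account, so 755 is enough and nothing should be flagged.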
Re: Important Security Question
Matt_D, check out the Textbook page. Before you sign up with any of them, ask about permissions.
Last edited by jm (2008-03-28 18:34:45)
Re: Important Security Question
Thanks, mine is listed under “Hosts to avoid”. Other than this the only trouble I’ve had from them is slow support. I’ve got 6 months left on my plan (3 of which were free) so I had to leave now. I may need to make do until it’s up.
Re: Important Security Question
I would definitely move. I was hosted through IX for 3 days – everything was a “security risk,” even SFTP (right!), according to support. The cancellation process sucks though – you have to wait for them to call you and pester you about why you want to cancel.
Re: Important Security Question
From my host who I think I will be ditching soon
“On our linux servers php is configured with Apache and to be able to write into folders properly using php application you should chmod them to 777 permission mask. You are absolutely right and it’s not the best permissions from the point of security, because anyone can write into this folder if 777 permission mask is set. Unfortunately there is no way to write into directories without 777 permissions set.”
Re: Important Security Question
Matt, which host is that?
Re: Important Security Question
ixwebhosting
The only reason I haven’t left is I’ve already paid for the next 3 months and I have a credit for the 3 months after that. I know what they are saying is BS and it scares me to think that they don’t know what they are talking about.
Last edited by MattD (2008-04-02 17:12:08)