
Textpattern CMS support forum


#1 2010-05-30 18:35:25

fjdekermadec
New Member
From: Paris, France
Registered: 2010-05-30
Posts: 7

Is it best to suEXEC or 705?

Hello all,

I am toying today with a new host for Textpattern, and they so far appear to provide everything one could hope for, including a security-conscious server setup.

However, because all web files are served by the same “nobody” user on the server, it requires me to set up permissions on my Textpattern installation to 705. This way, no other customer on the server can touch the files (we all belong to a users group) and the server can access and serve all files, be they HTML, PHP, etc.

However, Textpattern requires, as you know, write access to the “Files” and “Images” directories. In the above setup, the only solution appears to be to set permissions on these directories to 707 — a big no-no. It’s not 777 and local users are still kept out, but they could conceivably run a script on the server that accessed these directories thanks to the third “7.”

Pair also offers wrapping the entire account in suEXEC so that I could theoretically run everything as my own user, thereby alleviating the need for setting 707 permissions but increasing the risk that a hacked Textpattern install could compromise my entire user space on the server, including other TxP files.

Has anyone faced the same dilemma?

— FJ
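
The permission trade-off raised in this post, modelled as an added example (not part of the original post or of Textpattern): it applies the classic Unix owner/group/other check to an upload directory under modes 705 and 707, and under 700 for the suEXEC case. The UIDs, GIDs and the 700 mode are constructed assumptions; ACLs and root are ignored.

```python
# Constructed identities (assumptions, not taken from the host in the thread).
OWNER = (1001, {100})      # site owner, member of the shared "users" group (gid 100)
NEIGHBOUR = (1002, {100})  # another customer in the same group, using a shell
NOBODY = (65534, {65534})  # shared web-server user, outside the "users" group
R, W, X = 4, 2, 1

def effective_bits(mode, file_uid, file_gid, uid, gids):
    """Classic Unix check: exactly one class applies, owner first, then
    group, then other. The three sets of bits are never combined."""
    if uid == file_uid:
        return (mode >> 6) & 7
    if file_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def allowed(mode, who, need, file_uid=1001, file_gid=100):
    """True if `who` holds every bit in `need` on a directory owned by
    uid 1001 / gid 100 (the constructed site owner)."""
    uid, gids = who
    return effective_bits(mode, file_uid, file_gid, uid, gids) & need == need

def report(mode, php_runs_as):
    """Who can list or write the upload directory for a given mode.
    Creating a file needs write+search (w+x); listing needs read+search."""
    return {
        "neighbour_shell_lists": allowed(mode, NEIGHBOUR, R | X),
        "neighbour_shell_writes": allowed(mode, NEIGHBOUR, W | X),
        "textpattern_uploads": allowed(mode, php_runs_as, W | X),
        # Any script executed by the shared web user, whoever uploaded it:
        "shared_web_user_writes": allowed(mode, NOBODY, W | X),
    }

if __name__ == "__main__":
    cases = [
        ("705, PHP as nobody", 0o705, NOBODY),
        ("707, PHP as nobody", 0o707, NOBODY),
        ("700, PHP as owner (suEXEC)", 0o700, OWNER),
    ]
    for label, mode, runs_as in cases:
        print(label, report(mode, runs_as))
```

Group members are refused under 705 even though "other" has r-x, because the group class (0) is matched first and is the only one consulted.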


#2 2010-05-30 20:19:26

artagesw
Member
From: Seattle, WA
Registered: 2007-04-29
Posts: 227

Re: Is it best to suEXEC or 705?

If you are security-conscious (and you should be), then I would recommend either:

1) A dedicated server or VPS, where you can fully control file permissions, as well as just about everything else on your server.

or

2) A shared host running PHP as FAST-CGI, so that PHP (and therefore Textpattern) runs under your user id.


#3 2010-05-31 00:41:55

fjdekermadec
New Member
From: Paris, France
Registered: 2010-05-30
Posts: 7

Re: Is it best to suEXEC or 705?

Hello artagesw,

Thanks for your insights!

artagesw wrote:

A shared host running PHP as FAST-CGI, so that PHP (and therefore Textpattern) runs under your user id.

Would suEXEC, which Pair offers, be an acceptable solution in this instance? It seems they do not offer FastCGI.

Well and truly noted for the dedicated server or VPS, which is next on the list of things to investigate. Alas, not all clients feel like splurging for and maintaining a machine, be it virtual or not, but it is definitely the way to go for ultimate peace of mind.


#4 2010-05-31 06:46:37

artagesw
Member
From: Seattle, WA
Registered: 2007-04-29
Posts: 227

Re: Is it best to suEXEC or 705?

fjdekermadec wrote:

Would suEXEC, which Pair offers, be an acceptable solution in this instance? It seems they do not offer FastCGI.

Yes, if configured properly. I’m not a fan of suEXEC because it can be quite complicated to get right. And complexity is not a friend to security.


#5 2010-05-31 06:48:56

fjdekermadec
New Member
From: Paris, France
Registered: 2010-05-30
Posts: 7

Re: Is it best to suEXEC or 705?

artagesw wrote:

Yes, if configured properly. I’m not a fan of suEXEC because it can be quite complicated to get right. And complexity is not a friend to security.

Thanks! Yes, I definitely agree suEXEC is no piece of cake to set up…


#6 2010-05-31 16:32:38

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: Is it best to suEXEC or 705?

SuExec or SuPHP is not more complicated than fast-CGI, just slower (although you won’t notice until you run a high-traffic website). I have used suPHP / suExec for years (and still do).
