MyBB Community Forums

Full Version: Installer Suggests Insane CHMOD
Why on earth does the installer/check-script suggest to chmod 777 anything? - this is inherently insecure! The proper solution would be chmod 775, at least IMHO. Giving "anybody" write-access is bad!
Just google for '"chmod 777" "considered harmful"' - you'll find stuff like this email on lists.e-smith.org.
It's been ages since I've had any ftp-only webspace to manage, but the ftp-user is usually the one running the webserver too .. at least on any webhoster worth their salt. I'd much prefer adding a caveat-notice or answering the occasional newbie question to suggesting this catch-all, considering it's catch-22 ;-P
Some webservers have weird configurations, which I believe was the reason for suggesting a 0777 chmod.

If I recall correctly, Matt Rowgowski (Head of support) has requested this change already.
It says 777 because it's not really possible to reliably determine the minimum chmod setting that will work on any given host, other than trial and error.

If someone can hack your site because you chmodded something 777, then it's the webserver that was insecure. 775 is just as bad in this case as it gives world-readable rights and if people can read your files they can read your database passwords, and if they can read that you are hacked either way.

Security depends 99% on how the server is set up and 1% on the chmod settings you choose within your shared hosting environment. The 1% still deserves some attention of course, in that you shouldn't make files/directories writable without reason.
frostschutz, that is why I mentioned the ftp-only webspace thingie; because I was expecting this to be the reason. As I said, it's not what I'd call "sane" - since so many people will blindly do what it says, without even knowing of the potential risks. At least it doesn't keep clamouring for this actual setting as soon as it has determined the directory is writeable for itself ;-P
I can't help but see that legendary "boy at the dyke" when you say that one vector of attack is more serious than another .. a lot of little holes can leak as much as a big one - and back to the story: if you manage to sneak something into a little hole, you might make a big hole that wasn't there before.
As already said the problem is that we can't be sure of server setups. If we put it to a more secure CHMOD value, there is a significant chance that it won't work on a lot of setups. That generates lots of support threads, which can often mask real issues and security flaws. It's a lesser of two evils. Smile there really is no efficient way around it.
Okay, thought as much - but just couldn't restrain myself from asking. At least now "chmod 777"-searches (wishful thinking) should contain this little bit of background-information. Wink
Feel free to close the thread.
Sorry to bring this thread back up, but...

...as a more security conscious admin, how do I best go about determining the safest (read: most restrictive) chmod settings throughout my MyBB installation that will still work under my conditions?

Is there a tutorial on this somewhere?

I know how to use my ftp client of course, and how to change the settings for each file or folder - but how do I figure out what settings to use?

The answer that server setup is much more important, although true, is not good enough for me, I'm afraid (no offense).

Cheers,

Matt
(2012-02-06, 10:55 AM) Mariku Wrote: how do I best go about determining the safest (read: most restrictive) chmod settings throughout my MyBB installation that will still work under my conditions?

read up on chmod / file permissions on wikipedia and understand it (best option)

or use trial and error, going from the most restrictive chmod to the less restrictive ones

for read-only files 4 (read), read-write files 6 (write+read), read-only folders 5 (exec+read), read-write folders 7 (exec+write+read).

then you start with owner only, if that's not enough you add group, and if that's not enough you have to add world, or change the user/group ownership of the file (if possible).

so for

read only files it's 400 (owner read), 440 (owner+group read), 444 (owner+group+world read),

read-write files it's 600 (owner read-write), 660 (owner+group read-write), 666 (owner+group+world read-write),

read-only folders 500 (owner exec read), 550 (owner+group exec read), 555 (owner+group+world exec read),

read-write folders 700 (owner exec read write), 770, 777

pick the first one that works and you have the most restrictive chmod for your setup
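The ladder above can be resolved without trial and error if you know who owns the file and which uid/groups the web server runs as. This is an added example, not code from the thread or from MyBB: it applies the standard owner/group/other selection rule to each mode in the ladder and returns the first one that grants the needed access. The web server identity (uid 33, gid 33) and file owner (uid/gid 1000) in the demo are constructed values; root's permission bypass is not modelled.

```python
import os
import stat

# Permission ladders from the post: owner only, then +group, then +world.
# Key: (needs_write, is_dir)
LADDERS = {
    (False, False): (0o400, 0o440, 0o444),  # read-only file
    (True, False): (0o600, 0o660, 0o666),   # read-write file
    (False, True): (0o500, 0o550, 0o555),   # read-only folder
    (True, True): (0o700, 0o770, 0o777),    # read-write folder
}

def mode_grants(mode, owner_uid, owner_gid, uid, gids, needs_write, is_dir):
    """True if a process running as uid with supplementary gids gets the
    access it needs under `mode`. Unix picks exactly one bit triplet: owner
    bits if uid matches, else group bits if the file's gid is one of ours,
    else the world bits. A 440 file therefore does not help a non-owner
    outside the group, and the ladder walks outward until one triplet fits."""
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    need = 4 | (2 if needs_write else 0) | (1 if is_dir else 0)  # r, w, x(search)
    return bits & need == need

def most_restrictive_mode(owner_uid, owner_gid, uid, gids, needs_write, is_dir):
    """Walk the ladder and return the first mode that works for the web server.
    If the answer is the world-level mode (444/666/555/777), the post's advice
    applies: change the file's user/group ownership rather than open it to all."""
    for mode in LADDERS[(needs_write, is_dir)]:
        if mode_grants(mode, owner_uid, owner_gid, uid, gids, needs_write, is_dir):
            return mode
    return None  # unreachable: the world-level mode always grants the bits

def recommend(path, web_uid, web_gids, needs_write):
    """Same check against a real path: reads the owner from stat()."""
    st = os.stat(path)
    is_dir = stat.S_ISDIR(st.st_mode)
    return most_restrictive_mode(st.st_uid, st.st_gid, web_uid, web_gids,
                                 needs_write, is_dir)

if __name__ == "__main__":
    # Constructed scenario: files uploaded by ftp user 1000, web server is uid 33.
    for label, gids in (("web not in owner group", [33]),
                        ("web in owner group", [33, 1000])):
        m = most_restrictive_mode(1000, 1000, 33, gids, needs_write=True, is_dir=True)
        print(f"{label}: read-write folder -> {m:o}")
```

A result at the world level (e.g. 777 for the first scenario) is the cue to fix ownership or group membership instead of accepting the mode.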
Thanks both of you, excellent pointers.

Is there an overview somewhere that lists which of the MyBB files require what permissions to function properly? That would be helpful information for someone who does not know the inner workings of MyBB in detail.

Will definitely get deeper into CHMOD, no doubt.

Cheers,

Matt