I just installed this forum, and am still finding my way around. My biggest problem is the permissions, which are set to 777. It leaves everything wide open. It's only been about an hour, and my host has already contacted me, saying you need to do something with these permissions. Is there another permission I can use that won't be so unsafe and that will allow the forum to work? Thank you.
droopal
You can try 757 or 775 if they work, but if your server requires 777 for uploads to work, that's what it'll need... we say to use 777 as that will work for everybody.
(2010-08-04, 11:24 AM)MattRogowski Wrote: You can try 757 or 775 if they work, but if your server requires 777 for uploads to work, that's what it'll need... we say to use 777 as that will work for everybody.
Isn't that leaving everybody open to attack, though? This is the first forum software I know of that requires 777 to be used. How do you stop from getting attacked?
I just tried to change it to 775, but in the Admin CP it shows a warning to revert back to 777. This is kind of worrying to me.
I wasn't under the impression we handle uploads in a weird and wonderful way that requires excessive CHMODs. WordPress requires 777 on some folders on my server to be able to edit templates and CSS via the ACP, nothing else will work. I've looked on the phpBB and SMF sites and people say to use 777 in various places there too. There are a lot of people who find they can't upload things if the uploads folder is CHMOD to 755, it needs to be 777. The cache folder often gives 403 errors if it's CHMOD to 755 and that simply contains CSS files, we don't do anything special there. It says to use 777 as that will work for everybody, if a lower setting works on your server, use that. On one server I use I have to use 777 for it to work, for MyBB and other things, on another server I can have everything set lower.
Oh, well, something to think about. As already mentioned, my host contacted me to ask about the permissions setting, why they were all set at 777. Unfortunately, I have now been given a warning to state that if things haven't changed, and I cannot guarantee the security of the forum, they might remove it themselves.
What guarantees do you have these forums are safe to use with such unsafe permissions?
Then the problem just isn't about permissions, it's about ownership. No permissions should be set to 777 continuously, it leaves the website wide open. I have all my permissions set to 755 and 644 on WP, with ownership set to www-data:www-data, and don't have any problems at all. Also, do you have mod-re-write set to on or off? I had major problems with a previous host because it was set to off, and the server I was on got hacked and so did hundreds of websites, which is why I am so worried about permissions and stuff, and so is this host.
(2010-08-04, 12:26 PM)droopal Wrote: What guarantees do you have these forums are safe to use with such unsafe permissions?
What guarantees can you make about the millions of WordPress blogs that have CHMODs of 777??
Also, to your point about no other forums saying to use 777...
http://www.phpbb.com/kb/article/phpbb3-c...rmissions/
"There are some exceptions when it comes to directory permissions, The files directory - 777, The cache directory - 777, The store directory - 777, The images/avatars/upload directory - 777"
http://docs.simplemachines.org/index.php...sg10#msg10
"making your files writable by using the CHMOD function of your FTP program, setting the files that need to be writable to 777"
also:
http://www.simplemachines.org/community/...pic=2987.0
Even if something is set to 777, a hacker still needs a method to put something there, which there isn't.
I don't believe we do anything with file ownership, and mod_rewrite is changing URLs, I don't know how that's linked...
Actually, I have mine set to 755 for all those you mentioned and I don't have a problem with my WP set to that. So I am not quite sure about those. mod-re-write has been causing problems with security, and it's also been causing problems with errors too.
(2010-08-04, 11:58 AM)droopal Wrote: What guarantees do you have these forums are safe to use with such unsafe permissions?
Sorry, I can't understand why you think chmod 0777 is unsafe (for some files).
Much more important is the security on the application layer (in this case MyBB).
There are some files which must be writable for the webserver (php, MyBB).
So you have to use chmod 0755 or chmod 0777 (depends on server settings).
And finally, chmod 0755 does not mean that it's safer than chmod 0777.
It just means that the webserver user/group is the same as the ftp user/group.
As far as phpBB3 is concerned, it's considered one of the worst forums when it comes to security, so I am not really sure using that as an example is useful. I wouldn't touch it, which is why I was looking for another, similar and easier to use. I know too many people who have been hacked using that software. They even have a hack to get back into your forums if it's been hacked.
I could get away with it, if I wanted to be safe, by setting ownership to the web, www-data:www-data, so it is viewed only on the web. That way it would be safer, but it is still a security problem.
(2010-08-04, 12:50 PM)droopal Wrote: Actually, I have mine set to 755 for all those you mentioned and I don't have a problem with my WP set to that. So I am not quite sure about those. mod-re-write has been causing problems with security, and it's also been causing problems with errors too.
Exactly what I've already said, some servers can have it set to that, some can't. What do you propose the people who need it to be on 777 do, just not use those features?? As for mod_rewrite, I still don't see how that can pose a security issue here but you don't have to use that if you don't want to.
(2010-08-04, 12:54 PM)droopal Wrote: As far as phpBB3 is concerned, it's considered one of the worst forums when it comes to security, so I am not really sure using that as an example is useful.
You're the one who said you'd never seen any other forum say to use 777, I was simply disproving that.
As I said above, a hacker still needs a way to be able to use a 777 permission against you; having it set to 777 doesn't in itself mean you're going to be hacked. Someone still needs access to your server/file system to be able to do anything.
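Added example, not part of the thread and not MyBB code: the modes traded back and forth above (755, 775, 757, 777) differ only in which permission class the web server account falls into for a given file. The sketch below walks a forum directory, lists every world-writable entry, and reports the lowest mode that still lets the web server write to it; the default account name `www-data` is taken from the thread, and treating 755/644 as the baseline is an assumption.

```python
import os
import pwd
import stat
import sys

def least_writable_mode(st, web_uid, web_gids):
    """Lowest mode that still lets the web server user write to this entry."""
    base = 0o755 if stat.S_ISDIR(st.st_mode) else 0o644
    if st.st_uid == web_uid:
        return base                    # owner bits apply: 755 / 644 is enough
    if st.st_gid in web_gids:
        return base | stat.S_IWGRP     # group bits apply: 775 / 664
    return base | stat.S_IWOTH         # only "other" bits apply: 757 / 646

def audit_world_writable(root, web_uid, web_gids):
    """Return (path, current_mode, suggested_mode) for world-writable entries."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue                   # symlink modes are not meaningful
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IWOTH:
            findings.append((path, mode, least_writable_mode(st, web_uid, web_gids)))
    return findings

if __name__ == "__main__":
    # Usage: audit.py <forum root> [web server account]; both values are assumptions.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    user = sys.argv[2] if len(sys.argv) > 2 else "www-data"
    try:
        account = pwd.getpwnam(user)
    except KeyError:
        sys.exit(f"no such account: {user}")
    gids = set(os.getgrouplist(user, account.pw_gid))
    for path, mode, suggested in audit_world_writable(root, account.pw_uid, gids):
        print(f"{path}: {mode:04o} -> {suggested:04o}")
```

Where the suggestion comes out as 757 or 646, the entry stays world-writable because the web server is neither its owner nor in its group; changing the owner or group of that entry is what allows a lower mode.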