3 October 2007 at 11:17am
I'm going to install SS 2.1 but I have a couple of questions about the Apache write access to the .htaccess and the /tutorial, /mysite and /assets. Basically, in order to install it I had to chmod 777, otherwise it won't pass the test...
My question is: isn't it a security risk to have your .htaccess file writeable by everyone, and also the subsequent folders too?
Core Development Team
3 October 2007 at 11:23am
No, because once you have installed it, you should turn OFF write access to all but the /assets/ folder.
Also realise it's just write access for the webserver, not write access to all users on the machine, which you are after.
4 October 2007 at 6:27am
Sigurd: I understand we should be giving write access to the webserver not all users. I read the details on the install successful page.
But for instance sake - imagine a user downloaded SilverStripe, he/she wants to upload it onto a webserver. The only access he/she has is via FTP, when he/she uploads everything into the hosting account, the default owner is the FTP user - not the webserver. The only way to give write access then to the webserver is to give write access to everyone.
Am I right or have I missed something out?
Also - I believe the only way to make sure the owner of the file in a Linux/Apache environment when assuming that the user will not have any other means to set file permissions other than FTP - is to create the file/directory using a php script.
4 October 2007 at 6:42am Last edited: 4 October 2007 6:42am
That's right. I can only make it work chmodding to 777
Core Development Team
4 October 2007 at 7:20am
Sure. So, trying to clarify your problem then, does that mean you're concerned that you temporarily need 777 rights to a few places during the few minutes you install SilverStripe, knowing that once installed, you can set the permissions to 644 (rw-r--r--) or even 444 (r--r--r--) of .htaccess, tutorial, and mysite folders?
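A post-install check for the permissions discussed above, as an added example that is not part of the original thread: it lists anything under the webroot that is still world-writable outside assets/. The webroot layout (.htaccess, mysite/, tutorial/, assets/) is taken from the thread; the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit a SilverStripe webroot for paths left world-writable
# after the installer has finished. Function names are hypothetical.

# Print every file or directory under $1 whose "other" write bit is set,
# skipping assets/ (the one folder the thread says should stay writable).
find_world_writable() {
    webroot=$1
    find "$webroot" \
        -path "$webroot/assets" -prune -o \
        \( -type f -o -type d \) -perm -0002 -print
}

# Return 0 if nothing outside assets/ is world-writable, 1 if something is,
# 2 if the argument is not a directory.
audit_webroot() {
    webroot=${1%/}
    if [ ! -d "$webroot" ]; then
        echo "not a directory: $webroot" >&2
        return 2
    fi
    findings=$(find_world_writable "$webroot")
    if [ -n "$findings" ]; then
        echo "Still world-writable outside assets/:"
        printf '%s\n' "$findings" | sed 's/^/  /'
        return 1
    fi
    echo "OK: nothing outside assets/ is world-writable"
    return 0
}

# Run the audit when a webroot path is given on the command line.
[ "$#" -eq 0 ] || audit_webroot "$1"
```

Symbolic links are skipped because their mode bits do not reflect the target's permissions.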
4 October 2007 at 7:24am
No, I believe it's quite ok.
From the few things I remember from TYPO3, I believe there were quite some more folders that had to be 777 all the time in order to work.
4 October 2007 at 10:04am
My concern is for new users who do not have any ideas - they probably won't even chmod their files back. Just trying to point out that there should be a better practice to install the CMS so that it is foolproof (as much as possible).
4 October 2007 at 2:27pm
This is an interesting topic I have been looking at myself recently. While I agree with your best practice comments siulun, I would also suggest that the problem is not with SS itself - but with the lack of knowledge of some of its users.
Now, as to whether SS can do something to help new users out - even if that be a tutorial on hardening a SS installation - I'm sure they could. But I don't think it is necessarily their responsibility to look after users who don't know what they're doing.
FYI, I think it would be a GREAT help whatever you can do to help clueless site owners - because let's face it, most security problems stem from people who don't properly implement the security measures that already exist.