  • siulun
    14 Posts

    Write access

    Hi,

    I'm going to install SS 2.1 but I have a couple of questions about the Apache write access to the .htaccess and the /tutorial, /mysite and /assets. Basically, in order to install it I had to chmod 777, otherwise it won't pass the test...

    My question is: isn't it a security risk to have your .htaccess file writeable by everyone? - and also the subsequent folders too.

  • Sigurd
    Forum Moderator
    628 Posts

    Re: Write access

    No, because once you have installed it, you should turn OFF write access to all but the /assets/ folder.

    Also realise it's just write access for the webserver, not write access to all users on the machine, which you are after.

  • siulun
    14 Posts

    Re: Write access

    Sigurd: I understand we should be giving write access to the webserver not all users. I read the details on the install successful page.

    But for instance sake - imagine a user downloaded SilverStripe, he/she wants to upload it onto a webserver. The only access he/she has is via FTP, when he/she uploads everything into the hosting account, the default owner is the FTP user - not the webserver. The only way to give write access then to the webserver is to give write access to everyone.

    Am I right or have I missed something out?

    Also - I believe the only way to make sure the owner of the file in a Linux/Apache environment when assuming that the user will not have any other means to set file permissions other than FTP - is to create the file/directory using a php script.

    Regards

  • dio5
    Community Member
    501 Posts

    Re: Write access

    That's right. I can only make it work by chmodding to 777.

  • Sigurd
    Forum Moderator
    628 Posts

    Re: Write access

    Sure. So trying to clarify your problem then, does that mean you're concerned that you temporarily need 777 rights to a few places during the few minutes you install SilverStripe?

    Knowing that once installed, you can set the permissions to 644 (rw-r--r--) or even 444 (r--r--r--) of .htaccess, tutorial, and mysite folders?

  • dio5
    Community Member
    501 Posts

    Re: Write access

    No, I believe it's quite ok.
    From the few things I remember from typo3 I believe there were quite some more folders that had to be 777 all the time in order to work.

  • siulun
    14 Posts

    Re: Write access

    My concern is for new users who do not have any ideas - they probably won't even chmod their files back. Just trying to point out that there should be a better practice to install the CMS so that it is foolproof (as much as possible).

    Regards.

  • DesignCity
    38 Posts

    Re: Write access

    This is an interesting topic I have been looking at myself recently. While I agree with your best practice comments siulun, I would also suggest that the problem is not with SS itself - but with the lack of knowledge of some of its users.

    Now, as to whether SS can do something to help new users out - even if that be a tutorial on hardening a SS installation - I'm sure they could. But I don't think it is necessarily their responsibility to look after users who don't know what they're doing.

    FYI, I think it would be a GREAT help whatever you can do to help clueless site owners - because let's face it, most security problems stem from people who don't properly implement the security measures that already exist.
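
The post-install lock-down discussed in this thread (777 during the install, then 644 or 444 on .htaccess, tutorial and mysite, with only assets left writable), written as an added shell example that is not part of any post above and is not SilverStripe's own code. The function names and the `WEBROOT` variable are hypothetical, and setting directories to 755 rather than 644 is an assumption made here so they stay traversable.

```shell
#!/bin/sh
# Added example, not SilverStripe's installer. Path names (.htaccess,
# tutorial, mysite, assets) are the ones named in the thread.

# audit_world_writable ROOT
# Print every path under ROOT, outside assets/, that any local user can
# write. Symlinks are skipped: their own mode bits are not enforced.
audit_world_writable() {
    root=${1%/}
    find "$root" -path "$root/assets" -prune -o ! -type l -perm -0002 -print
}

# harden_install ROOT
# Undo the install-time 777: .htaccess becomes 444, files under tutorial/
# and mysite/ become 644 and their directories 755 (a directory at 644
# cannot be traversed). assets/ is left alone because uploads need it.
# Returns 0 when nothing outside assets/ is still world-writable, else 1.
harden_install() {
    root=${1%/}
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi
    if [ -f "$root/.htaccess" ]; then
        chmod 444 "$root/.htaccess"
    fi
    for d in tutorial mysite; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -type d -exec chmod 755 {} +
            find "$root/$d" -type f -exec chmod 644 {} +
        fi
    done
    remaining=$(audit_world_writable "$root")
    if [ -n "$remaining" ]; then
        echo "still world-writable outside assets/:" >&2
        echo "$remaining" >&2
        return 1
    fi
    return 0
}

# Runs only when a web root is supplied: WEBROOT=/path/to/site sh harden.sh
if [ -n "${WEBROOT:-}" ]; then
    harden_install "$WEBROOT"
fi
```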
