I'm going to install SS 2.1 but I have a couple of questions about the Apache write access to the .htaccess file and the /tutorial, /mysite and /assets folders. Basically, in order to install it I had to chmod 777, otherwise it won't pass the test...
My question is: isn't it a security risk to have your .htaccess file writeable by everyone? And the subsequent folders too.
Sigurd: I understand we should be giving write access to the webserver not all users. I read the details on the install successful page.
But for instance's sake, imagine a user downloaded SilverStripe and wants to upload it onto a webserver. The only access he/she has is via FTP; when he/she uploads everything into the hosting account, the default owner is the FTP user, not the webserver. The only way to give write access to the webserver is then to give write access to everyone.
Am I right or have I missed something out?
Also - I believe the only way to make sure of the owner of the file in a Linux/Apache environment, assuming that the user has no means to set file permissions other than FTP, is to create the file/directory using a PHP script.
My concern is for new users who do not have any idea :) - they probably won't even chmod their files back. I am just trying to point out that there should be a better practice for installing the CMS so that it is foolproof (as much as possible).
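The permission trade-off discussed in the posts above (a blanket chmod 777 versus giving only the webserver's group write access) can be checked and corrected with a small script. The following is an added example, not code from the thread or from the SilverStripe project; it assumes a POSIX shell with find/chmod/chgrp, that the webserver group name is passed in (www-data or apache, depending on the distribution), and that whoever runs it owns the files or is root, which is exactly the step an FTP-only user has to ask the host to do.

```shell
#!/bin/sh
# Added example for the SilverStripe permissions discussion; not project code.
# Audits a web root for world-writable entries (what a blanket chmod 777
# leaves behind) and applies a narrower scheme: files keep their owner (the
# FTP user), the webserver's group gets write access on the few paths the
# installer needs, and "other" loses the write bit everywhere.
# Assumed paths: .htaccess, assets, mysite and tutorial, as named in the thread.

# Print every file or directory under $1 that is writable by everyone.
# Returns 0 when nothing is world-writable, 1 otherwise.
find_world_writable() {
    root=$1
    found=$(find "$root" -perm -0002 \( -type f -o -type d \) 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Number of world-writable files and directories under $1.
count_world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \) 2>/dev/null | wc -l | tr -d ' '
}

# Give the webserver group ($2) write access on the paths SilverStripe
# writes to under the web root ($1), then strip world-write from the whole
# tree. Directories become rwxrwxr-x (775), files rw-rw-r-- (664).
harden_writable_paths() {
    root=$1
    group=$2
    for p in .htaccess assets mysite tutorial; do
        [ -e "$root/$p" ] || continue
        chgrp -R "$group" "$root/$p"
        find "$root/$p" -type d -exec chmod 775 {} +
        find "$root/$p" -type f -exec chmod 664 {} +
    done
    # Anything else that was left at 777 loses the "other" write bit.
    chmod -R o-w "$root"
}

# Usage: ./harden.sh /var/www/silverstripe www-data
if [ "$#" -eq 2 ]; then
    echo "World-writable entries before hardening:"
    find_world_writable "$1" || true
    harden_writable_paths "$1" "$2"
    echo "World-writable entries after hardening: $(count_world_writable "$1")"
fi
```

The audit half is the part worth running on any shared host after installation: a count other than zero means the installer's chmod was never reverted. Group-writable 775/664 only helps when Apache actually runs as a member of the chosen group; on hosts where PHP runs as the FTP user itself (suexec or FastCGI per-user setups), plain 755/644 is enough and no group change is needed.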
This is an interesting topic I have been looking at myself recently. While I agree with your best-practice comments, siulun, I would also suggest that the problem is not with SS itself - but with the lack of knowledge of some of its users.
Now, as to whether SS can do something to help new users out - even if that be a tutorial on hardening a SS installation - I'm sure they could. But I don't think it is necessarily their responsibility to look after users who don't know what they're doing.
FYI, I think it would be a GREAT help whatever you can do to help clueless site owners - because let's face it, most security problems stem from people who don't properly implement the security measures that already exist.