Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Archive /

Our old forums are still available as a read-only archive.

Moderators: martimiz, Sean, biapar, Willr, Ingo, simon_w

Write access


Go to End
Reply


10 Posts   4327 Views

Avatar
siulun

14 Posts

3 October 2007 at 11:17am

Hi,

I'm going to install SS 2.1 but I have a couple of questions with the apache write access to the .htaccess and the /tutorial /mysite and /assets. Basically in order to install it I had to chmod 777 otherwise it won't pass the test...

my question is.. isn't it a security risk to have your .htaccess file writeable by everyone? - and also the subsequent folders too.

Avatar
Sigurd

Forum Moderator, 628 Posts

3 October 2007 at 11:23am

No, because once you have installed it, you should turn OFF write access to all but the /assets/ folder :)

Also realise its just write access for the webserver, not write access to all users on the machine, which you are after

Avatar
siulun

14 Posts

4 October 2007 at 6:27am

Sigurd: I understand we should be giving write access to the webserver not all users. I read the details on the install successful page.

But for instance sake - imagine a user downloaded SilverStripe, he/she wants to upload it onto a webserver. The only access he/she has is via FTP, when he/she uploads everything into the hosting account, the default owner is the FTP user - not the webserver. The only way to give write access then to the webserver is to give write access to everyone.

Am I right or have I missed something out?

Also - I believe the only way to make sure the owner of the file in a Linux/Apache environment when assuming that the user will not have any other means to set file permissions other than FTP - is to create the file/directory using a php script.

Regards

Avatar
dio5

Community Member, 501 Posts

4 October 2007 at 6:42am

Edited: 04/10/2007 6:42am

That's right. I can only make it work chmodding to 777 :-)

Avatar
Sigurd

Forum Moderator, 628 Posts

4 October 2007 at 7:20am

Sure. So trying to clarify your problem then, does that mean you're concerned that you temporarily need 777 rights to few places during the few minutes you install SilverStripe?

knowing that once installed, you can set the permissions to 644 (rw-r--r--) or even 444 (r--r--r--) of .htaccess, tutorial, and mysite folders?

Avatar
dio5

Community Member, 501 Posts

4 October 2007 at 7:24am

No, I believe it's quite ok.
From the few things I remember from typo3 I believe there were quite some more folders that had to be 777 all the time in order to work.

Avatar
siulun

14 Posts

4 October 2007 at 10:04am

My concern is for new users who do not have any ideas :). - they probably won't even chmod their files back, just trying to point out that there should be a better practice to install the CMS so that it is fool proof. (as much as possible)

Regards.

Avatar
DesignCity

38 Posts

4 October 2007 at 2:27pm

This is an interesting topic I have been looking at myself recently. While I agree with your best practice comments siulun, I would also suggest that the problem is not with SS itself - but with the lack of knowledge of some of its users.

Now, as to whether SS can do something to help new users out - even if that be a tutorial on hardening a SS installation - I'm sure they could. But I don't think it is necessarily their responsibility to look after users who don't know what they're doing.

FYI, I think it would be a GREAT help whatever you can do to help clueless site owners - because lets face it, most security problems stem from people who don't properly implement the security measures that already exist.

Go to Top