Folder Permissions (Security)

Discussion in 'Server Configuration and Hosting' started by rotpar, Apr 24, 2013.

  1. rotpar

    rotpar Member


    My Testforum is up and running great. After all I noticed that the following folders (directories) in XF are set to 777, which is always a security problem. The directories are


    Both directories and all sub-directories in them show chmod 777 - Is that ok? I don't think so!

    Wouldn't it be better to set the chmod to 770???

    OK, the next question is about the Install folder. Do I have to keep it, or can I also set its permission to 770?

    Thank you
  2. Jeremy

    Jeremy Well-Known Member

    The /data folder is where all uploads are sent from users.
    The /internal_data is written to by the install script when you run an upgrade or install.

    You need the other to write to said folder.

    After you run the installer, it should be fine to remove the install directory.
  3. Andrej

    Andrej Well-Known Member

    You don't need to do that.
  4. Jeremy

    Jeremy Well-Known Member

    I didn't say he needed to, but that he could. (y) Deleting for some people can be a psychological safety mechanism.
  5. rotpar

    rotpar Member

    No problem guys, I will just chmod it down and that's it ;) Seems like the other folders work with 770 too. At least on my system.
  6. Tracy Perry

    Tracy Perry Well-Known Member

    If I remember correctly, there are instructions that some people had to set it to 770. 777 is the recommended one.
  7. Floren

    Floren Well-Known Member

    The recommended mask is 0755, not 0770 or 0777. You are basically opening your server to any hacker when you do this. This is my setting:
    # grep chmod /var/www/html/community/library/config.php
    $config['chmodWritableValue'] = 0644;
    Changing the permissions to 0755 and 0644 is the safest way. I like to take it a notch higher and block the directories or files from an external access, so someone who is probing stuff will get an error.
  8. Brogan

    Brogan XenForo Moderator Staff Member

  9. Floren

    Floren Well-Known Member

    I understand, I was recommending the proper settings for a directory accessible from an external source.
    And Mike posted a while ago how easy it is to set up the directories with the right mask, using the variable I mentioned before.

    This is what I mean by taking the directory and file protection one step further:
  10. What did you change in your configuration to get a XenForo-based 403 error? I'm receiving the default apache2 403 error instead.

    All other errors seem to handle a proper Xenforo error page except for the 403.
  11. Also, how would you return a 403 error if the directory permissions for /data & /internal_data need 0777 to function?
  12. Floren

    Floren Well-Known Member

    The /data and /internal_data directories do NOT need to be set to 0777; it is not a good idea to open your server like that. Mine are set to 0755. I did not change anything yet because I'm still waiting for a solution on how to display friendly errors in XenForo. So far I addressed only the 404.
  13. I'm unable to set the directories to 0755 recursively. It breaks the entire image upload option. If I only chmod 0755 "data" and "internal_data", no issues.

    What I'm more interested in is having someone physically type in the address bar "https://forum.com/data" and receive the XenForo 404 error of "The forum data could not be found" instead of the default Apache 404 page.
  14. Floren

    Floren Well-Known Member

    No idea how to do this in Apache, I use Nginx.
  15. (attachment: directoryPermissions.PNG)

    Even after changing all the files to 0644 and all directories to 0755, I'm still unable to upload images correctly unless full access is given.

    (Permission Denied Failed to open stream)

    Not sure on this one. I'm going to start a new thread anyway for 404'ing present directories with Xenforo's error page using Apache2. Thanks for the help!
  16. Floren

    Floren Well-Known Member

    Probably you did not have the directory owned by the Apache user (in your case), like I posted in my previous link? Not sure if pooloperator is your actual Apache user.
  17. Shouldn't be an issue at all.
    groups pooloperator
    pooloperator: pooloperator www-data 
    Hell, I even just set it all back to root:www-data. Still no go with 0755 on directories and 0644 on files in /data and /internal_data.
  18. n/m got it.

    Set the root directory, in this case "Server", back to www-data:www-data recursively. Problem is resolved.
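The two things that finally worked in this thread are the 0755/0644 scheme Floren describes (post 7) and the recursive chown to the web-server user in the closing post. The script below is an added example, not code from the thread or from XenForo: it applies both to XenForo's two writable trees and then counts what is still world-writable or owned by someone other than the web user, which is the check to run before deciding that 0777 is "needed". The forum root path and the user/group names are placeholders passed as arguments; on a Debian-style Apache box they would be www-data:www-data as in the last post. The `$config['chmodWritableValue'] = 0644;` setting from post 7 is what keeps files XenForo writes later at 0644, so this script and that setting belong together.

```shell
#!/bin/sh
# Added example (not from the thread or from XenForo): harden XenForo's
# writable directories the way posts 7 and 18 describe.
#   directories -> 0755, files -> 0644, owner -> the web-server user
# Assumed (placeholders, not from the thread): forum root, user and group
# are passed as arguments, e.g. /var/www/html/community www-data www-data.

# harden_xf_writable <forum_root> <web_user> <web_group>
harden_xf_writable() {
  root="$1"; user="$2"; group="$3"
  for d in data internal_data; do
    if [ ! -d "$root/$d" ]; then
      echo "missing directory: $root/$d" >&2
      return 1
    fi
    # Ownership first: with the web server owning the tree, 0755/0644 is
    # enough for uploads and no world-writable bit is required.
    chown -R "$user:$group" "$root/$d" || return 1
    find "$root/$d" -type d -exec chmod 0755 {} + || return 1
    find "$root/$d" -type f -exec chmod 0644 {} + || return 1
  done
}

# count_loose_perms <forum_root> <web_user>
# Prints how many entries under data/ and internal_data/ are still
# world-writable (-perm -002) or not owned by the web user. 0 means clean.
count_loose_perms() {
  root="$1"; user="$2"
  n=0
  for d in data internal_data; do
    n=$((n + $(find "$root/$d" -perm -002 | wc -l)))
    n=$((n + $(find "$root/$d" ! -user "$user" | wc -l)))
  done
  echo "$n"
}

# check_mode <path> <octal_mode>: true if the entry has exactly that mode.
# -prune keeps find from descending when <path> is a directory.
check_mode() {
  [ -n "$(find "$1" -prune -perm "$2")" ]
}

# Stand-alone use: ./harden.sh <forum_root> <web_user> <web_group>
if [ "$#" -eq 3 ]; then
  harden_xf_writable "$1" "$2" "$3"
  echo "entries still loose: $(count_loose_perms "$1" "$2")"
fi
```

Run `count_loose_perms` again after an upgrade or after restoring a backup: a non-zero result usually means something was copied in as root or as a shell user, which is exactly the situation that produced the "Permission Denied" upload failure above and tempts people back to 0777.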

