
Folder Permissions (Security)

#1
Hi,

My test forum is up and running great. After all, I noticed that the following folders (directories) in XF are set to 777, which always means a security problem. The directories are

/data
/internal_data

Both directories and all sub-directories in them show chmod 777 - Is that ok? I don't think so!

Wouldn't it be better to set the chmod to 770???


Ok, the next question is about the install folder. Do I have to keep it, or can I set its permission also to 770?

Thank you
 

Jeremy

Well-known member
#2
Hi,

My test forum is up and running great. After all, I noticed that the following folders (directories) in XF are set to 777, which always means a security problem. The directories are

/data
/internal_data

Both directories and all sub-directories in them show chmod 777 - Is that ok? I don't think so!

Wouldn't it be better to set the chmod to 770???


Ok, the next question is about the install folder. Do I have to keep it, or can I set its permission also to 770?

Thank you
The /data folder is where all uploads are sent from users.
The /internal_data is written to by the install script when you run an upgrade or install.

You need the other to write to said folder.

After you run the installer, it should be fine to remove the install directory.
 
#5
No problem guys, I will just chmod it down and that's it ;) Seems like the other folders work with 770 too. At least on my system.
 

Floren

Well-known member
#7
If I remember correctly there are instructions that some people had to set it at 770. 777 is the recommended.
The recommended mask is 0755, not 0770 or 0777. You are basically opening your server to any hacker when you do this. This is my setting:
Code:
# grep chmod /var/www/html/community/library/config.php
$config['chmodWritableValue'] = 0644;
Changing the permissions to 0755 and 0644 is the safest way. I like to take it a notch higher and block the directories or files from an external access, so someone who is probing stuff will get an error.
 

Floren

Well-known member
#9
The XenForo recommendation is 0777, as per the installation instructions: http://xenforo.com/help/installation/
I understand, I was recommending the proper settings for a directory accessible from external source.
And Mike posted a while ago how easy it is to set up the directories with the right mask, using the variable I mentioned before.

This is what I mean by taking the directory and file protection one step further:
https://www.axivo.com/community/library/
https://www.axivo.com/community/library/config.php
 
#10
I understand, I was recommending the proper settings for a directory accessible from external source.
And Mike posted a while ago how easy it is to set up the directories with the right mask, using the variable I mentioned before.

This is what I mean by taking the directory and file protection one step further:
https://www.axivo.com/community/library/
https://www.axivo.com/community/library/config.php
What did you change in your configuration to get a Xenforo based 403 error? I'm receiving the default apache2 default 403 error instead.

All other errors seem to handle a proper Xenforo error page except for the 403.
 

Floren

Well-known member
#12
Also, how would you return a 403 error if the directory permissions for /data & /internal_data need 0777 to function?
The /data and /internal_data directories do NOT need to be set to 0777; it is not a good idea to open your server like that. Mine are set to 0755. I did not change anything yet because I'm still waiting for a solution how to display friendly errors in XenForo. So far I addressed only the 404.
 
#13
The /data and /internal_data directories do NOT need to be set to 0777; it is not a good idea to open your server like that. Mine are set to 0755. I did not change anything yet because I'm still waiting for a solution how to display friendly errors in XenForo. So far I addressed only the 404.
I'm unable to set the directories to 0755 recursively. It breaks the entire image upload option. If I only chmod 0755 "data" and "internal_data", no issues.

What I'm more interested in is having someone physically type in the address bar "https://forum.com/data" and receive the Xenforo 404 error of "The forum data could not be found" instead of the default Apache 404 page.
 

Floren

Well-known member
#14
I'm unable to set the directories to 0755 recursively. It breaks the entire image upload option.
http://xenforo.com/community/threads/php-fpm-configuration-encountered-and-error.79759/#post-803113
What I'm more interested in is having someone physically type in the address bar "https://forum.com/data" and receive the Xenforo 404 error of "The forum data could not be found" instead of the default Apache 404 page.
No idea how to do this in Apache, I use Nginx.
 
#15

@Floren

Even after changing all the files to 0644 and all directories to 0755, I'm still unable to upload images correctly unless full access is given.

(Permission Denied Failed to open stream)

Not sure on this one. I'm going to start a new thread anyway for 404'ing present directories with Xenforo's error page using Apache2. Thanks for the help!
 

Floren

Well-known member
#16
Probably you did not make the directory owned by the Apache user (in your case), like I posted on my previous link? Not sure if pooloperator is your actual Apache user.
 
#17
Probably you did not make the directory owned by the Apache user (in your case), like I posted on my previous link? Not sure if pooloperator is your actual Apache user.
Shouldn't be an issue at all.
Code:
groups pooloperator

pooloperator: pooloperator www-data
Hell, I even just set it all back to root:www-data. Still no go with 0755 on directories and 0644 on files in /data and /internal_data.
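
The ownership question raised in posts #16 and #17, as an added example that is not from any poster in this thread or from XenForo: at 0755/0644 only the owning account can write, so group membership does not grant write access and the useful check is whether the PHP process user owns everything under the upload tree. The function names and `WEB_USER` are assumptions for illustration, and the tree it runs on is constructed.

```shell
#!/bin/sh
# Added example: audit and tighten an upload tree such as data/ or internal_data/.

# Print every non-symlink entry under $1 that any local account can write to.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Print entries under $1 NOT owned by user $2 (name or numeric uid). At
# 0755/0644 only the owner can write, so these are where uploads would fail.
not_owned_by() {
    find "$1" ! -user "$2" -print
}

# Set directories to 0755 and regular files to 0644 under $1.
tighten() {
    find "$1" -type d -exec chmod 0755 {} +
    find "$1" -type f -exec chmod 0644 {} +
}

# Return 0 only when nothing is world-writable and $2 owns everything.
audit() {
    dir=$1; user=$2; rc=0
    ww=$(world_writable "$dir")
    foreign=$(not_owned_by "$dir" "$user")
    if [ -n "$ww" ]; then
        printf 'world-writable:\n%s\n' "$ww"; rc=1
    fi
    if [ -n "$foreign" ]; then
        printf 'not owned by %s:\n%s\n' "$user" "$foreign"; rc=1
    fi
    return "$rc"
}

# Constructed demo tree, so nothing on a real site is touched.
demo=$(mktemp -d)
mkdir -p "$demo/data/attachments"
: > "$demo/data/attachments/1.data"
chmod 0777 "$demo/data" "$demo/data/attachments"
chmod 0666 "$demo/data/attachments/1.data"
WEB_USER=$(id -u)   # assumption: the current user stands in for the PHP user

audit "$demo/data" "$WEB_USER" || echo "-> world-writable, tighten it"
tighten "$demo/data"
audit "$demo/data" "$WEB_USER" && echo "-> clean at 0755/0644"
rm -rf "$demo"
```

On a real install, run `not_owned_by` with the account PHP actually runs as before calling `tighten`; any path it lists will stop accepting writes once the world and group write bits are gone.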