I would like to use the one of the Add-on Install & Upgrade tools (either the one by @Chris Deeming or the one by @Waindigo), but, wanting to run a secure server, I am concerned about giving write permissions too liberally. Basically, these addons can save you a lot of time but require you to give 777 permissions to most or all of your xenForo folder.
I had an idea for a workaround that would make me feel considerably more comfortable. I'd love to hear people's thoughts on whether it is feasible.
The idea is related to an idea put forth by @HittingSmoke :
Basically, right before you install or upgrade an addon using the tool, you chmod -R 777 XenforoRootDirectory/ and then, after you are done, you chmod -R 755 it again (assuming you are, in general, comfortable with 755).
My approach is similar but involves less recursive chmodding. Basically, you run the following commands ONCE:
# creates a new group called addon. Because it is new, no one belongs to it. groupadd addon # gives the entire xenForo directory to this empty group chgrp -R addon xenForoRootDirectory # gives the owning group full permissions chmod -R g=rwx xenForoRootDirectory/
Then, when you want to install or upgrade addons you run:
# adds HTTPD to the empty addon group. usermod -a -G addon HTTPD
When you are done, just remove HTTPD from the addon group. This removes all special permissions.
I like the idea because not matter what you do, you're pretty much going to have to give write permission to HTTPD. If any of the scripts you run has a security flaw in them, then a hacker would be able to rewrite anything in your xenForo root folder. Maybe I have a stick up my butt, but I would hesitate to give HTTPD those sort of write permissions for years at a time. But for 2 minutes at a time? This feels safer to me. Yes, I know it's not secure. But it seems a lot better than 777. And I can't think of a better way to run these addons, which seem quite helpful.
I'm posting this here because it seems more likely to get a response from people interested in server configuration. Plus, it seems equally relevant to the two installer addons, so I wouldn't know where to put it anyway.