XF files, owner, permissions and security

[karll]

In trying to make Chris Deeming's auto-installer add-on work, I've found that the likely problem is that my XF files & folders are owned by me whereas Apache runs as a different user (www-data) and don't have write permission to the library/, js/ etc folders and files inside.

So what is the best solution to this? Would I be compromising security by changing the owner of all XF files & folders to www-data? Or should I just give write permissions to everyone (chmod 0777 on folders, chmod 0666 on files)?

My site is running on a VPS and I have full control over everything.

 

[Deebs]

You see for me this is why I would never allow an auto-installer permissions to write to anywhere where PHP could be executed. It just opens up server security for abuse via different methods. My entire XF structure, apart from data and internal_data, is readonly and owned by root. Nothing can make any changes to the "application" files or create new ones and PHP has been set to be disabled from the data,internal_data directories.

Each server administrator will have their own take on how secure they want their servers to be, mine is above.

 

[shawn]

I'm pretty much in agreement with Deebs. I didn't go so far as to disable PHP execution in the data directories, though.

I have found problems with some add-ons wanting to create files/folders/etc when they install, so some things are set to 775, with the group assignment set to one that the web server shares. However, now that I think about it... maybe I should chmod them all back to 755...

 

[Deebs]

I'm pretty much in agreement with Deebs. I didn't go so far as to disable PHP execution in the data directories, though.

I have found problems with some add-ons wanting to create files/folders/etc when they install, so some things are set to 775, with the group assignment set to one that the web server shares. However, now that I think about it... maybe I should chmod them all back to 755...

I have a little script that once I have deployed any new files into the web structure I run, it secures the tree once again just in case. Actually just checked it, every is 550 apart from data, internal_data which is 750.

 

[Mouth]

I have a little script that once I have deployed any new files into the web structure I run, it secures the tree once again just in case.

Would be great to share that script

 

[karll]

Is there any way you could imagine I could make the auto installer more secure? suPHP has been mentioned ... Is it the fact that it's web based that makes it less secure?

 

[Ghan_04]

I use Litespeed, which has an easy way to implement suPHP, and that eliminates any file ownership issues you might have (with regard to PHP). What I typically do is add the Litespeed user to group of the user who owns the web files, then just do chmod 2770 (2 sets the sticky bit so new directories are created with the group ownership set to the owner of the parent directory) for directories and 660 for files.