XF files, owner, permissions and security

karll

karll

Well-known member
In trying to make Chris Deeming's auto-installer add-on work, I've found that the likely problem is that my XF files & folders are owned by me whereas Apache runs as a different user (www-data) and don't have write permission to the library/, js/ etc folders and files inside.

So what is the best solution to this? Would I be compromising security by changing the owner of all XF files & folders to www-data? Or should I just give write permissions to everyone (chmod 0777 on folders, chmod 0666 on files)?

My site is running on a VPS and I have full control over everything.
 
You see for me this is why I would never allow an auto-installer permissions to write to anywhere where PHP could be executed. It just opens up server security for abuse via different methods. My entire XF structure, apart from data and internal_data, is readonly and owned by root. Nothing can make any changes to the "application" files or create new ones and PHP has been set to be disabled from the data,internal_data directories.

Each server administrator will have their own take on how secure they want their servers to be, mine is above.
 
I'm pretty much in agreement with Deebs. I didn't go so far as to disable PHP execution in the data directories, though.

I have found problems with some add-ons wanting to create files/folders/etc when they install, so some things are set to 775, with the group assignment set to one that the web server shares. However, now that I think about it... maybe I should chmod them all back to 755...
 
shawn said:
I'm pretty much in agreement with Deebs. I didn't go so far as to disable PHP execution in the data directories, though.

I have found problems with some add-ons wanting to create files/folders/etc when they install, so some things are set to 775, with the group assignment set to one that the web server shares. However, now that I think about it... maybe I should chmod them all back to 755...
Click to expand...
I have a little script that once I have deployed any new files into the web structure I run, it secures the tree once again just in case. Actually just checked it, every is 550 apart from data, internal_data which is 750.
 
Is there any way you could imagine I could make the auto installer more secure? suPHP has been mentioned ... Is it the fact that it's web based that makes it less secure?
 
I use Litespeed, which has an easy way to implement suPHP, and that eliminates any file ownership issues you might have (with regard to PHP). What I typically do is add the Litespeed user to group of the user who owns the web files, then just do chmod 2770 (2 sets the sticky bit so new directories are created with the group ownership set to the owner of the parent directory) for directories and 660 for files.
 
You must log in or register to reply here.

Similar threads

Ferry
  • Solved
XF 2.2 Not importing attachments when migrating from XF to XF
Replies
6
Views
478
Ferry
Ferry
Potyh
  • Locked
Not a bug Add-ons install problem
Replies
0
Views
514
Potyh
Potyh
N
  • Question Question
XF 2.2 XF\Db\Exception: MySQL query error [1048]: Column 'ip_id' cannot be null in src/XF/Db/AbstractStatement.php at line 230
Replies
2
Views
193
nathanw
N
CtrlV
  • Question Question
XF 2.2 paths must be writable: js, src/addons, styles, src/XF/Repository/AddOn.php.
Replies
12
Views
858
CtrlV
CtrlV
Frode789
  • Suggestion Suggestion
Speed optimization/improvements in core XF
Replies
1
Views
1K
nodle
nodle
Top Bottom