Inconsistancy in Gallery 1 install instructions: Please explain and/or fix

mattwill

Joined: 2005-12-05
Posts: 13
Posted: Thu, 2005-12-08 22:34

I am up and running with G1.5, but I wanted to point out these inconsistancies to you folks in order to possibly help the next guy....

I was reading the instructions "to a tee" as they say, because being fairly NOT knowledgable about this stuff wanted to make sure i did everything right.

Please note the descrepancy in the screen shot versus what the instructions say to do.
http://codex.gallery2.org/index.php/Gallery1:Installation_on_a_Unix/Linux_Server_with_FTP

The instruction states:
chmod 666 .htaccess YET the screen shot contains a 777
chmod 666 config.php YET the screen shot contains a 777

I went with the 666, thinking they were right and teh screen shot was a minor mistake. I hope i chose correctly.

BTW as i mentioned i am new to this so there could be a perfect explanation for this and its NOT a mistake. But I would be amazed if these havent been pointed out before.

Thanks,
mattwill

 
ckdake
ckdake's picture

Joined: 2004-02-18
Posts: 2258
Posted: Thu, 2005-12-08 22:49

Either one is ok. 666 means anyone can read/write where 777 means that anyone can read/write/execute. Either one of these are ok for setting up Gallery and the config wizard should tell you to set the permissions to be tighter at the end. I changed the page to match the images, thanks for pointing this out.

 
h0bbel
h0bbel's picture

Joined: 2002-07-28
Posts: 13451
Posted: Thu, 2005-12-08 23:05

Oh wow, never noticed. Thanks :)


h0bbel - Gallery Team
If you found my help useful, please consider donating to Gallery
http://h0bbel.p0ggel.org

 
mattdm

Joined: 2005-07-22
Posts: 181
Posted: Mon, 2006-01-23 02:50

Actually, a better way to phrase it would be "neither of these are okay". Files should never be set to mode 666 or to mode 777. The instructions just say to do that because it's easier than explaining the right way, and if you are the only one with access to the server where you're installing gallery, it generally is harmless -- it just increases the risk of your system being hacked.

Unfortunately, exactly the people to whom this advice is directed -- users who don't have a good understanding of Unix security -- are the ones who shouldn't be given bad advice like this. :(

 
ckdake
ckdake's picture

Joined: 2004-02-18
Posts: 2258
Posted: Mon, 2006-01-23 04:40

mattdm: If you can come up with some better documentation on how to set up permissions for Gallery 1 it would be greatly appreciated. Documentation is one of the areas where we lack the most, and with the huge number of different types of web server setups Gallery can be installed on, we have not been able to write documentation that covers it all.

777 is the most effective guaranteed overall way to get things working on different systems regardless of whether apache is running as that user, in a chroot, as a user in a group that is the same as the user, in a group of its own, on a file system with crazy ACL stuff, and if php is mod_php or phpcgi.

 
mattdm

Joined: 2005-07-22
Posts: 181
Posted: Mon, 2006-01-23 05:00

Prioritizing "getting things working" over "not shooting yourself in the foot" is a mistake. I know it reduces support hassles for you, but it's very frustrating as a sysadmin to have to keep telling people "Ignore the documentation! I know better! Trust me!". The documentation should at least mention that there's a better way.

I know that getting set up quickly is one of the big selling points of Gallery, but the fact is, in order to run it securely, users need to have a slight clue. Encouraging them to set it up insecurely rather than encouraging getting the information required to do it right is the wrong approach.

 
ckdake
ckdake's picture

Joined: 2004-02-18
Posts: 2258
Posted: Mon, 2006-01-23 06:23

I really did mean that we would appreciate your help with better documentation. Anyone can sign up for a codex account and edit that page, and if you can fix it and point your users to it, everyone wins. There is a lot for the small team of us to work on and permission settings docs for Gallery 1 (and I agree that they should be better) aren't at the top of the list

 
h0bbel
h0bbel's picture

Joined: 2002-07-28
Posts: 13451
Posted: Mon, 2006-01-23 08:03

In a hosted environment, with non cgi/phpsuexec, there is not much we can do about this. If it was, we would...


h0bbel - Gallery Team
If you found my help useful, please consider donating to Gallery
http://h0bbel.p0ggel.org

 
mattdm

Joined: 2005-07-22
Posts: 181
Posted: Mon, 2006-01-23 13:55

ckdake -- I'll see what I can do.

h0bbel -- any decent hosting provider should provide either that or a supplementary group configuration where you can use 770 or 707. I agree that the docs should explain when 777 might be the only choice (short of convincing the hosting site to provide secure options, oe switching hosting companies, which is honestly what I'd do). But we shouldn't make that the recommended configuration.

 
h0bbel
h0bbel's picture

Joined: 2002-07-28
Posts: 13451
Posted: Mon, 2006-01-23 14:12

Well, most of our clients wouldn't like to have to change hosts to be able to run Gallery, or any other PHP app that creates files on the filesystem. Please have a look at how we can improve and better explain the situation in the docs, after all it's a wiki were you can contribute directly.


h0bbel - Gallery Team
If you found my help useful, please consider donating to Gallery
http://h0bbel.p0ggel.org

 
h0bbel
h0bbel's picture

Joined: 2002-07-28
Posts: 13451
Posted: Mon, 2006-01-23 18:32

Or, have a look at http://codex.gallery2.org/index.php/Gallery2:Security


h0bbel - Gallery Team
If you found my help useful, please consider donating to Gallery
http://h0bbel.p0ggel.org