Inconsistancy in Gallery 1 install instructions: Please explain and/or fix

mattwill

Joined: 2005-12-05
Posts: 13

Posted: Thu, 2005-12-08 22:34

I am up and running with G1.5, but I wanted to point out these inconsistancies to you folks in order to possibly help the next guy....

I was reading the instructions "to a tee" as they say, because being fairly NOT knowledgable about this stuff wanted to make sure i did everything right.

Please note the descrepancy in the screen shot versus what the instructions say to do.
http://codex.gallery2.org/index.php/Gallery1:Installation_on_a_Unix/Linux_Server_with_FTP

The instruction states:
chmod 666 .htaccess YET the screen shot contains a 777
chmod 666 config.php YET the screen shot contains a 777

I went with the 666, thinking they were right and teh screen shot was a minor mistake. I hope i chose correctly.

BTW as i mentioned i am new to this so there could be a perfect explanation for this and its NOT a mistake. But I would be amazed if these havent been pointed out before.

Thanks,
mattwill

ckdake

Joined: 2004-02-18
Posts: 2258

Posted: Thu, 2005-12-08 22:49

Either one is ok. 666 means anyone can read/write where 777 means that anyone can read/write/execute. Either one of these are ok for setting up Gallery and the config wizard should tell you to set the permissions to be tighter at the end. I changed the page to match the images, thanks for pointing this out.

h0bbel

Joined: 2002-07-28
Posts: 13451

Posted: Thu, 2005-12-08 23:05

Oh wow, never noticed. Thanks

h0bbel - Gallery Team
If you found my help useful, please consider donating to Gallery
http://h0bbel.p0ggel.org

mattdm

Joined: 2005-07-22
Posts: 181

Posted: Mon, 2006-01-23 02:50

Actually, a better way to phrase it would be "neither of these are okay". Files should never be set to mode 666 or to mode 777. The instructions just say to do that because it's easier than explaining the right way, and if you are the only one with access to the server where you're installing gallery, it generally is harmless -- it just increases the risk of your system being hacked.

Unfortunately, exactly the people to whom this advice is directed -- users who don't have a good understanding of Unix security -- are the ones who shouldn't be given bad advice like this.

ckdake

Joined: 2004-02-18
Posts: 2258

Posted: Mon, 2006-01-23 04:40

mattdm: If you can come up with some better documentation on how to set up permissions for Gallery 1 it would be greatly appreciated. Documentation is one of the areas where we lack the most, and with the huge number of different types of web server setups Gallery can be installed on, we have not been able to write documentation that covers it all.

777 is the most effective guaranteed overall way to get things working on different systems regardless of whether apache is running as that user, in a chroot, as a user in a group that is the same as the user, in a group of its own, on a file system with crazy ACL stuff, and if php is mod_php or phpcgi.

mattdm

Joined: 2005-07-22
Posts: 181

Posted: Mon, 2006-01-23 05:00

Prioritizing "getting things working" over "not shooting yourself in the foot" is a mistake. I know it reduces support hassles for you, but it's very frustrating as a sysadmin to have to keep telling people "Ignore the documentation! I know better! Trust me!". The documentation should at least mention that there's a better way.

I know that getting set up quickly is one of the big selling points of Gallery, but the fact is, in order to run it securely, users need to have a slight clue. Encouraging them to set it up insecurely rather than encouraging getting the information required to do it right is the wrong approach.

ckdake

Joined: 2004-02-18
Posts: 2258

Posted: Mon, 2006-01-23 06:23

I really did mean that we would appreciate your help with better documentation. Anyone can sign up for a codex account and edit that page, and if you can fix it and point your users to it, everyone wins. There is a lot for the small team of us to work on and permission settings docs for Gallery 1 (and I agree that they should be better) aren't at the top of the list

h0bbel

Joined: 2002-07-28
Posts: 13451

Posted: Mon, 2006-01-23 08:03

In a hosted environment, with non cgi/phpsuexec, there is not much we can do about this. If it was, we would...

h0bbel - Gallery Team
If you found my help useful, please consider donating to Gallery
http://h0bbel.p0ggel.org

mattdm

Joined: 2005-07-22
Posts: 181

Posted: Mon, 2006-01-23 13:55

ckdake -- I'll see what I can do.

h0bbel -- any decent hosting provider should provide either that or a supplementary group configuration where you can use 770 or 707. I agree that the docs should explain when 777 might be the only choice (short of convincing the hosting site to provide secure options, oe switching hosting companies, which is honestly what I'd do). But we shouldn't make that the recommended configuration.

h0bbel

Joined: 2002-07-28
Posts: 13451

Posted: Mon, 2006-01-23 14:12

Well, most of our clients wouldn't like to have to change hosts to be able to run Gallery, or any other PHP app that creates files on the filesystem. Please have a look at how we can improve and better explain the situation in the docs, after all it's a wiki were you can contribute directly.

h0bbel - Gallery Team
If you found my help useful, please consider donating to Gallery
http://h0bbel.p0ggel.org

h0bbel

Joined: 2002-07-28
Posts: 13451

Posted: Mon, 2006-01-23 18:32

Or, have a look at http://codex.gallery2.org/index.php/Gallery2:Security

h0bbel - Gallery Team
If you found my help useful, please consider donating to Gallery
http://h0bbel.p0ggel.org

mattwill Joined: 2005-12-05 Posts: 13	Posted: Thu, 2005-12-08 22:34
	I am up and running with G1.5, but I wanted to point out these inconsistancies to you folks in order to possibly help the next guy.... I was reading the instructions "to a tee" as they say, because being fairly NOT knowledgable about this stuff wanted to make sure i did everything right. Please note the descrepancy in the screen shot versus what the instructions say to do. http://codex.gallery2.org/index.php/Gallery1:Installation_on_a_Unix/Linux_Server_with_FTP The instruction states: chmod 666 .htaccess YET the screen shot contains a 777 chmod 666 config.php YET the screen shot contains a 777 I went with the 666, thinking they were right and teh screen shot was a minor mistake. I hope i chose correctly. BTW as i mentioned i am new to this so there could be a perfect explanation for this and its NOT a mistake. But I would be amazed if these havent been pointed out before. Thanks, mattwill
	XUser login Username: * Password: * Create new account Request new password
ckdake Joined: 2004-02-18 Posts: 2258	Posted: Thu, 2005-12-08 22:49
	Either one is ok. 666 means anyone can read/write where 777 means that anyone can read/write/execute. Either one of these are ok for setting up Gallery and the config wizard should tell you to set the permissions to be tighter at the end. I changed the page to match the images, thanks for pointing this out.

h0bbel Joined: 2002-07-28 Posts: 13451	Posted: Thu, 2005-12-08 23:05
	Oh wow, never noticed. Thanks h0bbel - Gallery Team If you found my help useful, please consider donating to Gallery http://h0bbel.p0ggel.org

mattdm Joined: 2005-07-22 Posts: 181	Posted: Mon, 2006-01-23 02:50
	Actually, a better way to phrase it would be "neither of these are okay". Files should never be set to mode 666 or to mode 777. The instructions just say to do that because it's easier than explaining the right way, and if you are the only one with access to the server where you're installing gallery, it generally is harmless -- it just increases the risk of your system being hacked. Unfortunately, exactly the people to whom this advice is directed -- users who don't have a good understanding of Unix security -- are the ones who shouldn't be given bad advice like this.

ckdake Joined: 2004-02-18 Posts: 2258	Posted: Mon, 2006-01-23 04:40
	mattdm: If you can come up with some better documentation on how to set up permissions for Gallery 1 it would be greatly appreciated. Documentation is one of the areas where we lack the most, and with the huge number of different types of web server setups Gallery can be installed on, we have not been able to write documentation that covers it all. 777 is the most effective guaranteed overall way to get things working on different systems regardless of whether apache is running as that user, in a chroot, as a user in a group that is the same as the user, in a group of its own, on a file system with crazy ACL stuff, and if php is mod_php or phpcgi.

mattdm Joined: 2005-07-22 Posts: 181	Posted: Mon, 2006-01-23 05:00
	Prioritizing "getting things working" over "not shooting yourself in the foot" is a mistake. I know it reduces support hassles for you, but it's very frustrating as a sysadmin to have to keep telling people "Ignore the documentation! I know better! Trust me!". The documentation should at least mention that there's a better way. I know that getting set up quickly is one of the big selling points of Gallery, but the fact is, in order to run it securely, users need to have a slight clue. Encouraging them to set it up insecurely rather than encouraging getting the information required to do it right is the wrong approach.

ckdake Joined: 2004-02-18 Posts: 2258	Posted: Mon, 2006-01-23 06:23
	I really did mean that we would appreciate your help with better documentation. Anyone can sign up for a codex account and edit that page, and if you can fix it and point your users to it, everyone wins. There is a lot for the small team of us to work on and permission settings docs for Gallery 1 (and I agree that they should be better) aren't at the top of the list

h0bbel Joined: 2002-07-28 Posts: 13451	Posted: Mon, 2006-01-23 08:03
	In a hosted environment, with non cgi/phpsuexec, there is not much we can do about this. If it was, we would... h0bbel - Gallery Team If you found my help useful, please consider donating to Gallery http://h0bbel.p0ggel.org

mattdm Joined: 2005-07-22 Posts: 181	Posted: Mon, 2006-01-23 13:55
	ckdake -- I'll see what I can do. h0bbel -- any decent hosting provider should provide either that or a supplementary group configuration where you can use 770 or 707. I agree that the docs should explain when 777 might be the only choice (short of convincing the hosting site to provide secure options, oe switching hosting companies, which is honestly what I'd do). But we shouldn't make that the recommended configuration.

h0bbel Joined: 2002-07-28 Posts: 13451	Posted: Mon, 2006-01-23 14:12
	Well, most of our clients wouldn't like to have to change hosts to be able to run Gallery, or any other PHP app that creates files on the filesystem. Please have a look at how we can improve and better explain the situation in the docs, after all it's a wiki were you can contribute directly. h0bbel - Gallery Team If you found my help useful, please consider donating to Gallery http://h0bbel.p0ggel.org

h0bbel Joined: 2002-07-28 Posts: 13451	Posted: Mon, 2006-01-23 18:32
	Or, have a look at http://codex.gallery2.org/index.php/Gallery2:Security h0bbel - Gallery Team If you found my help useful, please consider donating to Gallery http://h0bbel.p0ggel.org

Inconsistancy in Gallery 1 install instructions: Please explain and/or fix

XUser login