g2data and chmod 777 - can I change it to 775 or 755?

brianlees

Joined: 2002-08-17
Posts: 51
Posted: Fri, 2005-12-09 15:24

Gallery version (not just "2"):2.0.2
PHP version (e.g. 4.3.11):4.3.11
PHPInfo Link (see FAQ):
Webserver (e.g. Apache 1.3.33):Apache 1.3.33
Database (e.g. MySql 4.0.11): 4.0.22-standard
Activated toolkits (e.g. NetPbm, GD):
Operating system (e.g. Linux):
Browser (e.g. Firefox 1.0):

My website was recently hacked because of the permissions of the g2data directory being 777. Do they always have to be 777? Can they be more secure? If so, do I ever need to change them back to 777 for any reason?

Thanks

Brian

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Fri, 2005-12-09 16:03

on shared webhosting you can't do much if php is run as apache module and not as cgi.
you have to leave the g2data folder writable by the webserver user.
and if the webhost doesn't set up proper open_basedir restrictions or allows also other scripting languages (e.g. perl), you can't prevent other accounts on the same host from deleting / modifying your g2data folder.
it doesn't even need a malicious account owner on this webhost, all it needs is a single, vulnerable script that is installed on this server, and someone could exploit this script and delete / copy data from every account user on this shared webhost.

most webhosts configure the php open_basedir correctly, which is already a reasonable improvement in security if only php scripts are run on this host.

even better webhosts run php as fast-cgi + suexec + chroot jail and then you can make 100% sure that only you and no one else can read/write to your g2data folder / to your config.php.
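
An added example, not part of the forum posts: a shell helper that works out the tightest directory mode that still leaves g2data writable by the webserver user, and lists entries that any local account can modify. The function names, the user name `apache` and the path in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example: pick the tightest g2data mode that keeps it writable by the
# webserver user. User name "apache" and all paths are assumptions.

# required_mode OWNER GROUP WEB_USER "WEB_GROUPS"
# Prints 755, 775 or 777 for a directory owned by OWNER:GROUP.
required_mode() {
    owner=$1 group=$2 web_user=$3 web_groups=$4
    if [ "$owner" = "$web_user" ]; then
        echo 755; return            # webserver user owns it: owner bits suffice
    fi
    for g in $web_groups; do
        if [ "$g" = "$group" ]; then
            echo 775; return        # shared group: group write suffices
        fi
    done
    echo 777                        # webserver user is "other": world write needed
}

# dir_required_mode DIR WEB_USER: same decision, read from the live filesystem.
dir_required_mode() {
    dir=$1 web_user=$2
    set -- $(ls -ld "$dir" | awk '{print $3, $4}')   # owner and group names
    required_mode "$1" "$2" "$web_user" "$(id -Gn "$web_user")"
}

# world_writable DIR: list entries that every local account can modify.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Usage (placeholder path):
#   dir_required_mode /path/to/g2data apache
#   world_writable /path/to/g2data
```

A result of 777 corresponds to the mod_php shared-hosting case described above, where the webserver user is neither the owner nor in the directory's group.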