File permissions

tonysab

Joined: 2004-11-03
Posts: 44
Posted: Wed, 2008-10-29 15:27

Can somebody please confirm what file permissions should be set at folder and file level within g2data?
Thanks in advance.

 
nivekiam

Joined: 2002-12-10
Posts: 16503
Posted: Wed, 2008-10-29 16:17

Depends on how your server is set up. Does Apache or PHP run as your user account? If so, you can set directories to 700 and files to 600. If not, then g2data should be 777 and then Apache/PHP will create the other directories and files as 755/644 (respectively).

http://codex.gallery2.org/Gallery2:Security
____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here

 
tonysab

Joined: 2004-11-03
Posts: 44
Posted: Wed, 2008-10-29 16:39

Thanks, is it a security risk though having g2data as 777, even though it is outside of the web root?

 
nivekiam

Joined: 2002-12-10
Posts: 16503
Posted: Wed, 2008-10-29 18:15

If Apache or PHP doesn't run as your user account, it's the only way for Gallery to write to that directory. Any file or directory it creates will be set to 644 (files) or 755 (directories) by default and only the webserver user will be able to change them.

It's not a huge risk, but if on a shared server, then depending on how the server is configured, someone malicious could at least read and copy what's there and if the files are owned by the webserver, then again depending how the server is configured, someone could possibly run a script from their site and modify/delete files there.

If Apache or PHP run as your user account then you can secure things pretty tightly:
http://codex.gallery2.org/Gallery2:Security#Learn_the_Basics_about_your_Webserver

http://codex.gallery2.org/Gallery2:Security#Restricting_Read_.26_Write_Access_to_Gallery_2_Files_and_Directories

On my server, PHP can be run in a php-cgiwrap mode, making it run under your user account. I'm a bit overly paranoid, so on my production site I have the permissions set pretty tight. Absolutely nothing can change any files, even myself, without opening up some permissions. Basically the gallery portion of the site is set in stone until I deliberately make a change. Which makes it a total pain when/if I want to modify anything (like themes, adding plugins, etc.) but prevents any script, or even the server itself, from modifying any files. Only an exploit that was able to run arbitrary code and change file permissions would be able to make changes.

My g2data and all directories are set to 700, all files are set to 600. g2data is also outside of the webroot.

Here is how I have my gallery install set, which is probably a bigger pain than most want to deal with:

Quote:
# Make sure I can write to them to make changes first in case I've already run my secure script
# all directories to 701
find . -type d -exec chmod 701 {} +

# all files to 404 (make sure gif, jpg, css, js, etc can be read by the server)
find . -type f -exec chmod 404 {} +

# php files to 400
find . -type f -name "*.php" -exec chmod 400 {} +

# inc files to 400
find . -type f -name "*.inc" -exec chmod 400 {} +

# tpl files to 400
find . -type f -name "*.tpl" -exec chmod 400 {} +

# class files to 400
find . -type f -name "*.class" -exec chmod 400 {} +

# MANIFEST to 400
find . -type f -name "MANIFEST" -exec chmod 400 {} +

# LICENSE to 400
find . -type f -name "LICENSE" -exec chmod 400 {} +

# README.html to 400
find . -type f -name "README.html" -exec chmod 400 {} +

# all directories to 501
find . -type d -exec chmod 501 {} +

# current directory to 501
chmod 501 ./

# lib/support to 0
# upgrade to 0
# install to 0
chmod 000 upgrade install lib/support

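As an added example (not part of the original posts), a POSIX shell audit that checks a data directory against the 700/600 modes mentioned in the thread and flags world-writable entries such as a 777 g2data. The function names and the path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and paths are hypothetical.

# deviations DIR DIR_MODE FILE_MODE
# Print every directory or regular file under DIR whose permission bits are
# not exactly the expected octal mode (e.g. 700 / 600 when PHP runs as you).
deviations() {
    find "$1" -type d ! -perm "$2" -exec printf 'DIR  %s\n' {} \;
    find "$1" -type f ! -perm "$3" -exec printf 'FILE %s\n' {} \;
}

# world_writable DIR
# Print entries that any local account can modify: the exposure discussed for
# a 777 g2data on a shared server. Symlinks are skipped (their mode is unused).
world_writable() {
    find "$1" ! -type l -perm -002 -print
}

# audit DIR DIR_MODE FILE_MODE
# Print all findings; return 0 only if nothing deviates and nothing is
# world-writable, so the function can gate a cron job or deploy script.
audit() {
    out=$(
        deviations "$1" "$2" "$3"
        world_writable "$1" | sed 's/^/WORLD-WRITABLE /'
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage (placeholder path): audit /home/user/g2data 700 600
```

Run it as the account that owns the files, since directories set to 700 cannot be traversed by other non-root users.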