File Permission Issues

JeremyT

Joined: 2010-10-25
Posts: 5
Posted: Mon, 2010-10-25 23:23

Following the Security Article as seen here: http://codex.gallery2.org/Gallery2:Security#How_to_Configure_a_Secure_Webserver

I've got a dedicated server that's using Fast-CGI instead of mod_php. Scripts are run under specific accounts.

I follow everything under "c) PHP as cgi and scripts run under your user" and have no issue.

But when I continue on to the "Restricting the Rights of the Webserver User", everything breaks when I perform "Read+Execute for gallery2 folder and its subfolders" by chmod -R 500 (read+execute). At that point, I'm given a 403 Forbidden error when trying to access my gallery.

I've made sure that the user running the scripts has file ownership (chown -R) for the directories. It only works if I chmod -R 555 the gallery directory.

Second issue:
According to the following article: http://codex.gallery2.org/Gallery2:Security#How_to_Configure_a_Secure_Webserver

Under: Restricting Read & Write Access to Gallery 2 Files and Directories
and c) PHP as cgi and scripts run under your user

It states: "Set the permissions of g2data to 700 (read+write+execute permissions for owner/you, no permissions for anyone else). Apply the permissions recursively (also for all subfolder, files, ...). "

This is inconsistent with a statement under Restricting the Rights of the Webserver User that states:
"Read+Write for all files in g2data and the files in its subfolders"

In the first statement, it clearly states "also for all subfolder, files, ...", while the latter goes on to re-do the permissions?

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Mon, 2010-10-25 23:35

If you're setting g2data to 500, yeah, that'll break everything. The webserver needs to write to that directory and all files and sub-directories. That should be 700.

There is nothing in that doc that states setting anything to 500.

400 for config.php
600 for other files
700 for directories

And still, depending on how your server is configured, some files, like css, js, png, gif, jpg, etc., may still need to be set to 644. For example, on my shared host I have php running as a cgi and under my user via php-cgiwrap. However, that only works for php files. All other files that are still served by Apache still need to be readable by the Apache user.
____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here

 
JeremyT

Joined: 2010-10-25
Posts: 5
Posted: Mon, 2010-10-25 23:51

Hello, I'm still learning!

But when it states the following under Restricting the Rights of the Webserver User
"Read+Execute for gallery2 folder and its subfolders" - is that not chmod -R 500? 500 is read+execute? That's where I got the 500 from.

Just above that under c) PHP as cgi and scripts run under your user it does state:
"Set the permissions of g2data to 700 (read+write+execute permissions for owner/you, no permissions for anyone else). Apply the permissions recursively (also for all subfolder, files, ...). "

Is this not a bit contrary? This is why, in the latter part of my post above, I felt there was some inconsistency in that document as it's saying one thing and then another immediately following when both should be followed for that condition? If you're running php as cgi, then the script is running under your account and you should be able to restrict further?

 
JeremyT

Joined: 2010-10-25
Posts: 5
Posted: Mon, 2010-10-25 23:55

A follow-up: following the above advice, I'm back to a 403 Forbidden when trying to view anything in the gallery. This was when doing the following:
400 for config.php
600 for other files
700 for directories

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Tue, 2010-10-26 00:03
Quote:
Is this not a bit contrary?

No, your g2data directory should be in a completely separate location from your gallery2 directory.

They are separate directories for different purposes. gallery2 is where the code is, g2data is where a lot of the data is (the rest is in the database). Gallery needs to be able to write to g2data. For Gallery to function properly it only needs to read its code. However, if you want to download plugins and themes from Site Admin > Plugins > Get More Plugins (tab) you'll need to set the modules and themes directories to 700 as well.

Setting everything to 700, 400, 600, 500, etc., will only work IF Apache is also run as the same user who owns those files and directories. If it's run as a different user, then you need to set the permissions to 701 or 501 for directories and 604 or 404 for files. At which point it really isn't any more secure than 711, 511, 644 or 444.
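The two permission schemes nivekiam lays out (700/600/400 when PHP runs as the file owner; 701/604/404 when Apache runs as a different user) are easy to get wrong by hand with `chmod -R`, which sets the same mode on files and directories alike. The script below is an added example, not code from this thread or from the Gallery project: it applies each scheme with `find` so that directories and files get different modes, reads back the resulting mode portably, and counts world-writable entries as a sanity check. The function names and the temporary tree in the usage note are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the forum thread or the Gallery project).
# Applies the permission schemes discussed above to a directory tree and
# audits the result. Run it only against a constructed test tree, as in the
# usage note; it never looks up a real Gallery install on its own.

# Scheme A: PHP runs as the file owner (cgi + suexec / php-cgiwrap style).
# Directories 700, ordinary files 600, config.php 400.
apply_same_user_perms() {
    root="$1"
    find "$root" -type d -exec chmod 700 {} +
    find "$root" -type f -exec chmod 600 {} +
    [ -f "$root/config.php" ] && chmod 400 "$root/config.php"
    return 0
}

# Scheme B: Apache runs as a different user than the owner, so "other"
# needs x on directories (701) and r on files (604); config.php 404.
apply_separate_user_perms() {
    root="$1"
    find "$root" -type d -exec chmod 701 {} +
    find "$root" -type f -exec chmod 604 {} +
    [ -f "$root/config.php" ] && chmod 404 "$root/config.php"
    return 0
}

# Print the octal permission bits of a path. GNU stat and BSD stat differ,
# so try GNU syntax first and fall back to BSD.
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%OLp' "$1"
    fi
}

# Count entries under root that are writable by "other" (o+w). Neither
# scheme above should ever produce one; a nonzero count means something
# was chmod'ed outside the scheme.
count_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) -print | wc -l | tr -d ' '
}
```

Usage: build a throwaway tree (`T=$(mktemp -d); mkdir -p "$T/g2data/albums" "$T/gallery2"; touch "$T/gallery2/config.php"`), run `apply_same_user_perms "$T/g2data"` and `apply_separate_user_perms "$T/gallery2"`, then inspect with `mode_of` and `count_world_writable`. The split into two `find` invocations is the whole point: `chmod -R 500` gives files the execute bit they do not need and, as the thread shows, does not give Apache's user anything at all.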

 
JeremyT

Joined: 2010-10-25
Posts: 5
Posted: Tue, 2010-10-26 00:26

Sorry, there was a mix-up. I meant the documentation first states:
"Set the permissions of g2data to 700 (read+write+execute permissions for owner/you, no permissions for anyone else). Apply the permissions recursively (also for all subfolder, files, ...)."

Then, it later states:
"Read+Write for all files in g2data and the files in its subfolders" which does not include execute.

That was the inconsistency I was referring to. The first part says to set everything, files included, as 700 and then just a few lines later, the documentation states to set it to only "read+write".

nivekiam wrote:
Quote:
Is this not a bit contrary?

No, your g2data directory should be in a completely separate location from your gallery2 directory.

They are separate directories for different purposes. gallery2 is where the code is, g2data is where a lot of the data is (the rest is in the database). Gallery needs to be able to write to g2data. For Gallery to function properly it only needs to read its code. However, if you want to download plugins and themes from Site Admin > Plugins > Get More Plugins (tab) you'll need to set the modules and themes directories to 700 as well.

Setting everything to 700, 400, 600, 500, etc., will only work IF Apache is also run as the same user who owns those files and directories. If it's run as a different user, then you need to set the permissions to 701 or 501 for directories and 604 or 404 for files. At which point it really isn't any more secure than 711, 511, 644 or 444.

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Tue, 2010-10-26 00:37
Quote:
Sorry, there was a mix-up. I meant the documentation first states:
"Set the permissions of g2data to 700 (read+write+execute permissions for owner/you, no permissions for anyone else). Apply the permissions recursively (also for all subfolder, files, ...)."

Then, it later states:
"Read+Write for all files in g2data and the files in its subfolders" which does not include execute.

I read it as set 700 for g2data and all sub-directories, set 600 for all files in g2data and sub-files. But yeah, that could be made more clear.


 
JeremyT

Joined: 2010-10-25
Posts: 5
Posted: Tue, 2010-10-26 01:44

I appreciate your persistence in helping!

So, to get this straight. My server is dedicated, but hosting a few different sites. Therefore, I moved from mod_php to fast-cgi. PHP scripts show they're running under different accounts, one per website. This is what it should be, correct?

The g2data folder is outside of the root directory. The g2data directory/sub-directories are set to 700 and all files in those directories are set to 600.

Gallery directories/sub-directories are set to 701 and files in those directories are set to 604. It seems anything else, outside of more permissions, results in 403 errors. Since the webserver is running under apache, which is not the owner of said files, this would all be the best and correct permissions given the environment?

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Thu, 2010-10-28 18:29

Thought I posted a reply to this.

Yeah, that's similar to how I'm set up under my shared host.

See this:
http://gallery.menalto.com/node/82990

I actually don't run that locked down any more because it's a huge pain, but if you're paranoid about some script getting hacked and changing files that your account (or the account that PHP or Apache run as) owns, then making sure those files are not editable is the way to go. Of course, if whatever was vulnerable (WordPress for example) was able to chmod files, and since WordPress is PHP and PHP is running as you and those files are owned by you, then the exploit could simply change permissions and edit the files.

That's being pretty paranoid though and I decided to sacrifice some security for ease of use. I got really tired really fast of changing permissions to edit a file, then changing permissions back.

I just locked down a few key files, like config.php so you do have to jump through an extra hoop to change that file.
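nivekiam's caveat above is the important one: when the PHP process runs as the file owner, read-only modes are a speed bump rather than a wall, because anything executing as that user can chmod the files back. What owner-based lockdown still gives a defender is a baseline to diff against, so that such a change is noticed. The script below is an added example, not code from this thread or from the Gallery project: it records a "mode path" snapshot of a tree and later reports any entry whose mode differs from the baseline. The function names and the temporary tree in the usage note are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the forum thread or the Gallery project).
# Records a permission baseline for a directory tree and detects later
# mode changes, such as a script running as the owner chmod'ing files it
# owns in order to edit them. Run it against a test tree first (see usage).

# Print the octal permission bits of a path (GNU stat first, BSD fallback).
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%OLp' "$1"
    fi
}

# Emit one "mode path" line per file and directory under root, sorted so
# that two snapshots of the same tree can be compared line by line.
snapshot_modes() {
    root="$1"
    find "$root" \( -type f -o -type d \) -print | sort | while IFS= read -r p; do
        printf '%s %s\n' "$(mode_of "$p")" "$p"
    done
}

# Compare a saved baseline file with the live tree.
# Returns 0 when nothing changed; otherwise prints the differing lines
# ("<" baseline, ">" live) and returns 1.
modes_changed() {
    baseline="$1"
    root="$2"
    live=$(mktemp)
    snapshot_modes "$root" > "$live"
    if diff "$baseline" "$live" > /dev/null; then
        rm -f "$live"
        return 0
    fi
    diff "$baseline" "$live" | grep '^[<>]' || true
    rm -f "$live"
    return 1
}
```

Usage: after locking down a tree, save `snapshot_modes /path/to/tree > baseline.txt` somewhere the web user cannot write (the baseline is useless if the same compromised account can rewrite it), and run `modes_changed baseline.txt /path/to/tree` from cron or after any deploy. A nonzero exit with lines like `< 400 .../config.php` and `> 664 .../config.php` is exactly the "exploit changed permissions" case described above, caught before the edited file is trusted.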