[TYPO3] hacking / file permissions

Ries van Twisk typo3 at rvt.dds.nl
Wed Jun 6 04:07:24 CEST 2007


On Jun 5, 2007, at 8:59 PM, Tracey Hummel wrote:

>
> How does the upload of files from the fileadmin work without
> world-writable subdirectories?
>
> Fantastico installs of typo3 appear to leave everything wide open.

Apparently fantastico is not fantastico...

You need to make sure that you have enough rights to write,
which basically means you run the Apache server as the correct user,
or you are part of the Apache group (the first one is more usual).

If you get this from your hoster, then you should seriously complain  
to them.

PS: Using the install tool you can set up user/group permissions to let
TYPO3 write as the correct user including permissions.

Ries

>
> Thank you,
> Tracey
>
>
>
>
> On Tue, 5 Jun 2007, Ries van Twisk wrote:
>
>> hey Tracey,
>>
>> you need to check how and what happens really closely.
>> Then you can possibly track back how you are getting hacked.
>>
>> In any case, one piece of advice is to NEVER set a file
>> to world writable. Ask your webhoster what the proper
>> permissions are for your user and group that runs
>> your server under. He should know, if he doesn't know
>> then find a hoster that does know. But never make a
>> directory or file world writable.
>>
>> Ries
>>
>>
>> On Jun 5, 2007, at 7:18 PM, Tracey Hummel wrote:
>>
>>>
>>> I have a couple of typo3 sites on hostrockets.com that get hacked
>>> almost
>>> weekly.  I've implemented as many of the security suggestions as
>>> possible
>>> in Security Cookbook at: http://typo3.org/teams/security/
>>>
>>> I tried setting all subdirectories to non-world writable even
>>> though this
>>> disables image and file uploads.
>>>
>>> Is there a list somewhere showing the necessary permissions for each
>>> subdirectory and that shows which files need to be world writable?
>>>
>>> Thank you,
>>> Tracey
>>>
>>>
>>> _______________________________________________
>>> TYPO3-english mailing list
>>> TYPO3-english at lists.netfielders.de
>>> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-english
>>
>> -- 
>> Ries van Twisk
>> Freelance Typo3 Developer
>> email: ries at vantwisk.nl
>> web:   http://www.rvantwisk.nl/
>> skype: callto://r.vantwisk
>>

-- 
Ries van Twisk
Freelance Typo3 Developer
email: ries at vantwisk.nl
web:   http://www.rvantwisk.nl/
skype: callto://r.vantwisk
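
The advice in this message (nothing world-writable, write access granted through the web server's user or group instead), as an added example that is not part of the original thread. The function names, the script name `fixperms.sh`, the site path and the group argument are assumptions; use the user and group your hoster actually runs the server under.

```shell
#!/bin/sh
# Added example: find and repair world-writable entries under a web root.
# The site path and group name passed in are assumptions for your hoster.

# Print every file or directory under $1 whose "other" write bit is set.
# Symlinks are skipped: their own mode bits carry no meaning.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Number of world-writable entries under $1 (0 means the tree is clean).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Swap world-write for group-write on world-writable files and directories.
# $2 (optional) is the group the web server runs in; when given, the tree
# is handed to that group first so the server can still write uploads.
fix_world_writable() {
    root=$1
    group=${2:-}
    if [ -n "$group" ]; then
        chgrp -R "$group" "$root" || return 1
    fi
    # Directories also get setgid so new files inherit the directory's group.
    find "$root" -type d -perm -0002 -exec chmod o-w,g+ws {} +
    find "$root" -type f -perm -0002 -exec chmod o-w,g+w {} +
}

# Usage: sh fixperms.sh /path/to/site [webserver-group]
# Audits by default; set FIX=1 to apply the change as well.
if [ -n "${1:-}" ]; then
    list_world_writable "$1"
    if [ "${FIX:-0}" = 1 ]; then
        fix_world_writable "$1" "${2:-}"
    fi
fi
```

Only entries that were world-writable are touched, so files that were already restricted keep their modes.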





