[TYPO3] hacking / file permissions

Andreas Becker ab.becker at web.de
Wed Jun 6 04:26:50 CEST 2007


Hi Tracey

The installation through Fantastico isn't the best. We had similar problems, and
since we started using the TYPO3 installation from webempoweredchurch the
hacking was gone. They also provide a good tutorial on how to secure your
installation. As their package is based on the TYPO3.org download it is
"closed"; WEC provides a script that sets only those folders readable
which are really needed by TYPO3.

Have a look here and check it out: www.webempowerdchurch.org (.com = forum)

Nevertheless, those open folders are then still 777.

To secure your TYPO3 you have to do exactly what the install tool is telling
you.

Go inside the install tool
All Configuration

[fileCreateMask] File mode mask for Unix file systems (when files are
uploaded/created).

[BE][fileCreateMask] = 0660

[folderCreateMask] As above, but for folders.

[BE][folderCreateMask] = 0770

[createGroup] Group for newly created files and folders (Unix only).
Group ownership can be changed on Unix file systems (see above). Set this if
you want to change the group ownership of created files/folders to a
specific group. This makes sense in all cases where the webserver is running
with a different user/group than you do. Create a new group on your system and
add yourself and the webserver user to the group. Now you can safely set the last
bit in fileCreateMask/folderCreateMask to 0 (e.g. 770). Important: The user
who is running your webserver needs to be a member of the group you specify
here! Otherwise you might get some error messages.

[BE][createGroup] = nobody


-----------------

Find these entries and change them to the settings shown here. I guess that
you are on a shared hoster?
Before you do it you should check if you have

SSH access

AND
if your hoster is willing to always change your folders/files back to
user:nobody.

You will need your hoster to change the group settings of your files as you
won't have the rights to do this.
Your files created by TYPO3 will have nobody:nobody settings and won't be
readable by your cPanel or FTP - but you can use QuiXplorer from inside
TYPO3!
Files and folders created by cPanel and FTP will be user:user, and with
settings 770/660 TYPO3 will have problems reading them too. So the only
solution will be to mix both settings as described in the install
tool.

--------
Hi community,
If someone has a better solution we would also prefer to hear about it.
What exactly should be the most secure settings on a shared hoster, so that on
the one side you have a safe environment and on the other side are still
able to access your files WITHOUT always contacting your hoster?

Imhosted support - which is great - one of our shared hosters meanwhile
more or less belongs to our company ;-) because of all this, but it is
sometimes boring to wait - even though they have 24h support - until you are
able to access your files and folders again.

We have chosen this way with the hoster as we haven't found another way to
do it, BESIDES getting a vhost or your own dedicated server where you have
admin rights (but probably also all the problems of securing your server against
everything else that could occur to get it hacked).

Andi


2007/6/6, Tracey Hummel <tracey at uainfo.arizona.edu>:
>
>
> How does the upload of files from the fileadmin work without
> world-writable subdirectories?
>
> Fantastico installs of typo3 appear to leave everything wide open.
>
> Thank you,
> Tracey
>
>
>
>
> On Tue, 5 Jun 2007, Ries van Twisk wrote:
>
> > hey Tracey,
> >
> > you need to check how and what happens really closely.
> > Then you can possibly track back how you are getting hacked.
> >
> > In any case, one advice is to NEVER set a file
> > to world writable. Ask your webhoster what the proper
> > permissions are for your user and group that runs
> > your server under. He should know, if he doesn't know
> > then find a hoster that does know. But never make a
> > directory or file world writable.
> >
> > Ries
> >
> >
> > On Jun 5, 2007, at 7:18 PM, Tracey Hummel wrote:
> >
> >>
> >> I have a couple of typo3 sites on hostrockets.com that get hacked almost
> >> weekly.  I've implemented as many of the security suggestions as possible
> >> in Security Cookbook at: http://typo3.org/teams/security/
> >>
> >> I tried setting all subdirectories to non-world writable even though this
> >> disables image and file uploads.
> >>
> >> Is there a list somewhere showing the necessary permissions for each
> >> subdirectory and that shows which files need to be world writable?
> >>
> >> Thank you,
> >> Tracey
> >>
> >>
> >> _______________________________________________
> >> TYPO3-english mailing list
> >> TYPO3-english at lists.netfielders.de
> >> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-english
> >
> > --
> > Ries van Twisk
> > Freelance Typo3 Developer
> > email: ries at vantwisk.nl
> > web:   http://www.rvantwisk.nl/
> > skype: callto://r.vantwisk
> >
> >
> >
> >
> >
>
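The scheme Andreas quotes from the install tool (files 0660, folders 0770, a group shared by the web server user and your own account, and nothing world-writable) can be audited and applied from a shell. The script below is an added example for this thread, not code from TYPO3, WEC or any of the posters. It builds a small constructed directory tree that mimics a wide-open Fantastico-style install, counts the world-writable entries, reads the two create masks out of a typo3conf/localconf.php in the TYPO3 4.x `$TYPO3_CONF_VARS['BE'][...]` syntax, and then applies 2770/0660. The group name "typo3web", the paths and the sample files are assumptions; the setgid bit on the folders (2770 instead of the quoted 0770) is an addition so that uploads inherit the shared group. The chgrp step only works if the account running the script is a member of the target group, which on a shared host is exactly the part the thread says the hoster has to do for you.

```shell
#!/bin/sh
# Added example for this thread (not code from TYPO3, WEC or the posters):
# audit a TYPO3 document root for world-writable entries and apply the
# install-tool scheme instead of 777/666:
#   folders 0770 (here 2770: the setgid bit makes new entries inherit the
#   directory's group), files 0660, everything group-owned by a group that
#   both the web server user and your SSH/FTP user belong to.
# The group name "typo3web", the paths and the sample tree are assumptions.

# Number of world-writable files or directories below $1 (should be 0).
count_world_writable() {
    find "$1" -perm -0002 | wc -l | tr -d ' '
}

# Octal mode of a path (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# Apply folders 2770 / files 0660. Group ownership is changed only when the
# calling user is a member of the group; on a shared host that is normally
# not the case and, as the thread says, the hoster has to do it.
harden_tree() {
    root=$1
    group=${2:-}
    find "$root" -type d -exec chmod 2770 {} +
    find "$root" -type f -exec chmod 0660 {} +
    if [ -z "$group" ]; then
        return 0
    fi
    if id -Gn | tr ' ' '\n' | grep -qx "$group"; then
        chgrp -R "$group" "$root"
    else
        echo "note: $(id -un) is not in group '$group'; ask your hoster to chgrp" >&2
    fi
}

# Read [BE][fileCreateMask] / [BE][folderCreateMask] from a typo3conf/
# localconf.php (TYPO3 4.x syntax assumed) and flag any mask whose last
# octal digit still grants write permission to "other".
check_create_masks() {
    for key in fileCreateMask folderCreateMask; do
        val=$(sed -n "s/.*\['BE']\['$key'] *= *'\([0-7]*\)'.*/\1/p" "$1" | tail -n 1)
        if [ -z "$val" ]; then
            echo "$key: not set"
        else
            case "$val" in
                *[2367]) echo "$key = $val: world-writable, change it" ;;
                *)       echo "$key = $val: ok" ;;
            esac
        fi
    done
}

# Constructed sample tree mimicking a wide-open Fantastico-style install.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/fileadmin/user_upload" "$root/typo3conf" "$root/uploads/pics"
    printf 'GIF89a' > "$root/fileadmin/user_upload/logo.gif"
    cat > "$root/typo3conf/localconf.php" <<'EOF'
<?php
$TYPO3_CONF_VARS['BE']['fileCreateMask'] = '0666';
$TYPO3_CONF_VARS['BE']['folderCreateMask'] = '0777';
?>
EOF
    chmod 755 "$root" "$root/typo3conf" "$root/uploads"
    chmod 777 "$root/fileadmin" "$root/fileadmin/user_upload" "$root/uploads/pics"
    chmod 666 "$root/fileadmin/user_upload/logo.gif"
    chmod 640 "$root/typo3conf/localconf.php"
    printf '%s\n' "$root"
}

# Demo: before/after report on the constructed tree.
root=$(make_sample_tree)
echo "world-writable entries before: $(count_world_writable "$root")"
find "$root" -perm -0002
check_create_masks "$root/typo3conf/localconf.php"
harden_tree "$root" typo3web
echo "world-writable entries after:  $(count_world_writable "$root")"
rm -rf "$root"
```

Run it against a real document root by replacing the constructed tree with your path (and dropping the final `rm -rf`). Once the tree is 2770/0660 and group-owned by the shared group, files created through cPanel or FTP by your own account and files created by the web server user both stay readable and writable to each other without any 777 directory, which is the mix of settings the install tool text above describes.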


More information about the TYPO3-english mailing list