[TYPO3] hacking / file permissions
Ries van Twisk
typo3 at rvt.dds.nl
Wed Jun 6 14:44:22 CEST 2007
Hey Georg,
unfortunately there are several methods to run your website, even if you just run apache.
So there is not a single configuration that is good, and the correct configuration
depends on how the webserver is configured.

However it's usually bad to set directories/files world writable, no matter if you
are alone on the server or shared hosted (with or without a chroot environment).

One of the problems is this:
A lot of hosters allow you to FTP your files into your directory, and then you
unpack them. For example you are the user XXX in group WEBUSERS.
However apache (for example) runs under the user apache and group apache.
If you create files with these permissions 0664 and directories with this
permission 0775, then if apache tries to write files, he cannot do that because
the directories were in the wrong user/group and the world permission setting is
for read only.

So what people often advise is to set a directory to 0777 (world writable), but
that means that EVERYBODY can write/delete and insert content to that directory,
which is bad.

Usually typo3 is fairly secure, and if you get hacked 'once a week' then something
is really wrong. However on this guy I didn't really read yet what was hacked (if
hacked at all).
Ries
> Dear Ries,
>
> Ries van Twisk wrote:
>
>> You need to make sure that you have enough right to write,
>> which basically means you run the apache server as the correct user,
>> or you are part of the apache group. (first one is more usual).
>>
>> ...
>>
>> PS: Using the install tool you can setup user/group permissions to
>> let
>> typo3 write as the correct user including permissions.
>
> As this issue
>
> - is _so_ important to _every_ TYPO3 driven web site,
>
> - and the typical TYPO3 download has nothing, to ensure the right
> permissions (IMHO, unless I have not seen some essentials, again)
>
> - and really _many_ hosters aren't able to do it right
>
> would you mind, to share your knowledge with us?
> As verbose as possible (including *nix user/group setup, the Apache
> user/group setup etc). Addressed at me/us/stupid hosters/the world.
>
> 1. If you wanna be paid for that, just tell me the price by private
> email.
>
> 2. If that info would reveal too much info to potential attackers,
> again, please write a private email to me.
>
> If none of 1/2 applies, your knowledge should be (at least) documented
> in the TYPO3 documentation, but better be incorporated into _every_
> TYPO3 install (say, as a shell script, driven by some user/group IDs
> from the install tool).
>
> Best regards
> --
> ___ ___
> | + | |__ Georg Rehfeld Woltmanstr. 12 20097 Hamburg
> |_|_\ |___ georg.rehfeld.nospam at gmx.de +49 (40) 23 53 27 10
>
> (Delete .nospam from mail address)
> _______________________________________________
> TYPO3-english mailing list
> TYPO3-english at lists.netfielders.de
> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-english
--
Ries van Twisk
Freelance Typo3 Developer
email: ries at vantwisk.nl
web: http://www.rvantwisk.nl/
skype: callto://r.vantwisk
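As an added example (not from Ries's post or from the TYPO3 project), the script below audits a document root for the two problems described in the thread: entries that are world-writable (the "chmod 777" answer) and entries the web server's group cannot write to at all (the FTP-upload-as-user-XXX case). It then applies the alternative the post recommends: group ownership set to the web server's group, directories 0775, files 0664. The document root and the web server group name are assumed to be passed as the first and second arguments; "apache" is only a placeholder.

```shell
#!/bin/sh
# Added example, not code from the mailing list post. Audits a web tree for
# the permission problems described above and applies the 0775/0664 +
# group-ownership alternative to "chmod 777".
# Assumptions: $1 is the document root, $2 is the web server's group name
# (e.g. "apache" or "www-data"); both are placeholders for this example.

# Count entries under $1 that anyone on the host can write (mode has o+w).
# Anything counted here is what "chmod 777" produces and what the post
# warns against: every local account can write/delete there.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Count entries under $1 that a web server running in group $2 cannot
# write: not (owned by group $2 with g+w) and not world-writable. These are
# the entries where a web server process will fail to create/modify files.
count_not_group_writable() {
    find "$1" ! \( -group "$2" -perm -020 \) ! -perm -002 | wc -l | tr -d ' '
}

# Apply the post's recommendation instead of 0777: hand the tree to the web
# server's group, directories 0775, files 0664. The owner (the FTP/shell
# user) and the web server group can both write; everyone else can only read.
fix_tree() {
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod 0775 {} +
    find "$1" -type f -exec chmod 0664 {} +
}

# Usage (after sourcing this file):
#   count_world_writable /var/www/html
#   count_not_group_writable /var/www/html apache
#   fix_tree /var/www/html apache
```

Running the two counters before and after `fix_tree` is a quick check that no entry is left world-writable while the web server can still write where it needs to. Note that `fix_tree` makes the whole tree group-writable; a tighter setup would apply it only to the directories TYPO3 actually needs to write (such as fileadmin, typo3temp and uploads) and leave the rest at 0755/0644.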