setting folder permissions correctly
When using things like the imagemanager and file manager, what permissions do I set on the server so that the imagemanager and file manager can write/rewrite/delete files and folders in that directory, but still have proper security from hackers detecting the directory and writing malicious files to it?
I recently had a hacker upload phishing files and it's a pain. How do I stop this from happening again without cutting the functionality of the xinha editor with the image manager?
site [url]www.paradigmprint.com[/url]
Depends on your server environment. How did the "hacker" upload the phishing files, through one of the Xinha plugins? Are you allowing uploading of files (through Xinha) to any old Joe Bloggs off the street?
In general, the PHP process needs to have write access to where it will write the files, some servers run PHP as mod_php which means it will run as the webserver's account ("nobody" or "www-data" usually), and so your directories probably need to be world writable. Some servers will run PHP code as your own user account, so your directories only need to be user-writable.
James Sleeman
If your environment is set up to use mod_php (in other words, PHP runs as the web server user and not your user account) then your upload files/directories must be world-writable as gogo suggested, OR they might be chowned by the web server user (although it's usually harder to manage, as you could not e.g. delete these files via FTP).
You could write the PHP script to change file permissions and ownership. The simplest way is to create the upload directories by PHP script without specifying permissions (mkdir() function); this way all the directories will be automatically chowned by the web server user.
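The approach described above, creating the upload directory from PHP so it is owned by the PHP process user and then checking whether 0777 is really needed, as an added example (not Xinha's own code; the `images` path and the availability of the posix extension are assumptions):

```php
<?php
// Added example, not part of Xinha or the ImageManager plugin.
// Creates the upload directory from within PHP (so mod_php's user owns it),
// then reports owner, mode and whether the world-write bit can be dropped.
// Assumes the posix extension is available, as it usually is on Linux builds.

function prepare_upload_dir(string $dir): array
{
    // mkdir() from PHP makes the running PHP user (e.g. www-data) the owner.
    if (!is_dir($dir) && !@mkdir($dir, 0755, true)) {
        $err = error_get_last();
        return ['ok' => false, 'reason' => 'mkdir failed: ' . ($err['message'] ?? 'unknown')];
    }
    clearstatcache(true, $dir);

    $owner = fileowner($dir);
    $self  = function_exists('posix_geteuid') ? posix_geteuid() : null;

    // If PHP itself owns the directory, 0755 is enough; remove the world-write bit.
    if ($self !== null && $owner === $self && ((fileperms($dir) & 0002) !== 0)) {
        @chmod($dir, 0755);
        clearstatcache(true, $dir);
    }

    $mode = fileperms($dir) & 0777;
    return [
        'ok'             => true,
        'dir'            => $dir,
        'owner_uid'      => $owner,
        'php_uid'        => $self,
        'owned_by_php'   => $self !== null && $owner === $self,
        'mode'           => sprintf('%04o', $mode),
        'world_writable' => ($mode & 0002) !== 0,   // true means 777-style exposure
        'php_can_write'  => is_writable($dir),
    ];
}

// Hypothetical upload path; adjust to the ImageManager's configured directory.
$report = prepare_upload_dir(__DIR__ . '/images');
foreach ($report as $key => $value) {
    printf("%-15s %s\n", $key, var_export($value, true));
}
```

If `owned_by_php` is false and `php_can_write` is only true because `world_writable` is true, the directory is in the 777 situation the thread describes and only the hosting setup (phpsuexec, CGI/FastCGI, open_basedir) can narrow it.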
Only admins have access to the Xinha editor. I've got the directories CHMOD to 777 which is the only way image uploads work through the imagemanager. I've tried other permissions and they don't work so the server must run php as itself and not as the account owner/user.
Isn't having a directory "world" writable a dangerous loophole for hackers? How do you protect the directory from someone randomly putting files on there, not through Xinha, but directly into the directory?
site [url]www.paradigmprint.com[/url]
Isn't having a directory "world" writable a dangerous loophole for hackers? How do you protect the directory from someone randomly putting files on there, not through Xinha, but directly into the directory?
Yes, it is a potential security hole, although usually that's the way all PHP applications are set up because of the way the mod_php Apache module is written (or, rather, the way Apache runs its modules). On a shared hosting this means that any other server user might write to your directory, and, as such, e.g. any PHP script that was uploaded via a different security hole on a different account.
Unfortunately, on a shared hosting you can do nothing: PHP must be able to access the upload directory, and, as such, every user on this server might create a PHP file which would be able to access it. Some hosting servers use phpsuexec so that PHP runs with user account credentials. Also probably running PHP as CGI/FastCGI could help (although I don't know). Also there is something like the open_basedir restriction (look at Google). Basically, there's nothing you can do by yourself if you don't administer your server.
If you're worried about 777 permissions, you could, like I said, chown the directory and files by the PHP/Apache user account, but still, any other PHP file on the server would be able to write to it.
This IS a security hole as you stated, but basically every PHP application installed on shared hosting that requires having write access has the same problem.
Cheers,
Krzysztof Kotowicz