g2data chmod 777?

seg

Joined: 2005-09-13
Posts: 4

Posted: Mon, 2006-02-13 07:02

Not sure if this is the correct place to post this. I tried to find where I could report a patch request, but I am still getting used to the Gallery site.

I recently installed G2. I was just speaking with my host's tech support. My Gallery was throwing errors and they ran the command chmod -R 777 on the g2data directory to fix the problem. They weren't too happy that this directory requires chmod 777 since this can leave the gallery open to attacks by hackers. They noted that 766 would be much better. Unfortunately g2data doesn't like 766.

My questions is - if chmod 777 is unsafe, why is it required? Is it possible to get a patch for this?

valiant

Joined: 2003-01-04
Posts: 32509

Posted: Mon, 2006-02-13 07:21

please read up on security on:
http://codex.gallery2.org/index.php/Gallery2:Security

if your host offered php-(fast)cgi / suexec, it would be safer for everyone.

seg

Joined: 2005-09-13
Posts: 4

Posted: Mon, 2006-02-13 17:55

Thank you for the link. I went through and secured my Gallery as much as possible. I understood from the beginning that a shared host is not the most secure environment and a host with php-cgi or php-fastcgi is not as common as a host with Server API is Apache or IIS or Module/mod_php.

I am not an expert with server configurations, but I do understand the chmod 777 leaves directory and files vulnarble. There are many shared hosts who do not meet this security documents specifications. Since so many people are being forced to run vulnerable Galleries while using such hosts, it might be a good idea to figure out a patch of some sort. Just a suggestion.

I have sent the security document on to my host to see what can be done on their end.

valiant

Joined: 2003-01-04
Posts: 32509

Posted: Mon, 2006-02-13 18:52

777 means same permissions for everyone, 7 for the owner, 7 for the group the owner is in, 7 for everyone else.
7 means, read + write + execute permissions.

that means that everyone that has an account on the server can write to your files, delete them, add new files.
users without an account on your system can't do anything, but read the files via the webbrowser.

but even 755 (7 for the owner, 5 for the group, everyone else) is as insecure as 777 on shared webhosting, if the file is owned by the webserver, since all accounts on the webhost can do things via the webserver user.
and g2 requires the webserver to have write permissions on the files. so 777 or 755 doesn't really matter in such an environment.

seg Joined: 2005-09-13 Posts: 4	Posted: Mon, 2006-02-13 07:02
	Not sure if this is the correct place to post this. I tried to find where I could report a patch request, but I am still getting used to the Gallery site. I recently installed G2. I was just speaking with my host's tech support. My Gallery was throwing errors and they ran the command chmod -R 777 on the g2data directory to fix the problem. They weren't too happy that this directory requires chmod 777 since this can leave the gallery open to attacks by hackers. They noted that 766 would be much better. Unfortunately g2data doesn't like 766. My questions is - if chmod 777 is unsafe, why is it required? Is it possible to get a patch for this?
	XUser login Username: * Password: * Create new account Request new password
valiant Joined: 2003-01-04 Posts: 32509	Posted: Mon, 2006-02-13 07:21
	please read up on security on: http://codex.gallery2.org/index.php/Gallery2:Security if your host offered php-(fast)cgi / suexec, it would be safer for everyone.

seg Joined: 2005-09-13 Posts: 4	Posted: Mon, 2006-02-13 17:55
	Thank you for the link. I went through and secured my Gallery as much as possible. I understood from the beginning that a shared host is not the most secure environment and a host with php-cgi or php-fastcgi is not as common as a host with Server API is Apache or IIS or Module/mod_php. I am not an expert with server configurations, but I do understand the chmod 777 leaves directory and files vulnarble. There are many shared hosts who do not meet this security documents specifications. Since so many people are being forced to run vulnerable Galleries while using such hosts, it might be a good idea to figure out a patch of some sort. Just a suggestion. I have sent the security document on to my host to see what can be done on their end.

valiant Joined: 2003-01-04 Posts: 32509	Posted: Mon, 2006-02-13 18:52
	777 means same permissions for everyone, 7 for the owner, 7 for the group the owner is in, 7 for everyone else. 7 means, read + write + execute permissions. that means that everyone that has an account on the server can write to your files, delete them, add new files. users without an account on your system can't do anything, but read the files via the webbrowser. but even 755 (7 for the owner, 5 for the group, everyone else) is as insecure as 777 on shared webhosting, if the file is owned by the webserver, since all accounts on the webhost can do things via the webserver user. and g2 requires the webserver to have write permissions on the files. so 777 or 755 doesn't really matter in such an environment.

g2data chmod 777?

XUser login