
777 folder/file permission security | Forum

Martin Baso Apr 27 '16
Dear Oxwall team,

You recommend setting the folder and file permissions to 777 for the following folders and the files inside them:

ow_pluginfiles
ow_userfiles
ow_static
ow_smarty/template_c

777 full permissions are not recommended in general. Is there any exception why this should not be a potential security issue for Oxwall? Can we set up lower permissions like 755 or similar just to improve the security?

Looking forward to your feedback.

Martin
dave (Leader) Apr 27 '16
Hi Martin,

Please wait for an official answer from the team on this one before changing anything.

But I did test by making a copy of the ow_pluginfiles folder and placing it above the public_html and then defining the folder location inside of the config file.

For example: define('OW_DIR_PLUGINFILES', '/home/username/ow_pluginfiles/');

and it did seem to work. However I have not tested the other folders and this is NOT an official Oxwall remedy so please wait for their reply. I just wanted to share what I tested with you so maybe this might work but ask them first, they are the experts.

Thanks dave


Martin Baso Apr 27 '16
Thanks for your feedback. I will stay tuned for further feedback. I can imagine that this moving can improve the security but on the other side probably any site or plugin update could be hammered.

What about keeping the folders where they are and just restricting the permissions? Would it work?

Thanks

Martin
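As an added illustration of Martin's question (not code from Oxwall or from anyone in the thread), the script below takes a tree with the four directories set to 777, replaces that with group-writable 775/664, drops a deny rule for script extensions into each directory, and counts what is left world-writable. It assumes the web server runs as a user in the group that owns the tree and that Apache 2.4 honours .htaccess there; on a host where that is not the case, 775 will break writes, which is why the vendor keeps 777 as its stated requirement and Oxwall ships its own .htaccess rules.

```shell
# Added example, not Oxwall's own code: the two defences discussed in the thread
# applied to the directories Oxwall needs writable, then audited. Assumes the web
# server runs as a user in the group owning the tree (so 775/664 replaces 777).
OW_WRITABLE_DIRS="ow_pluginfiles ow_userfiles ow_static ow_smarty/template_c"

# Group-writable instead of world-writable modes for everything under $1.
harden_modes() {
    find "$1" -type d -exec chmod 775 {} +
    find "$1" -type f -exec chmod 664 {} +
}

# Write an .htaccess into $1 so Apache (2.4 syntax, assumed) serves static files only.
deny_script_execution() {
    cat > "$1/.htaccess" <<'EOF'
# Deny script extensions anywhere in the name (catches upload.php.jpg too).
<FilesMatch "\.(php[0-9]?|phtml|phar|pl|py|cgi|sh)(\.|$)">
    Require all denied
</FilesMatch>
EOF
}

# Number of world-writable entries under $1 (0 is the goal).
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Number of the listed directories under $1 still lacking the deny rule.
count_unprotected() {
    n=0
    for d in $OW_WRITABLE_DIRS; do
        grep -qs 'Require all denied' "$1/$d/.htaccess" || n=$((n + 1))
    done
    echo "$n"
}

# Build a throwaway tree set to 777 as the thread recommends, fix it, and
# print "world_writable_before world_writable_after unprotected_dirs".
demo() {
    umask 022
    root=$(mktemp -d)
    for d in $OW_WRITABLE_DIRS; do
        mkdir -p "$root/$d" && : > "$root/$d/upload.jpg"
        chmod 777 "$root/$d" "$root/$d/upload.jpg"
    done
    before=$(count_world_writable "$root")
    for d in $OW_WRITABLE_DIRS; do deny_script_execution "$root/$d"; done
    harden_modes "$root"
    echo "$before $(count_world_writable "$root") $(count_unprotected "$root")"
    rm -rf "$root"
}
```

Run `demo` against the constructed tree and it reports 8 world-writable entries before, 0 after, and 0 directories without the deny rule; point `harden_modes` and `count_world_writable` at a real Oxwall root only after confirming the group ownership assumption.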
Martin Baso Apr 28 '16
I am not an expert in IT security but what I read and learnt about 777 is that this can leave the site potentially vulnerable. A malicious user can upload PHP, JavaScript, embed malicious code and not sure what else. Therefore I would like to see some arguments why 777 does not pose any security risk. Especially on shared hosting, having 777 is also not a good idea... Please could somebody clarify?
dave (Leader) Apr 28 '16
Martin,

I am not aware of any way to upload anything to a site directory unless you have one of three things:

1. FTP access

2. cPanel access (if using cPanel) or some other panel access.

3. An existing script on the server which allows uploads, such as an image uploader.

Other than that, unless they hack your account, I am not aware of any way that anyone can upload anything.

The 777 simply gives the server full access to read, write, and execute what is already there in those folders.

That is my understanding.

Dave

:)

The Forum post is edited by dave Apr 28 '16
ross (Team) Apr 28 '16
First of all, we got rid of all known and potential security holes, but even if a "hacker" uploads something to the server, he won't be able to run the script due to the .htaccess condition; other folders are not accessible via browser.
Martin Baso Apr 28 '16
Guys, thanks for the clarification, so .htaccess stops PHP scripts running in ow_userfiles, that is fine. But what if somebody embeds or uploads JavaScript? JavaScript runs locally on a client's PC so .htaccess cannot block it.

Also another question in terms of security: I hope there is a protection so that users cannot publish iframes or embed them (except for YouTube and similar trusted sources for video).

Can we restrict the access rights so anybody can read and write but not execute? Would it work?

ross (Team) Apr 28 '16
Martin, even if you upload some JavaScript file to ow_userfiles, how would you run it?

As to the iframes, you can either restrict the use of HTML on the users' part, and you can declare which iframes of which video resources to use. As far as I know all forms in Oxwall will reject input if you use JavaScript or iframes.

ross (Team) Apr 28 '16
Permissions should be set to 777; that is our requirement for the software to work properly.
dave (Leader) Apr 28 '16
If you are referring to someone pasting JS into a form input field then not to worry, there are standard filters and security methods used to clean that out during the form submit process. It is standard procedure nowadays.

I only know of one place right now regarding a form where this is possible and I don't believe it causes any security risk.

The Forum post is edited by dave Apr 28 '16
Martin Baso Apr 28 '16
Thanks for your feedback. OK, then all is fine.
Martin Baso Apr 29 '16
Just one comment. I phoned my web hosting company. They said that I can set the permissions to 777 (folders and files) and their Apache is configured to a maximum of 755 even if users set 777. Also they said that the folders/files set to 777 behave like 777, even if Apache is generally configured as 755 due to security.

So Oxwall should work fine, but I am confused how Apache can be configured as 755 in general and keep 777 functionality in case any user sets it up in his public_html folder.