Sorry but I have to ask for advice from someone with more understanding of security issues. I have tried to read about it here but I'm still a bit confused. And in this case I'm rather sorry than unsafe. I had a Joomla site hacked some months ago and I'm trying to learn from my mistakes...

Are 777 permissions necessary for the "files" folder? For what? The site runs OK at the moment with 755, but I haven't activated image uploading or any kind of downloading of materials and I suspect things like that might become a problem. And I have to temporarily change permissions when I want to change "settings" in the administration. I can live with that although the site always complains (in red) that "files" is unwritable.

I have this .htaccess file in the files folder:
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks

Is that protection enough for a 777 files folder? And what about sub-folders? Are they also protected or do they need a separate .htaccess file?

I'd appreciate any help!

Ulf

Comments

AjK’s picture

My first thoughts on this are that the "worst case" settings for the directory permissions should be 775 where the files/ directory is put into the same group as the httpd server is running as (better still is 770, why let anyone other than yourself and those in the webserver group see the files?).

You only need to do this if you are allowing uploads by anyone however. If you're security aware (or just paranoid ;) 750 would be fine and swap to 770 or 777 just when you are uploading, then set it back again.

777 combined with "Options +FollowSymLinks" isn't so smart a move. If you are running files/ with 777 permissions then I would have "Options -FollowSymLinks" (or just delete it as you have an explicit "Options None" there anyway).

Anansi’s picture

Thanks for the advice and the word "security aware". I used to call my paranoia "Post Hacked Stress Syndrome" [the world is dominated by invisible evil hackers] but now I realize it is really a case of "heightened security awareness" ;)

Anyway CHMOD 750 proved to be a total cure for it. The site works with that too.

And the 770 gets rid of the error messages which is kind of comforting. Should the +FollowSymLinks be removed also with that or the 775 option?

cog.rusty’s picture

re FollowSymLinks, it was added because otherwise people couldn't preview their uploaded pictures after editing a node. If you don't care, delete it.

re your question about the subdirectories of 'files', .htaccess directives cascade down to all subdirectories.

re 770 and 775, I haven't found any host so far who would allow me to put apache in my group.
So, it is very simple for me:
- 770 = no Drupal uploads and downloads.
- 775 = no Drupal uploads
- 777 if I want uploads and downloads
Of course if you control your server things are different.

Another way is to use 755 directories owned by apache. But this is not much safer. If someone gets into the server and can mess with your 777 files, then s/he can probably also run a script, just like Drupal, to mess with 755 directories owned by apache.

Security is one thing. Whether you can do any useful work is another. How much you will lose if things go wrong is another.

---------

Edited to add: Now that I think of it, making someone as popular and accessible to scripts as apache a member of your group does not seem to add much to security on a shared host.
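As an added illustration of the 770/775/777 table above and of AjK's "put apache in your group" variant (example code written for this page, not from the thread or from Drupal), the helper below evaluates what the httpd process can do with a files/ directory of a given octal mode. It assumes, as the thread does, that serving downloads needs read+execute on the directory and that uploads need write+execute; "other" is the shared-host case where apache is not in your group, "group" is the case where it is.

```shell
#!/bin/sh
# Added example, not part of the original thread. Evaluates what the web server
# user can do with a files/ directory of a given octal mode, depending on
# whether it is the owner, a member of the directory's group, or "other".
# Assumption (from the thread): serving = r+x on the directory, uploads = w+x.

# perm_digit MODE CLASS -> the single octal digit for CLASS (owner|group|other)
perm_digit() {
    mode=$1
    case ${#mode} in 4) mode=${mode#?} ;; esac   # drop a leading setuid/setgid/sticky digit
    case $2 in
        owner) printf '%s' "$mode" | cut -c1 ;;
        group) printf '%s' "$mode" | cut -c2 ;;
        other) printf '%s' "$mode" | cut -c3 ;;
    esac
}

# httpd_access MODE CLASS -> prints one of: none, serve, upload, serve+upload
httpd_access() {
    d=$(perm_digit "$1" "$2")
    r=$(( (d >> 2) & 1 )); w=$(( (d >> 1) & 1 )); x=$(( d & 1 ))
    out=""
    if [ "$r" -eq 1 ] && [ "$x" -eq 1 ]; then out="serve"; fi
    if [ "$w" -eq 1 ] && [ "$x" -eq 1 ]; then out="${out:+$out+}upload"; fi
    printf '%s\n' "${out:-none}"
}

# The thread's two situations side by side: httpd as "other" (typical shared
# host) versus httpd in the same group as the directory (you control the box).
for m in 750 770 775 777; do
    printf '%s  httpd-as-other: %-12s  httpd-in-group: %s\n' "$m" \
        "$(httpd_access "$m" other)" "$(httpd_access "$m" group)"
done
```

Run it and the printed rows reproduce the table: 770 gives "other" nothing, 775 gives serve only, 777 gives serve+upload, while with apache in the group 770 and 775 already allow both.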

Anansi’s picture

Thank you AjK and CogRusty for your fast and helpful answers. This really makes my options very clear. It would have taken me months to figure these things out by myself!

Ulf

cog.rusty’s picture

Anansi’s picture

Thanks, it's a very valuable resource. Will probably help me through the installation problems I expect on my second install of Drupal on another (cheaper) webhost. The Troubleshooting FAQ is really very educating.

And I'm so happy I finally dared to leave Joomla, there is nothing I miss and so much I can do with Drupal! The live site is now doing exactly what it needs to do (I'm creating a community for Scandinavian educators using storytelling methods). But I will play around with a test site with 5.0 and see what I can learn about the more advanced possibilities.