From: Damian P. <da...@da...> - 2006-03-03 18:57:47
On Fri, Mar 03, 2006 at 07:09:20PM +0100, kan...@gm... wrote:
> Hi people,
>
> imho it's not very good that setup.sh gives apache chmod +w on the
> template directory.
> it's not very secure for shared hostings and I also think, that the
> novice user does not know about the risks of such permissions.
> I propose that setup.sh should not give apache write permissions on
> default. It should be an optional behavior, because I think very few
> people would use the "edit templates" feature of TW.

As I've said many times before db/ dump/ styles/ templates/ backups/ and
the whole array of others have no meaning to be apache writable after you
have your site configured and setup.

Last time I got plopped on, so maybe now that others are having the same
ideas something will get done.

> I talked about this today on IRC with sylvieg, and she told me that
> there is an article on "how to secure tw" already on tw.o.
> That's good of course, but I think a novice/average user expects a
> software to set permissions as secure as possible by default. Very few
> of them would read the article, I think they even don't know about that
> article.
>
> However, I think setup.sh shouldn't give apache write permissions by
> default.

That is why in MeteorCMS I only have one apache writable directory
required by the initial site setup. You are certainly not alone in this
thinking.

--
Damian Parker
http://www.damosoft.co.uk
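
An added example, not part of the original message and not code from setup.sh: a post-install check for the directories named above, listing what is still group- or other-writable and removing those bits from everything except directories the site must keep writing to. The function names and the `KEEP` argument are hypothetical, and it assumes the web server reaches these directories through group or other permission bits rather than as their owner.

```shell
#!/bin/sh
# Added example: audit and tighten the directories listed in the message.
# Assumption: apache gets write access via group/other bits, not ownership.
TW_DIRS="db dump styles templates backups"

# Print every path under the named directories of ROOT that still carries
# a group-write or other-write bit (symlinks are skipped).
audit_writable() {
    root=$1
    for d in $TW_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" \( -perm -020 -o -perm -002 \) ! -type l -print
    done
}

# Remove group/other write from the named directories, except those listed
# in KEEP (space-separated), e.g. one directory the running site needs.
lock_down() {
    root=$1
    keep=" ${2:-} "
    for d in $TW_DIRS; do
        [ -d "$root/$d" ] || continue
        case "$keep" in *" $d "*) continue ;; esac
        chmod -R go-w "$root/$d"
    done
}

# Stand-alone use: ./audit.sh /path/to/site  (report only, changes nothing)
if [ "$#" -ge 1 ]; then
    audit_writable "$1"
fi
```

Run the audit first and review its output; `lock_down` is only appropriate once initial site setup is finished, since the installer may need write access before that.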