From: Geoff S. <ge...@ho...> - 2003-02-16 22:08:35
|
Mike:

There are two scripts. But, they both require shell access which many people don't have.

Yes, I did look at security.txt. Here's the relevant portion (which I quoted in my post):

DO IT YOURSELF:
Use this only if you know that your are doing!!!
for setup /conf needs write access
for run you need these writeable
/mod/*/docs
/mod/*/templates
/docs
/images
/.htaccess

As I mentioned, there is user, owner, and group read, write, and execute. I looked at the shell script and it appears that these items should be set to 777 (read, write, execute access for everyone). But, even though that's what the shell script says, that doesn't seem right to me.

Geoff

>> On Sun, 2003-02-16 at 12:11, Geoff Staples wrote:
>> > I'm concerned about the security setup and also rather frustrated.
>> >
>> > Anyone want to relieve my anxiety or have an idea about how to handle
>> > this?
>> >
>> > The statement in the security documentation that some files need to be
>> > "writable" is not very helpful. I looked at the shell script and it
>> > appears that what this means is 777 (read, write, and execute for
>> > users, owner, and groups).
>> Geoff,
>> There are two scripts for RC4. One is for people with root access, and
>> the other is for people without root access. If you can't use the root
>> version, make sure to keep local backups of your phpWS install. This is
>> a good idea anyway.
>> secure_phpws.sh
>> NONROOT_secure_phpws.sh
>> http://res1.stddev.appstate.edu/horde/chora/cvs.php/phpwebsite/setup
>> > I seem to have a number of things that aren't working on my test
>> > installation that I'm guessing are file permission related.
>> >
>> > But, without any confidence that the security is setup properly or that
>> > I even know how permissions should be setup is quite frustrating. The
>> > manual instructions state that you shouldn't do a manual security setup
>> > unless you know what you are doing. Well. OK. But, what are the
>> > settings actually supposed to be? I set my test installation using
>> > the guidelines. (Don't know if it is correct because I had to guess at
>> > what the instructions actually meant.)
>> Did you look in this doc?
>> SECURE.txt
>> http://res1.stddev.appstate.edu/horde/chora/co.php/phpwebsite/docs
>> --
>> Mike Noyes <mhnoyes @ users.sourceforge.net>
>> http://sourceforge.net/users/mhnoyes/
>> http://leaf-project.org/ http://sitedocs.sf.net/ http://ffl.sf.net/
>> -------------------------------------------------------
>> This sf.net email is sponsored by:ThinkGeek
>> Welcome to geek heaven.
>> http://thinkgeek.com/sf
>> _______________________________________________
>> Phpwebsite-developers mailing list
>> Php...@li...
>> https://lists.sourceforge.net/lists/listinfo/phpwebsite-developers

Geoff Staples
Hostricity Web Hosting
www.Hostricity.com
214.599.0260
ge...@ho...
3883 Turtle Creek Blvd., Suite 1812
Dallas, Texas 75219
|
From: Geoff S. <ge...@ho...> - 2003-02-18 02:53:16
|
Mike:

I've never needed shell access to install phpWebSite, or for that matter any of the Open Source software we use. The 50 or 60 phpWebSite sites we host were not installed with shell access.

If the new standard for phpWebSite is that it will be built so that it is convenient for those with shell access to install and living hell for those who don't, please say so now. I've asked this question previously and been told repeatedly that shell access is not required.

Again, if the plan is for shell access to be a requirement, I need to know it now before I spend my money developing modules for phpWebSite.

I'll be disappointed. But, I'll find another CMS I can live with.

Geoff

>> On Sun, 2003-02-16 at 14:08, Geoff Staples wrote:
>> > There are two scripts. But, they both require shell access which many
>> > people don't have.
>> Geoff,
>> PhpWebSite has always required shell access to install. I think this is
>> a fairly standard requirement for installing a CMS.
>> c m s I n f o . o r g
>> http://www.cmsinfo.org/
>> > Yes, I did look at security.txt. Here's the relevant portion (which I
>> > quoted in my post):
>> <snip>
>> > As I mentioned, there is user, owner, and group read, write, and
>> > execute. I looked at the shell script and it appears that these items
>> > should be set to 777 (read, write, execute access for everyone). But,
>> > even though that's what the shell script says, that doesn't seem right
>> > to me.
>> It is if you don't have root access, or know someone (hosting admin)
>> that does.
>> Note: only a few directories and one file are given world writable
>> settings using the NONROOT_secure_phpws.sh.
>>
>> chmod 777 ../.htaccess
>> chmod -R 777 ../images/
>> chmod 777 ../conf/branch/
>> --
>> Mike Noyes <mhnoyes @ users.sourceforge.net>
>> http://sourceforge.net/users/mhnoyes/
>> http://leaf-project.org/ http://sitedocs.sf.net/ http://ffl.sf.net/

Geoff Staples
Hostricity Web Hosting
www.Hostricity.com
214.599.0260
ge...@ho...
3883 Turtle Creek Blvd., Suite 1812
Dallas, Texas 75219
|
From: Mike N. <mh...@us...> - 2003-02-18 04:09:10
|
On Mon, 2003-02-17 at 18:53, Geoff Staples wrote:
> I've never needed shell access to install phpWebSite, or for that
> matter any of the Open Source software we use. The 50 or 60 phpWebSite
> sites we host were not installed with shell access.

Geoff,
Then obviously I'm incorrect. However, every install I've done required shell access to set file/directory permissions, modify config.php, etc. My install experience differs considerably from yours, and it may have to do with the hosting providers we use.

ref. phpWS 0.9x install HOWTO for SF (final draft)
https://sourceforge.net/mailarchive/message.php?msg_id=2145771

> If the new standard for phpWebSite is that it will be built so that it
> is convenient for those with shell access to install and living hell
> for those who don't, please say so now. I've asked this question
> previously and been told repeatedly that shell access is not required.
>
> Again, if the plan is for shell access to be a requirement, I need to
> know it now before I spend my money developing modules for phpWebSite.
>
> I'll be disappointed. But, I'll find another CMS I can live with.

I'm not a phpWebSite project member. Nor am I affiliated with Appalachian State University. I'm just an involved user. Matthew McNaney and Brian W. Brown are in charge of the phpWebSite project. What they say goes.

phpWebSite project members
https://sourceforge.net/project/memberlist.php?group_id=15539

--
Mike Noyes <mhnoyes @ users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/ http://sitedocs.sf.net/ http://ffl.sf.net/
|
From: Eloi G. <el...@re...> - 2003-02-18 14:54:35
|
> I've never needed shell access to install phpWebSite, or for that
> matter any of the Open Source software we use. The 50 or 60 phpWebSite
> sites we host were not installed with shell access.

You don't need shell access. I don't have it & I've installed all rc's in no time flat. All you need to do is unzip the files on your own system, FTP them up to your host and change a few file permissions. My installations take about 20 minutes, and most of that is taken up playing Solitaire while waiting for the FTP to finish. <groan>

It's my understanding that the script was developed to make it easier for those lucky people who have shell access. If you put out the cash for your own server or talk your host into trusting you then you too can use the scripts. Personally, I think that it'd be a waste of time even worrying about it.

BTW, ignore the HOWTO for SF. It's not written for us -- just people that are hosting on SourceForge. My life became a lot easier once I realized that.

> I'll be disappointed. But, I'll find another CMS I can live with.

The installation requirements appear to be the same for every other CMS I've looked at.

-Eloi George-
|
From: Matthew M. <ma...@tu...> - 2003-02-18 13:13:50
|
> Again, if the plan is for shell access to be a requirement, I need to
> know it now before I spend my money developing modules for phpWebSite.
>
> I'll be disappointed. But, I'll find another CMS I can live with.

Geoff,

Don't go :) Let's try to settle this. I am not the Unix guru on the team (Jeremy is) but I hope this should answer your questions.

The shell script (written by Jeremy BTW) was meant to make life easier. Instead of telling people to make certain directories writable, we thought it would be easier to just include a script to assist them. You don't HAVE to use either script.

If you want set_config.php to create your config.php file for you, your conf/ directory must be writable. If it is not, there is an option to save the file and then you can upload it yourself. In any case, once you save your config.php file, you can make the directory root writable only.

The other directory you can make writable is images. If you do not, the modules will not be able to make their image directories during installation. Again, this is not a big problem as you can just create them yourself afterwards. The module image directories do need to be writable to save images however.

Finally, if you want to use textpad to alter docs, you would need to make the docs/ directory writable as well.

0.8.3 had the config file already supplied. Therefore you didn't need to touch the permissions of the directory it was in. However, 0.8.3 did have an image directory and it had to be writable.

So I guess shell access would make your life easier. However, if you did not have shell access, you would need to specify what directories you need to be writable to your sysadmin.

Let me know if that helps.

Best Regards,
Matthew McNaney
Internet Systems Architect
Electronic Student Services
Appalachian State University
Phone: 828-262-6493
phpwebsite.appstate.edu
ess.appstate.edu
|
From: Brian W. B. <br...@tu...> - 2003-02-18 15:23:57
|
A bit of clarification on all of this...

Having shell access makes life easier, and the working assumption has always been that you own your web server and have root access to the system. Security is *always* a relative proposition and we have done everything we can in order to keep phpWebSite as locked down as possible. Developing from this frame of reference allows us to develop the most secure software we can.

Does this mean that you can't run phpWebSite in a hosted environment or that doing so is a 'living hell'? No. Hopefully the following should help those in a hosted environment sort this out.

Anytime phpWebSite writes a file (i.e. the initial creation of the config file) the web server has to have permission to write to the file system. Note that the web server runs as a user, typically the user 'apache'. Therefore any directory that phpWebSite writes to needs to be flagged as writable for that user.

NOTE: This has not changed from version 0.8.x - this is all about web servers and file systems! The workaround for this in 0.8.x if you did not have root access via the shell was to flag the image directories 777 (writable by everyone) so the web server could write the image files. The more secure recommendation in the 0.8.x versions was to have the image directories be flagged as writable by the user 'apache' only.

The point here is that the issue here is all about directory permissions and the fact that whenever phpWebSite does *anything* it is acting as the user that the web server runs as - typically the user 'apache' or 'nobody'. This has not changed from 0.8.x.

0.9.x does more 'neat' things that require that the web server have rights to write to the file system. The shell scripts exist (in root and non-root versions I might add) to make flagging these permissions easier. In cases where flagging a directory with liberal rights is potentially problematic we have gone out of our way (as Matt pointed out) to accommodate those who cannot flag these permissions. In cases such as the config file the file can be uploaded via ftp since the web server need only to have read rights. A small inconvenience.

It should also be noted that the above is true for *ANY* PHP script. The script runs and acts as the user under which the web server runs. *Any* time ANY script interacts with the file system these permission issues exist.

Thanks,
Brian

--
Brian W. Brown
Director, Electronic Student Services
Room 269, John Thomas Hall
Appalachian State University
Boone, NC 28608
vox: 828-262-7124
http://ess.appstate.edu/
http://phpwebsite.appatate.edu/
|
From: Jeremy A. <ja...@tu...> - 2003-02-18 19:46:43
|
Well, I'm not going to beat this to death but I would also like to point this out.

You can simply have the admin of your server run the "./secure_phpws.sh run" file to make your site as secure as it can be. Because really, what admin will want 777 dirs over webserver owned stuff? He/she will simply do a cat on the shell to make sure it is ok to run as root, then run it. About 1-2 minutes tops. This is what admins do, and this is also what you pay for!

--
Jeremy Agee
phpWebSite Development Team (http://phpwebsite.appstate.edu)
Appalachian State University
SF.net id: jagee or 94756
|
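The trade-off discussed in the messages above (777 for hosts without root access versus directories owned by the web server user), as an added example that is not part of any message or of the phpWebSite scripts: a small audit that lists world-writable paths in an install and removes the world-write bit only where the web server user already owns the path. The function names and the `apache` user in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the phpWebSite setup scripts.
# Function names are constructed for this illustration.

# Print every non-symlink entry under $1 that is writable by "other"
# (what chmod 777 leaves behind), one path per line.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print | sort
}

# Octal mode of one path (GNU/busybox stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Drop group/other write from world-writable entries that the web server
# user ($2, name or numeric uid) already owns: the server keeps write
# access through ownership, so 777 is no longer needed there.
# Entries owned by anyone else are left untouched, because removing the
# world-write bit would stop the server writing to them; they are printed
# so they can be handed to the hosting admin for a chown.
tighten_server_owned() {
    find "$1" ! -type l -perm -0002 -user "$2" -exec chmod go-w {} +
    list_world_writable "$1"
}

# Usage (assumed names): sh audit.sh /path/to/phpwebsite apache
if [ "$#" -eq 2 ]; then
    echo "World-writable before:"
    list_world_writable "$1" | while IFS= read -r p; do
        echo "  $(mode_of "$p") $p"
    done
    echo "Still world-writable (not owned by $2):"
    tighten_server_owned "$1" "$2"
fi
```

Paths left in the second list are the ones where 777 is the only thing letting the web server write, which is the case the non-root script covers.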
From: Mike N. <mh...@us...> - 2003-02-16 23:39:27
|
On Sun, 2003-02-16 at 14:08, Geoff Staples wrote:
> There are two scripts. But, they both require shell access which many
> people don't have.

Geoff,
PhpWebSite has always required shell access to install. I think this is a fairly standard requirement for installing a CMS.

c m s I n f o . o r g
http://www.cmsinfo.org/

> Yes, I did look at security.txt. Here's the relevant portion (which I
> quoted in my post):
<snip>
> As I mentioned, there is user, owner, and group read, write, and
> execute. I looked at the shell script and it appears that these items
> should be set to 777 (read, write, execute access for everyone). But,
> even though that's what the shell script says, that doesn't seem right
> to me.

It is if you don't have root access, or know someone (hosting admin) that does.

Note: only a few directories and one file are given world writable settings using the NONROOT_secure_phpws.sh.

chmod 777 ../.htaccess
chmod -R 777 ../images/
chmod 777 ../conf/branch/

--
Mike Noyes <mhnoyes @ users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/ http://sitedocs.sf.net/ http://ffl.sf.net/
|
From: Eloi G. <el...@re...> - 2003-02-17 15:17:41
|
Strange. I stopped changing file permissions with the rc3 & rc4 installations. All Files have the default 755 setting. I haven't had a problem yet.

Php Version: 4.2.2
Web Server: Apache 1.3.26
Operating System: Apache/1.3.26
SQL Server: MySQL 3.23.49

Everything installs/uninstalls OK
Images upload OK
|