#209 wrong security directions about mainfile.php permissions

2.2.1
open-remind
minahito
None
5
2012-07-24
2009-03-30
No

CHMOD 444 (allow group access) is really bad advice for most users. The problem is self-explanatory: in many situations, this method does not protect against attacks from users of the same group. Think about shared hosting users, free hosting users, etc.

Discussion

  • minahito

    minahito - 2009-05-23

    Each hosting server has different settings. So it's difficult to decide the best advice for all users. It's easy to remove the advice as you said. But we should add another piece of advice. I don't know what the best advice is.

    Can you decide it?

     
  • minahito

    minahito - 2009-05-23
    • status: open --> open-remind
     
  • minahito

    minahito - 2009-05-23
    • status: open-remind --> open-later
     
  • minahito

    minahito - 2010-01-17

    Is CHMOD 600 better than CHMOD 444?

     
  • minahito

    minahito - 2010-01-17

    Apache MOD needs CHMOD 404.
    CGI needs CHMOD 400, when the CGI runs with owner-auth. (sys-exec)
    CGI needs CHMOD 404, when the CGI runs without owner-auth. (sys-exec)
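
Added example, not part of the comment above and not XOOPS Cube code: a small shell audit that compares a file's mode with the minimum modes listed in that comment and reports bits that are missing or unnecessary. It assumes the PHP process is either the file's owner ("owner-auth" CGI) or falls in the "other" class (Apache module); the function names and verdict strings are made up for this sketch.

```shell
#!/bin/sh
# Added example (not XOOPS Cube code): compare a file's mode with the minimum
# modes listed in the thread. Assumption: the PHP process is either the file's
# owner ("owner-auth" CGI) or falls in the "other" class (Apache module).

# required_mode yes|no -> minimum mode; argument = "does PHP run as the owner?"
required_mode() {
    case "$1" in
        yes) echo 400 ;;
        no)  echo 404 ;;
        *)   echo "usage: required_mode yes|no" >&2; return 2 ;;
    esac
}

# bits_beyond A B -> octal permission bits set in A but not in B
bits_beyond() {
    printf '%o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# audit_mode ACTUAL yes|no -> one-line verdict
audit_mode() {
    want=$(required_mode "$2") || return 2
    missing=$(bits_beyond "$want" "$1")
    extra=$(bits_beyond "$1" "$want")
    if [ "$missing" != 0 ]; then
        echo "UNREADABLE want=$want missing=$missing"
    elif [ "$extra" != 0 ]; then
        echo "LOOSE want=$want extra=$extra"
    else
        echo "OK want=$want"
    fi
}

# file_mode PATH -> octal mode (GNU stat first, BSD stat as fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: sh audit.sh /path/to/mainfile.php yes|no
if [ $# -eq 2 ]; then
    audit_mode "$(file_mode "$1")" "$2"
fi
```

Under these assumptions 444 is reported as LOOSE in both setups, while 600 is LOOSE (owner-write) when PHP runs as the owner and UNREADABLE when it does not.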

     
  • minahito

    minahito - 2010-01-17

    I will ask someone (Marijuana or GIJOE) in XUGJ or by mail.

     
  • minahito

    minahito - 2010-01-17
    • milestone: --> 899284
     
  • minahito

    minahito - 2010-02-11
    • milestone: 899284 --> 1042216
    • assigned_to: nobody --> minahito
    • status: open-later --> open-accepted
     
  • minahito

    minahito - 2010-02-11

    It's difficult to write operations correctly for UNIX/Linux users. I gave
    up replacing wrong advice with correct advice and removed all wrong
    advice about chmod from the installer. Now I am going to edit documents under
    the docs directory.

     
  • gigamaster

    gigamaster - 2012-07-24
    • milestone: 1042216 --> 2.2.1
    • status: open-accepted --> open-remind
     
