PunBB Forums - pun_repository security

Re: pun_repository security

dummy@example.com (Parpalak) — Thu, 25 Jun 2009 12:35:12 +0000

When we developed pun_repository we faced an issue. If a user has only FTP access he can't delete an extension directory created via pun_repository. We decided to set permissions to 0777 to avoid this issue.

Re: pun_repository security

dummy@example.com (MattF) — Thu, 25 Jun 2009 11:53:06 +0000

Parpalak wrote:

The permissions for the "cache" directory should be 0777 too. This directory contains executable PHP code. So pun_repository isn't less secure than the whole forum.

Those directories only need to be writable for the httpd user, not everyone.

Re: pun_repository security

dummy@example.com (Parpalak) — Thu, 25 Jun 2009 11:23:27 +0000

The permissions for the "cache" directory should be 0777 too. This directory contains executable PHP code. So pun_repository isn't less secure than the whole forum.

Re: pun_repository security

dummy@example.com (bejo) — Sun, 14 Jun 2009 06:57:09 +0000

yeah, we should manualy chmod from cpanel,,, , ,maybe it should automatic chmod after instalation of extension,,,

pun_repository security

dummy@example.com (ingram) — Sat, 13 Jun 2009 20:16:17 +0000

In my opinion the phrase...

NOTE! Web server's system user will be set as an owner of the files and directories created while extension downloading and installation. Access mode for directories created will be set to 0777.

...isn't secure enough. It would be better idea to set it to 0755 (system user can do read,write,execute and all others just read and execute)

The reason why I'm asking this, is because i'm getting attacked by outside world repeatedly and my outdated pun_pm got hijacked by somebody and that made me to worry about others: the reason was the nasty chmod 777.