• From: Viljandi, Estonia
  • Registered: 2008-08-16
  • Posts: 29

Topic: pun_repository security

In my opinion the phrase...

NOTE! Web server's system user will be set as an owner of the files and directories created while extension downloading and installation. Access mode for directories created will be set to 0777.

...isn't secure enough. It would be better idea to set it to 0755 (system user can do read,write,execute and all others just read and execute)

The reason why I'm asking this, is because i'm getting attacked by outside world repeatedly and my outdated pun_pm got hijacked by somebody and that made me to worry about others: the reason was the nasty chmod 777.

ingram's Website

2 Reply by bejo

  • bejo
  • Member
  • Offline
  • From: Indonesia
  • Registered: 2009-04-02
  • Posts: 15

Re: pun_repository security

yeah, we should manualy chmod from cpanel,,, big_smile , ,maybe it should automatic chmod after instalation of extension,,, big_smile

http://www.nongkrongonline.co.cc
  • From: Russia
  • Registered: 2008-07-22
  • Posts: 713

Re: pun_repository security

The permissions for the "cache" directory should be 0777 too. This directory contains executable PHP code. So pun_repository isn't less secure than the whole forum.

PunBB team intentions, personal tasks.

Parpalak's Website

4 Reply by MattF

  • MattF
  • Senior Member
  • Offline
  • From: South Yorkshire, England
  • Registered: 2007-03-15
  • Posts: 1,956

Re: pun_repository security

Parpalak wrote:

The permissions for the "cache" directory should be 0777 too. This directory contains executable PHP code. So pun_repository isn't less secure than the whole forum.

Those directories only need to be writable for the httpd user, not everyone.

MattF's Website

  • From: Russia
  • Registered: 2008-07-22
  • Posts: 713

Re: pun_repository security

When we developed pun_repository we faced an issue. If a user has only FTP access he can't delete an extension directory created via pun_repository. We decided to set permissions to 0777 to avoid this issue.

PunBB team intentions, personal tasks.

Parpalak's Website