erm .. putting an index.html in /templates_c with javascript -1 wouldn't allow direct access there?

stupid michael?

Quote:
Not stupid, but it will not stop the malicious users (who have write access on the server) from hijacking the compiled templates (that smarty reads to build the pages) to include the virus codes. It only helps to block people from viewing the folder contents.

Herko

Quote:
Absolutely right, Michael.

Herko

What's that you say? LazyBadger is once again throwing around confrontational and offensive accusations towards community members actually trying to make a difference for the better without having a shred of evidence? No, I don't beleive it ...

@StudioC

I beleive you are correct Michael, and the cache dir would also need to be writable. I think There are also serveral modules with their own upload folders that would also need this.

Quote:
Hmmm... One hint for you: "Don’t trouble trouble till trouble troubles you". Providing, Hosting, Networing is my business in different aspects, not your or Scalpa's. Before repeating spmething, that you can't grok, better to ask qualified explanation from proffessional (maybe you'll even get it free)

Wel, go to facts...it will be long "quoting-answer" story...
Quote:All ordinary shared hostings use one instance of process Apache, otherwise it's called "VDS" - Virual Dedicated Servers - in singehost
Quote:
Yes, but "What???" One httpd-process for all supported sites, under any user rights isn't a problem at all. One apache for each client is... hmmm... not low-cost solution. and give small advantages and huge set of headaches.

Quote:
Only if we speak about (in our case) PHP as Apache's module, which works with Apache privileges... And it is totally incorrect if
- PHP used as CGI (I hate this solution)
- PHP's cgi is suexec'ed

Quote:
Delirium - it NEVER means "world writable"... it means "Apache process must have rights to write in some physical location" and NOTHING more

Quote:
Small introduction into real multiuser systems and multilevel rights concept for you.

In case of some unrelated areas, which can be handled by different independent users we can't (due to privacy and security reasons) allow all our customers work as single local user, thus - every customer is at least one users with own environment, home, rights. Second problem is (for us) is ability to interact every this user with some backside power (also independent user in terms of our system) and possibilities to share some rigths for results of work man and daemon (see some string above - both have own rigths, we are in trouble "how to share"). But we can do it... We must know, that
- every object (with some level of iteration) have 2-level of ownership - owner and group, every user (except of fact it's user) also is member of at least one union - group, and if we can integrate rights on minimalistic level (owner), we can expand it to next level - user's group... this way more than one user can get same rights on some object (file)....

Okay, what we see as result of our tour? We can in most cases
- include users ( with FTP or SSH access) into the same group, under which operate apache-process owner on our host
- make user (customer's users) owner of all his files on site
- give group write access only to files-directories, which (can|have to) be changed by apache user
- create jail for all customer's users (they can't move up on tree outside own home, which contain site and... nothing more)
WHERE you, Herko-Scalpa-other , see mandatory requirements to write access to World (any process)???
Quote:

Now, what happens is that all the websites that run on the same shared server, run under this "apache" user... So where you give write access to apache, you're giving write access to EVERY malicious user sharing the same server.

Never say "user"... every process on this host, and only if lame configuration was created and used... as I shown above... And it's good - principle LMD-DML in action

Quote:

Now, is this a XOOPS problem or not? I say no

Agree, but for different reasons... Lamers is problem - everywhere for everybody...

Quote:

The solution to this is to have each site run under a different apache user, using suexec.

You are naive dreamer... 100-200-500 addintional apache processes?! Will you pay for it? Do you ready to pay for such hosting VDS cost?

Quote:

So there you have it, the complete motivation for that single line you quoted.

Full of errors, misinterpretation, just missing logic sometimes

Quote:

I hope it will help people deal with this problem and communicate it with their hosting providers.

I hope I shown to all real situation and absence good low-cost solution

OK, enough for today... I spent more time than I can at this learning course for the thankless listeners

you could have said all that in the 1st place, instead of just calling herko a liar without any explanation or evidence..

as been mentioned b4 LB, just be civil will you for cryin out loud.. all you seem to do is accuse herko or skalpa or any1 of lying or exagerating etc, and you only then give your reasons when they retaliate to your accusation..

instead of a direct confrontation approach of calling them liars, y not use a civil and tactful approach and say something like "that's not entirely accurate, here's an explanation"?? or is that just too hard to do..

if you can't be bothered to explain in the 1st place, then don't bother posting or replying with confrontational remarks.

@LB: You're technically right, but are missing the point.

Quote:

Well, that's exactly what we're speaking of right now. The problems is that some "profesionnals" offer solutions with:
- No suexec
- Safe mode off
- No open_basedir or any similar restriction

Quote:
That's where the problem is... if there is no "jail", then giving group (and thus: apache) write access means you give any other customer write access: you're still f*$=d up.

Quote:
lol
It's just about the way you speak man... "Lie or stupidity..." is not very educative. Maybe having told what you think would have prevented several people to have to waste time here: maybe Herko was wrong when he orginally told that giving write-access to apache meant xx7, but again: on bad configs, without the correct restrictions, whatever mean you choose to enable apache to write (whether it's group or world or your sister in shorts) has the same result: it's deeply insecure.

skalpa.>

Addressed to m0nty only:

Did I publish request on "personal mentor"???
Don't say me what I have to do, and I will not say, where you can jostle your recommendations.
You know, what is FREEDOM?
Freedom to have own opinion...
Freedom to freedom to manifest own opinion...
Freedom of choice...
Freedom to listen and freedom don't listen...

I'm tired your dry moralisms and the need of explaining simple things to people, which left the teenage period...

The following quote is commonly misattributed to Voltaire:

I do not agree with a word you say but will defend to the death your right to say it.

It was actually first used by Evelyn Beatrice Hall, writing under the pseudonym of Stephen G. Tallentyre in The Friends of Voltaire (1906), as a summation of Voltaire's attitude, based on statements in Essay on Tolerance where he asserts: "Think for yourselves and let others enjoy the privelege to do so too".

Complete freedom leads to null-freedom.

Man, off-topic too much.

Time back to the topic itself.

Quote:
Can you see rest of topic here?

Host (with XOOPS site) was hacked, files (all HTML on host, I think) was infected and WILL be infected again. Cure template_c is temporary and short-time solution... host must be downed and
- source of problem must identified and removed
- system reinstalled (compromised system haven't rights to live)
- data restored

You try to close my mouth being covered by deviation from the theme of the forum? Well lets continue this speech in XOOPS.org Members Lounge, when all forums overloaded by empty offtopic chat and moders work as Censors instead of moders