1
eireann
CHMOD question
  • 2008/10/3 1:05

  • eireann

  • Just popping in

  • Posts: 89

  • Since: 2008/8/21


Recently my main page was hacked and the host company advised not to use insecure CHMOD settings like 777 or 755.

If I set my portal to something less than 755 then it doesn't work.

Now the question.
To what should the XOOPS files and subdirectories be CHMODed so that they will still work and so that crooks don't have an easy time getting in?

BTW: Yesterday I moved all files containing passwords and database access names, like mainfile.php, out of the public_HTML area.

2
DarinAllan
Re: CHMOD question

I am pretty sure that mainfile.php should be in the root of your site (it is with mine) and permissions should be set to 444, *most* other files are 644 and folders are generally 755 with only a couple of exceptions being 777, they were the cache folder and templates_c folder.

Sometimes with my host I don't seem to be able to change file permissions from Filezilla (FTP program), I need to go into CPanel and change permissions from there, but that's with my host, it may not be the same with yours.

Cheers ;o)
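Added example, not part of the original posts: a shell function that audits a XOOPS directory tree against the scheme described in the post above (mainfile.php 444, other files 644, folders 755, cache and templates_c 777) and prints every path that deviates. The function name and the `want=` output format are assumptions made for this example.

```shell
#!/bin/sh
# audit_xoops_perms ROOT
# Prints "want=MODE PATH" for each path under ROOT whose mode differs from
# the scheme in the post: mainfile.php 444, cache/ and templates_c/ 777,
# every other folder 755, every other file 644.
# Files inside cache/ and templates_c/ are written by PHP and are skipped.
audit_xoops_perms() {
    root=${1%/}

    # mainfile.php in the site root must be read-only (444)
    if [ -f "$root/mainfile.php" ]; then
        find "$root/mainfile.php" ! -perm 444 \
            -exec printf 'want=444 %s\n' {} \;
    fi

    # the two writable exceptions named in the post
    for d in cache templates_c; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -prune ! -perm 777 \
                -exec printf 'want=777 %s\n' {} \;
        fi
    done

    # everything else: folders 755, files 644 (exact mode match)
    find "$root" \
        \( -path "$root/cache" -o -path "$root/templates_c" \) -prune \
        -o -type d ! -perm 755 -exec printf 'want=755 %s\n' {} \; \
        -o -type f ! -path "$root/mainfile.php" ! -perm 644 \
           -exec printf 'want=644 %s\n' {} \;
}

# Run directly as: sh audit.sh /path/to/xoops/root
if [ "$#" -gt 0 ]; then
    audit_xoops_perms "$1"
fi
```

An empty result means the tree matches the scheme; each printed line names the mode the path should have.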

3
ghia
Re: CHMOD question
  • 2008/10/3 6:57

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Quote:
Sometimes with my host I don't seem to be able to change file permissions from Filezilla (FTP program), I need to go into CPanel and change permissions from there, but that's with my host, it may not be the same with yours.

This would mean you use different user credentials to log in with FTP and cPanel, or your hoster differentiates this. In that case file ownership and permissions decide if the chmod is allowed or not. When files or folders are created by Apache (PHP), it may be that you cannot change it from cPanel or FTP. It has to be changed then with a file manager from within XOOPS, although I once had some folders from Formulaire which appeared unchangeable, so that I had to open a ticket for it.

4
eireann
Re: CHMOD question
  • 2008/10/3 7:15

  • eireann

  • Just popping in

  • Posts: 89

  • Since: 2008/8/21


Thanks for the info.

I always use IE to enter the FTP area.
Then I right-click ... Properties ... and that gives me the permissions, which can be changed at the same time.


For the mainfile.php:
Well, it's still there but I have removed all its content.
Then I have defined a XOOPS_TRUST_PATH which is outside of the public_html area.
The data from inside the mainfile are in a different file inside the XOOPS_TRUST_PATH and are included when the mainfile.php is included.

Now, if someone hacks into my public_html, there are no passwords or database names to be found anywhere.

5
DarinAllan
Re: CHMOD question

@ Ghia thanks for the info, it's really only the mainfile.php that I have to adjust in CPanel file manager, I guess cos it's 444 I spose, anyway I will look into what you have said.

@ eireann Interesting!

Cheers ;o)

6
ghia
Re: CHMOD question
  • 2008/10/3 7:58

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Quote:
Now, if someone hacks into my public_html, there are no passwords or database names to be found anywhere.

If the hack means uploading PHP code to your site, then the hacker has all read abilities of XOOPS. What would stop him from reading your passwords?

7
eireann
Re: CHMOD question
  • 2008/10/4 0:36

  • eireann

  • Just popping in

  • Posts: 89

  • Since: 2008/8/21


Well,
when I installed Webphoto I had problems because I didn't understand the issue with that XOOPS_TRUST_PATH.

Here in this forum they explained to me that by using the XOOPS_TRUST_PATH people can make the site more safe and prevent hackers from getting sensitive data.

Now you tell me it's all not true?


