Guest Posted November 23, 2009

Because my customer has been hacked in directory temp, I try to follow up the rules of Spooks. So far I understood to prevent 777 as follows (in the admin you are a user just like a visitor in your shop, but using FTP you are the owner, so 755 is enough for writing to directories as an owner):

- don't use cache (otherwise you need 777 for the cache dir)
- don't write sessions to a dir (otherwise you need 777)
- replace the image upload fields in categories and manufacturers with normal input fields for the names of the pictures only, and upload them with FTP (faster too)
- don't use the backup in admin (otherwise you need 777 for the backup dir); use the export function in your phpmyadmin for backing up the mysql database
- avoid using temp or tmp or a directory for temporary objects
- always use FTP to place objects in a directory if needed (e.g. banners, backups etc.)

Right? (I could not change the header because it is "did I understand this right" :) )
web-project Posted November 23, 2009

Normally on the server 755 is the permission to execute the script; at the same time this permission allows the web server to work with files and in most cases works as 777, but the folders are secured so that no one from outside can upload images or scripts to hack your oscommerce.

Please read this line: Do you want to find all the answers to your questions? click here. As for the contribution database, it's located here! 8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself. Before installing a contribution or editing/updating/deleting any files, do a full backup; it will save you & everyone here on the forum time to fix your issues. Any issues with oscommerce, I am here to help you.
Guest Posted November 23, 2009

> Because my customer has been hacked in directory temp, I try to follow up the rules of Spooks. So far I understood to prevent 777 as follows (in the admin you are a user just like a visitor in your shop, but using FTP you are the owner, so 755 is enough for writing to directories as an owner):
>
> - don't use cache (otherwise you need 777 for the cache dir)
> - don't write sessions to a dir (otherwise you need 777)
> - replace the image upload fields in categories and manufacturers with normal input fields for the names of the pictures only, and upload them with FTP (faster too)
> - don't use the backup in admin (otherwise you need 777 for the backup dir); use the export function in your phpmyadmin for backing up the mysql database
> - avoid using temp or tmp or a directory for temporary objects
> - always use FTP to place objects in a directory if needed (e.g. banners, backups etc.)
>
> Right? (I could not change the header because it is "did I understand this right" :) )

I have read so many topics about this, but most of the answers are too confusing for me (not only for me, I think; most people give up in the discussion, I think, because of the short unclear answers), e.g. "it would be easy to put pressure on your host", forget it ... or "simply move to another host" ... So I think my question about this topic is very clear and hopefully will be answered clearly, so this topic can be useful for all of us. So I ask here for a clear answer that everybody could work with (su .. etc. are not solutions for an average webshop owner). I think that simply preventing it by changing your programs so they don't use 777 is the most simple solution on every host (for now)! So I am very curious about comments concerning this ... please no short unclear answers (short and clear is ok :) ), otherwise this will again be a topic about this subject where you don't find clear answers ...
Guest Posted November 23, 2009

> Normally on the server 755 is the permission to execute the script; at the same time this permission allows the web server to work with files and in most cases works as 777, but the folders are secured so that no one from outside can upload images or scripts to hack your oscommerce.

Thanks Alex, but with 755 you can't upload images to your folder in admin because fopen() (php) has not enough authorisation in that case. So my answer in that case would be: upload your images with FTP and fill in only the names in your programs like categories.php and manufacturers.php, and don't start an endless communication with your host with many clients (you lose) if you want to solve this quickly and safely for yourself.
Jack_mcs Posted November 23, 2009

You're trying to fix something that is broken on the server. The settings on the server determine the permissions to use. They are, in your case it seems, set to allow using 777. While your changes may work, what if you miss one? Doing it your way puts more responsibility on you and adds another job for you as a shop owner. If your host only allowed 755 in the first place, it would free you up for running the shop. Asking your host to change that is, in my experience, useless, since most will not do so. The only alternative is to change hosts and, in this case, it would be the only right decision.

Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. All of My Addons Get the latest versions of my addons Recommended SEO Addons
♥FWR Media Posted November 23, 2009

Yes, if you are with a bucket host (loads on the same server) you have little option but to take the slow route of php as a cgi with suphp/phpsuexec; you will need maximum permissions to be 0755. If you have your own server or a VPS, happily you can dump all this and run php as a module, far far faster.

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls KissMT Dynamic SEO Meta & Canonical Header Tags KissER Error Handling and Debugging KissIT Image Thumbnailer Security Pro - Querystring protection against hackers ( a KISS contribution ) If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
Guest Posted November 23, 2009

> You're trying to fix something that is broken on the server. The settings on the server determine the permissions to use. They are, in your case it seems, set to allow using 777. While your changes may work, what if you miss one? Doing it your way puts more responsibility on you and adds another job for you as a shop owner. If your host only allowed 755 in the first place, it would free you up for running the shop. Asking your host to change that is, in my experience, useless, since most will not do so. The only alternative is to change hosts and, in this case, it would be the only right decision.

Hi Jack of the many very useful contributions (thanks), so you think the best solution is to ask your host to install the su.. programs on their server (but not easy, I read, the settings, so the average hoster doesn't have the knowledge I guess), so 755 would work as 777 but somebody from outside could not get into your folders; only a program running on your server would see 755 as 777, and because your folders are protected with 755, a hacker could not place programs in it directly to run them with 777 authorisations in that program. Right? But my clients were moved already to another, better provider (not bad), so if he/she is not willing to, I have to do my changes (but creating thumbnails in your programs gives the same problem; it also needs a 777 directory in my case). I am going to ask my provider and will tell what happens in this forum ...
Jack_mcs Posted November 23, 2009

> your server would see 755 as 777, and because your folders are protected with 755, a hacker could not place programs in it directly to run them with 777 authorisations in that program. Right?

No, it depends on how the hacker has gained access. There is a vulnerability due to the filemanager script in admin that allows the hackers to edit all existing files and to place new files on the server, even if the permissions are 755. But under normal conditions, a hacker won't be able to make the changes he could if the permissions are 755 instead of 777.

Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. All of My Addons Get the latest versions of my addons Recommended SEO Addons
Mort-lemur Posted November 23, 2009

Hi, just to add a bit from my recent discussions with my host on this, his response was:

> We do not currently use PHPSuExec and as such you will have to change the permissions to 777. To say that this means PHP is installed the wrong way would suggest that over 50% of servers on the Internet have PHP installed incorrectly.

so much for their help......

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.
web-project Posted November 23, 2009

> Thanks Alex, but with 755 you can't upload images to your folder in admin because fopen() (php) has not enough authorisation in that case.

With suphp/phpsuexec (very strict and secure, as PHP runs as the user instead of nobody or the server user), working on a few of my servers with permission 0755, I never had the fopen() problem.

Please read this line: Do you want to find all the answers to your questions? click here. As for the contribution database, it's located here! 8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself. Before installing a contribution or editing/updating/deleting any files, do a full backup; it will save you & everyone here on the forum time to fix your issues. Any issues with oscommerce, I am here to help you.
Guest Posted November 24, 2009

Good news (for me). My provider (a good one) already had a new server with suphp/phpsuexec implemented. On my request the most urgent webstore was moved to that server, and indeed all directories have a maximum of 755 and the programs are now running under the owner (so objects, e.g. images, can be added to directories with 755). So visitors of your webstore, or yourself logged into admin, all have the same rights (maximum 755; in fact the 5 is what applies to you), but the programs are running under the owner (the first 7) and have all rights to do everything inside the program. Before, a program was running under the rights of a visitor (in xxx the second and third position, e.g. in 777 the second or third position), so a 7 was needed to add an image to a directory from a program. :) Thanks to everybody who helped me in the forums (not always directly) to understand, and hopefully it has now been explained clearly to others; otherwise ask a question ..
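The permission arithmetic the thread circles around (which digit of 755 the PHP process is judged by under mod_php versus suPHP/phpsuexec, and why fopen() fails in the one case and not the other), as an added Python example that is not from the original thread, from osCommerce, or from any poster. It models the POSIX owner/group/other write check with constructed identities (uid 1001 for the FTP account that owns the shop files, uid 65534 for the web-server user "nobody"; both are assumptions, not values from the thread) and adds a scanner that lists every world-writable directory or file under a document root, which is the check a shop owner can run after converting a shop to 755-only directories. The sample shop tree is constructed inside the script in a scratch directory.

```python
import os
import stat
import tempfile
from typing import Iterable, List

# Constructed example identities (assumptions, not values from the thread):
OWNER_UID, OWNER_GID = 1001, 1001      # the shop owner's FTP account, owner of the files
WEB_UID, WEB_GID = 65534, 65534        # the unprivileged web-server user ("nobody") mod_php runs as


def can_write(mode: int, file_uid: int, file_gid: int,
              proc_uid: int, proc_gids: Iterable[int]) -> bool:
    """POSIX discretionary access check for the write bit.

    Exactly one digit of the octal mode is consulted: the owner digit if the
    process runs as the file's owner, the group digit if it merely shares the
    group, otherwise the 'other' digit.  This is why 755 is enough under
    suPHP/phpsuexec (PHP runs as the owner) but not under mod_php as 'nobody'.
    """
    if proc_uid == 0:
        return True                      # root is not subject to mode bits
    if proc_uid == file_uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in set(proc_gids):
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def php_can_write_dir(mode: int, php_runs_as_owner: bool) -> bool:
    """Can a PHP script (e.g. an admin image upload) write into a directory
    owned by the FTP account, given how PHP is executed on the host?"""
    if php_runs_as_owner:                # suPHP / phpsuexec: script runs as its owner
        return can_write(mode, OWNER_UID, OWNER_GID, OWNER_UID, [OWNER_GID])
    return can_write(mode, OWNER_UID, OWNER_GID, WEB_UID, [WEB_GID])   # mod_php as nobody


def find_world_writable(root: str) -> List[str]:
    """List directories and files under root whose 'other' write bit is set
    (a 7 or 6 in the last octal digit, e.g. 777 or 666), relative to root.
    Symlinks are skipped because their own mode bits are not meaningful."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def build_sample_tree(base: str) -> None:
    """Constructed shop layout: images/ already fixed to 755, temp/ and
    admin/backups/ still 777 as the thread describes, plus a session file
    left world-writable by a 'write sessions to a directory' setup."""
    layout = {"images": 0o755, "temp": 0o777, "admin": 0o755, "admin/backups": 0o777}
    for rel, mode in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)             # explicit chmod so the umask cannot interfere
    sess = os.path.join(base, "temp", "sess_abc123")
    with open(sess, "w"):
        pass
    os.chmod(sess, 0o666)


def demo_scan() -> List[str]:
    """Build the sample tree in a scratch directory, scan it, clean up."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return find_world_writable(base)


if __name__ == "__main__":
    for mode in (0o755, 0o775, 0o777):
        print(f"dir {mode:o}: mod_php as nobody -> {php_can_write_dir(mode, False)}, "
              f"suPHP as owner -> {php_can_write_dir(mode, True)}")
    print("world-writable entries in the sample shop:", demo_scan())
```

Run it once to see the three modes side by side: under mod_php only 777 lets the upload succeed, under suPHP 755 already does, and the scanner reports exactly the entries (temp, admin/backups, the session file) that any other account on a shared host could also write to. Point `find_world_writable` at a real document root after the 755 conversion to confirm nothing was missed.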
Archived
This topic is now archived and is closed to further replies.