
chmod 777 too harsh



The installation script mandates that configuration.php and templates_c/ be chmod'ed to 0777. This is too harsh and not required in some environments, as well as insecure. Some environments only require 06xx or 066x for files and 07xx or 077x for directories.

 

Instead of requiring that exact permission value, the installation script could instead test files/dirs with is_writable() and friends.

Link to comment
Share on other sites
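
An added example, not part of the original posts and not WHMCS code: an installer-style check in PHP that does what the post above suggests, testing writability with is_writable() instead of demanding 0777, and flagging world-writable modes. The function name check_target and the temporary sandbox directory are assumptions made for illustration.

```php
<?php
// Added example, not WHMCS installer code. File names follow the post above.

function check_target(string $path): array
{
    clearstatcache(true, $path);
    if (!file_exists($path)) {
        return ['ok' => false, 'mode' => null, 'note' => 'missing'];
    }
    $mode = fileperms($path) & 0777;      // keep only the permission bits
    $ok   = is_writable($path);           // tests the user the PHP process runs as

    if ($ok && is_dir($path)) {
        // Confirm by actually creating a file; tempnam() may fall back to the
        // system temp dir, so verify where the probe landed.
        $probe = @tempnam($path, 'wchk');
        $ok = $probe !== false && realpath(dirname($probe)) === realpath($path);
        if ($probe !== false) {
            @unlink($probe);
        }
    }

    $note = $ok ? 'writable' : 'not writable by the PHP user';
    if ($mode & 0002) {
        $note .= '; world-writable, tighten if the install still passes';
    }
    return ['ok' => $ok, 'mode' => sprintf('%04o', $mode), 'note' => $note];
}

// Constructed sandbox standing in for a real install directory.
$root = sys_get_temp_dir() . '/perm_demo_' . bin2hex(random_bytes(4));
mkdir("$root/templates_c", 0700, true);
touch("$root/configuration.php");
chmod("$root/configuration.php", 0600);

foreach (['configuration.php', 'templates_c'] as $name) {
    $r = check_target("$root/$name");
    printf("%-18s %s  %s\n", $name, $r['mode'], $r['note']);
}

chmod("$root/templates_c", 0777);         // the mode the installer asks for
$r = check_target("$root/templates_c");
printf("%-18s %s  %s\n", 'templates_c', $r['mode'], $r['note']);

// Clean up the sandbox.
unlink("$root/configuration.php");
rmdir("$root/templates_c");
rmdir($root);
```

Run under the same user as the web server's PHP handler; under suPHP/phpsuexec that is the account owner, so 0600/0700 pass the check, which is the case the thread describes.
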

This actually is a good point that occurred to me too. If the server is running phpsuexec or the later suphp, no special permission is needed on the directory as write access is already available.

 

If the server is NOT running phpsuexec/suphp, you should NOT be running your WHMCS install on it, unless you want your WHMCS to be open for all.

Link to comment
Share on other sites

  • WHMCS CEO
It doesn't require 777. It just requires that the files/folders are writable.

MACscr is correct. It only requires the directory to be writeable by the script. Doesn't matter what you CHMOD it to.

 

Matt

Link to comment
Share on other sites

This actually is a good point that occurred to me too. If the server is running phpsuexec or the later suphp, no special permission is needed on the directory as write access is already available.

 

If the server is NOT running phpsuexec/suphp, you should NOT be running your WHMCS install on it, unless you want your WHMCS to be open for all.

 

You should never ever ever have WHMCS installed on a shared server, so the permissions should never really matter.

Also, you can't even run 777 on php exec, so it's not even an option.

Link to comment
Share on other sites

This actually is a good point that occurred to me too. If the server is running phpsuexec or the later suphp, no special permission is needed on the directory as write access is already available.

 

If the server is NOT running phpsuexec/suphp, you should NOT be running your WHMCS install on it, unless you want your WHMCS to be open for all.

 

You should never ever ever have WHMCS installed on a shared server, so the permissions should never really matter.

Also, you can't even run 777 on php exec, so it's not even an option.

 

Is WHMCS that vulnerable when installed on a shared server? I didn't realize you shouldn't install it on a shared server.

Link to comment
Share on other sites

This actually is a good point that occurred to me too. If the server is running phpsuexec or the later suphp, no special permission is needed on the directory as write access is already available.

 

If the server is NOT running phpsuexec/suphp, you should NOT be running your WHMCS install on it, unless you want your WHMCS to be open for all.

 

You should never ever ever have WHMCS installed on a shared server, so the permissions should never really matter.

Also, you can't even run 777 on php exec, so it's not even an option.

 

Is WHMCS that vulnerable when installed on a shared server? I didn't realize you shouldn't install it on a shared server.

 

No, I didn't mean that. It's just that a site in general is more vulnerable when it's shared with other users. Think about it: what if a user's phpbb2 forum was hacked on your server and it gave them access to the entire server? That means that all your clients' information could be used for all kinds of evil purposes. This is just my opinion though.

Link to comment
Share on other sites

You should never ever ever have WHMCS installed on a shared server, so the permissions should never really matter.

Also, you can't even run 777 on php exec, so it's not even an option.

Commercial reality for most WHMCS customers is that they're small companies - getting a dedicated server just for WHMCS simply isn't an option. The reality is that 90% of WHMCS installed base, or more, would be running on shared servers. And frankly, if you're running phpsuexec or suphp it's just not necessary to run it standalone.

 

I do agree though, that you should never run it on a shared server without protection.

 

And, of course, mod_security and CSF are must-haves as they give a whole new world of protection.

Link to comment
Share on other sites

You should never ever ever have WHMCS installed on a shared server, so the permissions should never really matter.

Also, you can't even run 777 on php exec, so it's not even an option.

Commercial reality for most WHMCS customers is that they're small companies - getting a dedicated server just for WHMCS simply isn't an option. The reality is that 90% of WHMCS installed base, or more, would be running on shared servers. And frankly, if you're running phpsuexec or suphp it's just not necessary to run it standalone.

 

I do agree though, that you should never run it on a shared server without protection.

 

And, of course, mod_security and CSF are must-haves as they give a whole new world of protection.

 

How you have php configured has nothing to do with mysql and only partly to do with hacking a server that you're already on. phpsuexec only protects your php files from other users on the server, but actually increases your risk to outside users over mod_php.

 

I do completely agree that a dedicated server just for a company site is possible for everyone, but having a small VPS is definitely an option for small web hosts and, while not perfect, it's a huge improvement over a shared hosting environment. If you're trying to run a full-fledged hosting company that actually requires a billing solution, then I don't see how a $20 or $30 VPS isn't possible.

Link to comment
Share on other sites
