chmod 777 too harsh

[sharyanto]

the installation script mandates that configuration.php and templates_c/ be chmod'ed to 0777. this is too harsh and not required in some environments, as well as insecure. Some environments only require 06xx or 066x for files and 07xx or 077x for directories.

 

Instead of requiring that exact permission value, the installation script could instead test files/dirs with is_writable() and friends.

[MACscr]

it doesnt require 777. It just requires that the files/folders are writable.

[brianoz]

This actually is a good point that occurred to me too. If the server is running phpsuexec or the later suphp, no special permission is needed on the directory as write access is already available.

 

If the server is NOT running phpsuexec/suphp, you should NOT be running your WHMCS install on it, unless you want your WHMCS to be open for all.

[Matt]

it doesnt require 777. It just requires that the files/folders are writable.

MACscr is correct. It only requires the directory to be writeable by the script. Doesn't matter what you CHMOD it to.

 

Matt

[MACscr]

This actually is a good point that occurred to me too. If the server is running phpsuexec or the later suphp, no special permission is needed on the directory as write access is already available.

 

If the server is NOT running phpsuexec/suphp, you should NOT be running your WHMCS install on it, unless you want your WHMCS to be open for all.

 

You should never ever ever have whmcs installed on a shared server, so the permissions should never really matter.

 

Also, you cant even run 777 on php exec, so its not even an option.

[Gears]

This actually is a good point that occurred to me too. If the server is running phpsuexec or the later suphp, no special permission is needed on the directory as write access is already available.

 

If the server is NOT running phpsuexec/suphp, you should NOT be running your WHMCS install on it, unless you want your WHMCS to be open for all.

 

You should never ever ever have whmcs installed on a shared server, so the permissions should never really matter.

 

Also, you cant even run 777 on php exec, so its not even an option.

 

Is WHMCS that vulnerable when installed on a shared server? I didn't realize you shouldn't install it on a shared server.

[MACscr]

This actually is a good point that occurred to me too. If the server is running phpsuexec or the later suphp, no special permission is needed on the directory as write access is already available.

 

If the server is NOT running phpsuexec/suphp, you should NOT be running your WHMCS install on it, unless you want your WHMCS to be open for all.

 

You should never ever ever have whmcs installed on a shared server, so the permissions should never really matter.

 

Also, you cant even run 777 on php exec, so its not even an option.

 

Is WHMCS that vulnerable when installed on a shared server? I didn't realize you shouldn't install it on a shared server.

 

No, i didnt mean that. its just that a site in general is more vulnerable when its shared with other users. Think about it, what if a users phpbb2 forum was hacked on your server and it gave them access to the entire server. That means that all your clients information could be used for all kinds of evil purposes. This is just my opinion though.

[Fernis]

Can templates_c be set at 0755 ?

[PPH]

Can templates_c be set at 0755 ?

Depends on your php installation. If you are phpsuexec you can.

[brianoz]

You should never ever ever have whmcs installed on a shared server, so the permissions should never really matter.

 

Also, you cant even run 777 on php exec, so its not even an option.

Commercial reality for most WHMCS customers is that they're small companies - getting a dedicated server just for WHMCS simply isn't an option. The reality is that 90% of WHMCS installed base, or more, would be running on shared servers. And frankly, if you're running phpsuexec or suphp it's just not necessary to run it standalone.

 

I do agree though, that you should never run it on a shared server without protection.

 

And, of course, mod_security and CSF are must-haves as they give a whole new world of protection.

[MACscr]

You should never ever ever have whmcs installed on a shared server, so the permissions should never really matter.

 

Also, you cant even run 777 on php exec, so its not even an option.

Commercial reality for most WHMCS customers is that they're small companies - getting a dedicated server just for WHMCS simply isn't an option. The reality is that 90% of WHMCS installed base, or more, would be running on shared servers. And frankly, if you're running phpsuexec or suphp it's just not necessary to run it standalone.

 

I do agree though, that you should never run it on a shared server without protection.

 

And, of course, mod_security and CSF are must-haves as they give a whole new world of protection.

 

how you have php configured has nothing to do with mysql and only partly to do with hacking a server that your already on. phpsuexec only protects your php files from other users on the server, but actually increases your risk to outside users over mod_php.

 

I do completely agree that a dedicated server just for a company site is possible for everyone, but having a small vps is definitely an option for small web hosts and while not perfect, its a huge improvement over a shared hosting environment. If your trying to run a full fledge hosting company that actually requires a billing solution, then i dont see how a $20 or $30 vps isnt possible.