Topic: Step 2, writeable, & security risks?

editfish

  • Jr. Member
  • Posts: 66
Step 2, writeable, & security risks?
« on: September 12, 2008, 01:01:34 am »
The system check during step 2 of the install went fairly well except for the note that /cache, /upload, /tmp were not writeable.  The install would not continue until I chmodded them all to 777.  How can I minimize the risk to the site through these world writeable directories?

Thanks!

cabeza

  • Administrator
  • Hero Member
  • Posts: 1004
    • Feng Office
Re: Step 2, writeable, & security risks?
« Reply #1 on: September 12, 2008, 11:48:49 am »
Hi editfish,
  You can chmod them to 755 ... everything should work that way (or else, please let us know).
Thanks,
Marcos

editfish

Re: Step 2, writeable, & security risks?
« Reply #2 on: September 12, 2008, 11:03:31 pm »
Thanks, Marcos-

I'm much more comfortable with that.  Can I do the same for /public/files, or should it remain as 777?

cabeza

Re: Step 2, writeable, & security risks?
« Reply #3 on: September 13, 2008, 12:25:34 pm »
Yes, you can.

editfish

Re: Step 2, writeable, & security risks?
« Reply #4 on: September 15, 2008, 12:32:16 am »
ERROR-

I chmodded /cache and /public/files to 755 as previously discussed, and things worked fine until I attempted to update user avatars (while logged in with full admin privileges):

---excerpt from log.php----------------------------------------------------------------------------

Session "default" started at 2008-09-15T03:15:43+0000
#1 ERROR: Error: imagepng() [<a href='function.imagepng'>function.imagepng</a>]: Unable to open '/home/tinwdub4/public_html/opengoo/cache/646b80e31398ecc22f64e5cc5c5502ad54893fba' for writing: Permission denied in '/home/tinwdub4/public_html/opengoo/library/simplegd/classes/SimpleGdImage.class.php' on line 183 (error code: 2)
#2 ERROR: Error: Undefined variable: public_filename in '/home/tinwdub4/public_html/opengoo/application/models/users/User.class.php' on line 561 (error code: 8)
#3 ERROR: Error: unlink(/home/tinwdub4/public_html/opengoo/cache/646b80e31398ecc22f64e5cc5c5502ad54893fba) [<a href='function.unlink'>function.unlink</a>]: No such file or directory in '/home/tinwdub4/public_html/opengoo/application/models/users/User.class.php' on line 564 (error code: 2)
Time since start: 0.11425113678 seconds
-------------------------------------------------------------------------------

Session "default" started at 2008-09-15T03:20:27+0000
#1 ERROR: Error: copy(/home/tinwdub4/public_html/opengoo/public/files/35afcc4bc940feeb1ad270ccfae49f348d28b04b.png) [<a href='function.copy'>function.copy</a>]: failed to open stream: Permission denied in '/home/tinwdub4/public_html/opengoo/application/models/PublicFiles.class.php' on line 39 (error code: 2)
Time since start: 0.184986829758 seconds
-------------------------------------------------------------------------------

After chmodding these two directories back to 777, the avatar update executed without a problem.

I'm not really comfortable leaving those directories world-writeable.  Why is a legitimate opengoo user (as included in the MySQL database) not permitted to write to this directory? 

Sorry for the idiocy.

« Last Edit: September 15, 2008, 12:51:06 am by editfish »

cabeza

Re: Step 2, writeable, & security risks?
« Reply #5 on: September 15, 2008, 12:12:42 pm »
FileSystem users are totally independent from OpenGoo users.
The truth is that they are used for different purposes. Integration between them could be desirable, but it is not implemented yet.
Marcos
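
Added example, not part of the original thread or of OpenGoo: a shell sketch of why 755 produced "Permission denied" in the log above while 777 worked, by working out which permission class the web server process falls into for a directory. The account names `siteowner`, `webgrp` and `www-data` are constructed; the thread does not say which user PHP runs as, and `audit_dir` assumes GNU `stat`.

```shell
#!/bin/sh
# Unix applies exactly one permission class to a process: owner if the user
# matches, else group if the process is in the directory's group, else other.

# write_class MODE DIR_OWNER DIR_GROUP PROC_USER "PROC_GROUPS"
# Prints the class that grants write access (owner|group|other) or "none".
write_class() {
    mode=$1; d_owner=$2; d_group=$3; p_user=$4; p_groups=$5
    if [ "$p_user" = "$d_owner" ]; then
        class=owner; bit=0200
    else
        class=other; bit=0002
        for g in $p_groups; do
            if [ "$g" = "$d_group" ]; then class=group; bit=0020; fi
        done
    fi
    if [ $(( 0$mode & $bit )) -ne 0 ]; then echo "$class"; else echo none; fi
}

# audit_dir DIR WEB_USER: apply write_class to a real directory.
# Assumes GNU stat (-c) and that WEB_USER exists on this host.
audit_dir() {
    set -- "$1" "$2" $(stat -c '%a %U %G' "$1")
    result=$(write_class "$3" "$4" "$5" "$2" "$(id -Gn "$2")")
    case $result in
        other) echo "$1: $2 writes only via the world bit; prefer chown/chgrp + 755/775" ;;
        none)  echo "$1: $2 cannot write (Permission denied, as in the log above)" ;;
        *)     echo "$1: $2 writes via $result bits; world write is not needed" ;;
    esac
}

# Constructed cases (hypothetical account names):
#   write_class 755 siteowner siteowner www-data "www-data"        # none
#   write_class 775 siteowner webgrp    www-data "www-data webgrp" # group
```

If PHP runs as the account that owns the directories, 755 is enough; if it runs as a separate user, giving that user a shared group and using 775 avoids the world-writable bit.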

editfish

Re: Step 2, writeable, & security risks?
« Reply #6 on: September 15, 2008, 10:56:41 pm »
Gotcha.  Thanks for the clarification.  I was misunderstanding the level of integration of opengoo with the filesystem.

miguipda

  • Newbie
  • Posts: 14
Re: Step 2, writeable, & security risks?
« Reply #7 on: August 27, 2009, 04:26:15 am »
Hi,

Perfect, it works...

Have a nice day,

Miguipda ;-)