Xnoddyx's 'Excellent Answer' (Read 1,123 times)
JonB (YaBB Administrator; YaBB Next Team, Operations Team, Beta Testers, Support Team; Posts: 3,980; Location: Land of the Blazing Sun!; YaBB 2.6.1)
Xnoddyx's 'Excellent Answer'
Nov 7th, 2012 at 4:02pm
Background - I am running a Support Quiz - the objective is to analyze and learn the CHMOD tool (as in what are the optimal settings for YaBB files)

Xnoddyx submitted a close to correct answer 1st. I gave it an '8 out of 10'

Here was his second response:
Quote:
lol Ok How about

website owner day 1-3 setup and testing new website.
website owner day 4-5 fine tuning website and look.
website owner day 6-7 users on website and website owner checking error log.
website owner day 8-12 takes time off from this website to work on new project.

hacker/user on host day 4-5 oooo I have full access to your website
hacker/user on host day 6-7 copies files off host and edits them
hacker/user on host day 8-9 checks if owner has been on and checks files modified from date of download
hacker/user on host day 10 uploads edited files and locks owner out

website owner day 13 checks website logs, sees unknown entries and looks at his website: the website of cute and cuddly puppies has been replaced with "click here for XXXX porn" and pop-up paradise
website owner tries to upload his website, getting FTP error 532 "Need account for storing files." "Logged in user does not have permission to store files on remote server."

is that any good? Grin


Too funny, thanks
Cheesy

I find your lack of faith disturbing.
The Boy (Full Member; Posts: 345; Location: UK)
Re: Xnoddyx's 'Excellent Answer'
Reply #1 - Nov 9th, 2012 at 4:27pm
To answer the question, though, if apache (or whatever) runs under the same account as the file owner:

.pl files, 500
Any R/O text files (help, language, images), 400
R/W files (things in Members and Messages), 600
Settings.pl - I always permissioned this to stop any fiddling by co-admins Roll Eyes

Obviously, if apache (or whatever httpd service) is in the same group, but a different account, the above would be
550
440
660

If you rely on World to run stuff:
555
444
666  <<< less than ideal, so only if absolutely necessary!! More so on shared servers.

or
505
404
606  <<< same as above!

I know it's easier to make the Owner (or group) have write perms, but this can give the baddies a vector to play silly beggars.

(Above for *nix, but the principle applies to NTFS perms in Windoze)
The Boy (Full Member; Posts: 345; Location: UK)
Re: Xnoddyx's 'Excellent Answer'
Reply #2 - Nov 9th, 2012 at 4:28pm
I should add, I am a massive believer in minimum permissions.

And, yes, I do run my Windows desktop as a non-Administrative user!!
JonB (YaBB Administrator; YaBB Next Team, Operations Team, Beta Testers, Support Team; Posts: 3,980; Location: Land of the Blazing Sun!; YaBB 2.6.1)
Re: Xnoddyx's 'Excellent Answer'
Reply #3 - Nov 13th, 2012 at 3:17pm
I should note this topic is a tiny bit out of context.

This discussion really is mostly relevant (although it is a good learning tool) to those with Linux/Unix servers they control (self-hosters, VPS or Dedicated servers). Those on shared hosting should consult with their hosts before moving away from YaBB's recommended settings, with one possible exception - the 'Other' permission (third position)

Let's take an executable (like a .pl file):
755 - User 7 [all rights] (RWE); User Principal Group 5 RE (read, execute); Others 5 RE (read, execute). In theory, a properly set up server should not need ANY rights for 'Others', so it could be '750' just as easily. The '0' value in the Others position is something even shared host users could test.

A tool I use to explain:
http://www.onlineconversion.com/html_chmod_calculator.htm

This thread is derived from this ServerSide topic:
http://www.yabbforum.com/community/YaBB.pl?num=1349980579

Note: not every answer there is vetted, everything in Area 51 is 'you are on your own'.

Good Luck
Wink
« Last Edit: Nov 14th, 2012 at 8:39pm by JonB »  
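The permission layouts in The Boy's Reply #1 (500/400/600 and their group and world variants) and JonB's point in Reply #3 that the 'Others' digit can usually be 0 are easy to state and easy to get wrong across a whole YaBB tree. The script below is an added example, not code from the thread or from YaBB itself: it decodes an octal chmod value into its rwx triples and audits a list of "path mode" lines against those rules (nothing for 'other', nothing group- or world-writable, scripts not writable even by their owner). The file listing it runs on is a constructed sample; on a real server the same lines can be produced with `find` plus `stat` as noted in the comments.

```shell
#!/bin/sh
# Added example for this thread (not code from the forum or from YaBB):
# decode an octal chmod value into rwx triples and audit a file listing
# against the least-privilege layout described in the thread:
#   - 'other' (third digit) should need nothing on a correctly set up server
#   - nothing should be group- or world-writable
#   - scripts (*.pl) should not be writable even by the owner (500 / 550)

# Map one octal digit to its rwx triple, e.g. 5 -> r-x
digit_to_rwx() {
    case "$1" in
        0) printf '%s' '---' ;;  1) printf '%s' '--x' ;;
        2) printf '%s' '-w-' ;;  3) printf '%s' '-wx' ;;
        4) printf '%s' 'r--' ;;  5) printf '%s' 'r-x' ;;
        6) printf '%s' 'rw-' ;;  7) printf '%s' 'rwx' ;;
        *) return 1 ;;
    esac
}

# Split a 3- or 4-digit octal mode into user/group/other digits U, G, O.
# A leading 0 as in 0644 is dropped; setuid/setgid/sticky bits are not handled.
split_mode() {
    m=$1
    case $m in ????) m=${m#?} ;; esac
    U=${m%??}; rest=${m#?}; G=${rest%?}; O=${rest#?}
}

# decode_mode 750 -> rwxr-x---
decode_mode() {
    split_mode "$1"
    printf '%s%s%s\n' "$(digit_to_rwx "$U")" "$(digit_to_rwx "$G")" "$(digit_to_rwx "$O")"
}

# Read "<path> <octal mode>" lines on stdin, print one line per finding,
# and return 0 if the listing is clean or 1 if anything was flagged.
# On a live system the input can come from, e.g. (GNU stat):
#   find /path/to/yabb -type f -exec stat -c '%n %a' {} +
audit_modes() {
    findings=0
    while read -r path mode; do
        [ -n "$path" ] || continue
        split_mode "$mode"
        if [ "$O" != 0 ]; then
            echo "$path ($mode): 'other' has $(digit_to_rwx "$O"); a properly set up server needs none"
            findings=$((findings + 1))
        fi
        case "$G$O" in *[2367]*)
            echo "$path ($mode): group- or world-writable"
            findings=$((findings + 1)) ;;
        esac
        case "$path" in *.pl)
            case "$U" in [2367])
                echo "$path ($mode): script is owner-writable; the thread recommends 500 (or 550)"
                findings=$((findings + 1)) ;;
            esac ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample listing (not taken from any real server).
sample_listing() {
    printf '%s\n' \
        'YaBB.pl 755' \
        'Settings.pl 500' \
        'Members/admin.vars 600' \
        'Languages/English/Main.lng 444' \
        'Messages/1.txt 666'
}

# Stand-alone run: prints the five findings for the sample above.
sample_listing | audit_modes || echo "audit: findings flagged"
```

The audit reports the 'other' digit as a separate finding from writability, since JonB's suggestion (try 750 instead of 755, 550 instead of 555) is about removing 'Others' rights even where nothing is writable; `Settings.pl 500` and `Members/admin.vars 600` pass, while `YaBB.pl 755` is flagged twice (others can read and execute it, and the owner can overwrite the script).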