750 and 640
37 views
Skip to first unread message
john kirby
Apr 28, 2016, 5:43:04 PM4/28/16
to Joomla! General Development
Hey,
I was talking with a developer who isn't familiar with Joomla but is very well versed in security practices.
I mentioned that currently our sites have 755 for directory privs and 644 for files. He asked why we weren't using 750 and 640. Offhand I don't have a good answer for that. In my case, I'm using php-fpm so I can control what *nix user is running each site. The owners of the processes and the files completely line up. Should work just fine.
Looking at the joomla recommendations: "Depending on the security configuration of your Web server the recommended default permissions of 755 for directories and 644 for files should be reasonably secure."
Seems like 750 and 640 is just tightening it up a bit more than "should be reasonably secure"
My question is - is there anything I'm not thinking of that would shoot this down? Obviously, our sites would still need to be tested with this fundamental a change but I can't think of anything initially that shoots this down. Ownership of the processes and files should be overridden by anything within Joomla or its extensions.
Thanks
I was talking with a developer who isn't familiar with Joomla but is very well versed in security practices.
I mentioned that currently our sites have 755 for directory privs and 644 for files. He asked why we weren't using 750 and 640. Offhand I don't have a good answer for that. In my case, I'm using php-fpm so I can control what *nix user is running each site. The owners of the processes and the files completely line up. Should work just fine.
Looking at the joomla recommendations: "Depending on the security configuration of your Web server the recommended default permissions of 755 for directories and 644 for files should be reasonably secure."
Seems like 750 and 640 is just tightening it up a bit more than "should be reasonably secure"
My question is - is there anything I'm not thinking of that would shoot this down? Obviously, our sites would still need to be tested with this fundamental a change but I can't think of anything initially that shoots this down. Ownership of the processes and files should be overridden by anything within Joomla or its extensions.
Thanks
Hannes Papenberg
Apr 29, 2016, 3:57:09 AM4/29/16
to joomla-de...@googlegroups.com
There is no real benefit in using 750 or 640 over 755 and 644. Going
that route, you would have to use 500 and 400 to really achieve
additional security. However, we are also lacking infos about your
setup. By several orders of magnitude the most attacks are done through
PHP, not through other attack surfaces (FTP, hacking the hosters
webinterface) and that means that as long as the owner of the files is
also the user of the PHP processes, there is no difference for a hacker
between 777, 755, 750 or 700 for a folder. If the owner of the files is
the FTP user and the PHP user is a different one, but in the same group,
there is also no difference between 755 and 750. If they are not in the
same group, then there is one, but then your site wouldn't work, since
PHP could not read the files.
Long story short: For a default setup, there is nothing that would
prevent you from using 750 and 640, but it also makes no difference at
all either.
Hannes
that route, you would have to use 500 and 400 to really achieve
additional security. However, we are also lacking infos about your
setup. By several orders of magnitude the most attacks are done through
PHP, not through other attack surfaces (FTP, hacking the hosters
webinterface) and that means that as long as the owner of the files is
also the user of the PHP processes, there is no difference for a hacker
between 777, 755, 750 or 700 for a folder. If the owner of the files is
the FTP user and the PHP user is a different one, but in the same group,
there is also no difference between 755 and 750. If they are not in the
same group, then there is one, but then your site wouldn't work, since
PHP could not read the files.
Long story short: For a default setup, there is nothing that would
prevent you from using 750 and 640, but it also makes no difference at
all either.
Hannes
Dietrich Streifert
May 10, 2016, 9:36:08 AM5/10/16
to joomla-de...@googlegroups.com
It may be that an unprivileged user, not being the user php or the
webservers is running as, is able to read sensitive files of your joomla
installation like configuration.php if using 755/644, thus stealing the
credentials to access the db server.
In this case it would help to at least to set configuration.php to 640.
Regards
Dietrich
Am 29.04.2016 um 09:57 schrieb 'Hannes Papenberg' via Joomla! General
Development:
webservers is running as, is able to read sensitive files of your joomla
installation like configuration.php if using 755/644, thus stealing the
credentials to access the db server.
In this case it would help to at least to set configuration.php to 640.
Regards
Dietrich
Am 29.04.2016 um 09:57 schrieb 'Hannes Papenberg' via Joomla! General
Development:
brian teeman
May 10, 2016, 9:42:36 AM5/10/16
to Joomla! General Development
On Tuesday, 10 May 2016 14:36:08 UTC+1, level420 wrote:
It may be that an unprivileged user, not being the user php or the
webservers is running as, is able to read sensitive files of your joomla
installation like configuration.php if using 755/644, thus stealing the
credentials to access the db server.
In this case it would help to at least to set configuration.php to 640.
If anyone is ever in the position to read that file the permissions is the least of your problems
Reply all
Reply to author
Forward
0 new messages