Permissions
  • I've done some testing and have discovered that only the fp-content directory needs permissions of 0777 and that by default FlatPress can write 0755 and 0644 by default inside the directory just fine, so the permissions settings in defaults.php should be changed to 0755 and 0644 for security, as writing inside the directory at 0777 is not necessary. I'm curious as to why this choice was made to read and write globally by default. I haven't done it yet but I imagine that the fp-content directory could be created dynamically during setup and chmodded accordingly to keep things as simple as possible for the user.
  • I've managed to get this working on the very first release of FlatPress that I've been playing with. Was easy to implement for Linux and I have no interest in Windows support so I didn't even bother testing that way. Simple to implement and now I'm wondering why this hasn't been done to date. No need to bother the user with install instructions other than filling in the form fields for the required data.
  • Under many shared hosts, the webserver user and the FTP user do not match; thus, unless the permissions are 0777 for both, it is not possible to download/backup/read the files that the web process writes using FTP access. Besides, security in this context is not that much of a concern, considering most shared hosts (where FlatPress usually runs) are chrooted environments.
  • I've been on several shared hosts over the years and have never had problems of this nature before. If the hosting permissions and ownership are set up the right way this would cause no issues or problems whatsoever, even on the free hosts. It seems to me that the issue would be one of bad hosting, and in my opinion the permissions should never be set to 777 recursively as it would cause an issue with code injection and the contents of the blog users' files being available as world writable. I haven't tested any of this as I'm not a security expert by any means but I'm sure if I did that the files could be messed without any significant effort. I see no problem with the content directory being world writable as long as the subdirectories and files are chmod 755 and 644 respectively, which is how I tested. The host I tested this on has the FTP user as me and the server user as nobody, so I don't see how this would be any different for anyone else other than a grossly misconfigured server which would probably not be supported by anyone's software when it came to tech support.
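
The layout debated in this thread (a world-writable top-level content directory with 0755 directories and 0644 files beneath it) can be checked and enforced from a shell. This is an added example, not code from any poster or from FlatPress; the function names and the sample tree are constructed for illustration, and `find` is assumed to support `-mindepth` (GNU, BSD and BusyBox do).

```shell
#!/bin/sh
# Added example: audit and tighten modes below a FlatPress-style content
# directory. Policy taken from the thread: the top-level directory may stay
# world-writable; everything beneath it is 0755 (dirs) or 0644 (files).

# Print every entry below $1 (not $1 itself) with the world-write bit set.
# Symlinks are skipped because their own mode bits are not meaningful.
audit_world_writable() {
    find "$1" -mindepth 1 ! -type l -perm -0002 -print | sort
}

# Reset world-writable entries below $1 to 0755 / 0644; $1 is left alone.
tighten_content() {
    find "$1" -mindepth 1 -type d -perm -0002 -exec chmod 0755 {} \;
    find "$1" -mindepth 1 -type f -perm -0002 -exec chmod 0644 {} \;
}

# Build a constructed sample tree (names are illustrative, not FlatPress's
# real layout) and print its path.
build_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/content"
    printf 'sample\n' > "$root/content/entry.txt"
    printf 'sample\n' > "$root/content/ok.txt"
    chmod 0777 "$root" "$root/content"
    chmod 0666 "$root/content/entry.txt"
    chmod 0644 "$root/content/ok.txt"
    printf '%s\n' "$root"
}

# Typical use against a real install (path is a placeholder):
#   audit_world_writable /path/to/fp-content
#   tighten_content /path/to/fp-content
```

Files the web process creates after tightening still follow its own creation mode and umask, so rerun the audit after the blog has written new content.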