Write permissions on files and folders - security risk


billiebob

  • 3 weeks later...

If I assume you're on shared hosting, then the extent of the risk will depend on the server configuration. Worst case is that anyone else who has a shared hosting account on the same server will be able to read/write your files at will.

In general you should set file and directory permissions to be as restrictive as possible, while still allowing your store to operate... the exact permissions you can use will depend on your server configuration.

Remember that files that do not need to be modified during the normal running of the store could be read-only for everyone...

Paul


"set file and directory permissions to be as restrictive as possible, while still allowing your store to operate.."
What folders and files? Can you write something more about it? This sounds like a serious problem.
Thank you for your reply.


Similar issue if I may cut in.

I'm doing some FO language translations for modules. The process is held up because of the language file permissions, which need to be CHMOD 777.

That's an awful lot of files in an awful lot of modules to change the permissions on.

How would security be affected if 'all' module directories, sub-directories and files were changed? It would be so much easier to change the CHMOD to 777 on them all.

Thanks.


FileZilla allows you to change a folder and all subfolders. It is a lot quicker than one by one in cPanel's file manager.

pb4sc


Agreed.

I use FileZilla. The problem I had was changing the permissions of only the language files from 644 to 777 in each module, and there's a lot of them.

In the end I just changed 'all' files in 'all' modules to 777, did the module translations and then changed them all back again. Still a bit time consuming, even with FileZilla.
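A way to check the "changed them all back again" step from the post above, as an added example that is not part of the original thread: a shell audit that lists anything still world-writable and resets it. The function names, the 644/755 targets and the exception-list argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit a store directory for world-writable entries
# (for instance files left at 777 after a translation session) and
# reset them. The 644/755 targets are assumptions; use whatever your
# host's configuration actually requires.
# Limitation: paths containing newlines are not handled.

# List every regular file or directory under $1 that "others" can write to.
# Symlinks are skipped because their own mode bits are not meaningful.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Reset world-writable entries under $1 to 644 (files) / 755 (directories).
# Any further arguments are paths to leave untouched, together with their
# contents, e.g. a cache directory the host really needs to be writable.
tighten_permissions() {
    root=$1; shift
    list_world_writable "$root" | while IFS= read -r path; do
        skip=0
        for keep in "$@"; do
            case "$path" in
                "$keep"|"$keep"/*) skip=1 ;;
            esac
        done
        [ "$skip" -eq 1 ] && continue
        if [ -d "$path" ]; then
            chmod 755 "$path"
        else
            chmod 644 "$path"
        fi
    done
}
```

Run `list_world_writable` on the store root first and read the list before calling `tighten_permissions`, so that any directory the shop genuinely needs writable can be passed as an exception.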

Even a single file or folder with 777 is "potentially" dangerous. I had bad experiences even with WordPress on previous hosters. I know that with some hosters you can't use PrestaShop without leaving something set at 777, especially the directory with Smarty compiler files.

A safely configured shared hoster will not even allow you to set a public 777; you should get a better shared server with suPHP or suEXEC installed (or ask your hoster to install them). Such extensions see you as "owner" once you install the scripts, so they run smoothly without the need to set anything with public permissions.


  • 9 months later...

I just checked with my host provider and they told me that suExec and suPHP are installed and the host recognizes me as the user. However, PrestaShop continues to ask that I set several folders to 777. Is that normal? Anyone know about this?
