Announcement

  •  » Requests
  •  » Security: Please do NOT make directories and db access info 777 !!!

#1 2013-08-19 18:24:29

GOPIWI
Member
2013-08-19
27

Security: Please do NOT make directories and db access info 777 !!!

Hi,

I see these directories and subdirectories in there are 777 by default (I downloaded the full installation package):

_data
local
upload

Especially I freaked on seeing the file local/config/database.inc.php not beeing only world readable, what would be bad enough, but also world writeable after the installation process! BIG problem!

Please, guys, piwigo looks really nice, but these are the typical php dev fails from the last decade we are really tired to see!

If you would like to make the install process easy for users and this is the reason for making such sensible information world readable and writable, then you are following a wrong path here: it does not make things more simple for users when you leave them with an easy to exploit set of php scripts on their servers!

Alternative would be to add some chmod to the installation routine or at least add some big red instructions on the screen after installation on how to secure their piwigo install.

The current practice of leaving these files world writable is very dangerous and should be changed asap.

Thanks,
John

Offline

 

#2 2013-08-19 18:48:04

Eric
Piwigo Team
VALENCE (FR)
2005-03-25
1768

Re: Security: Please do NOT make directories and db access info 777 !!!

Hi GOPIWI,

777 access permission on these files / folders don't come from Piwigo package but from a possible misconfiguration of your server. On all my galleries, local/config/database.inc.php is 644 and not 777 !

Please, check your hosting settings to fix this.

Offline

 

#3 2013-08-19 18:48:25

mistic100
Former Piwigo Team
Lyon (FR)
2008-09-27
3271

Re: Security: Please do NOT make directories and db access info 777 !!!

I read everywhere it's a security issue but never heard of an exploit based on this

because when you says "the world", it's actually "the server" (and it's users), so it's very limited
so before you must be granted as authenticated user by the server, this is where is the real security deal

http://www.simplemachines.org/community … pic=2987.0

I admit it's not ideal, but it's NOT a security problem

Offline

 

#4 2013-08-19 19:01:34

GOPIWI
Member
2013-08-19
27

Re: Security: Please do NOT make directories and db access info 777 !!!

Hi Eric,

Eric wrote:

777 access permission on these files / folders don't come from Piwigo package but from a possible misconfiguration of your server. On all my galleries, local/config/database.inc.php is 644 and not 777 !

just do this:

Code:

wget -O piwigo.zip http://piwigo.org/download/dlcounter.php?code=latest
unzip piwigo.zip
ls -l piwigo/local

as you can see, in the distribution package these directories are 777.

Please check, thanks.

Thanks for your attention,
John

Offline

 

#5 2013-08-19 19:12:58

mistic100
Former Piwigo Team
Lyon (FR)
2008-09-27
3271

Re: Security: Please do NOT make directories and db access info 777 !!!

I think Zip doesn't store exec flags
it's 777 because unzip is configured to extract in 777 mode

users with a shared host will always use FTP where chmod is redefined when uploading, users with dedicated servers should know they must define a proper chmod and chown in order to use the software

when using netinstall, files are unzipped by PHP, so if the server is well configured, chmod is 755 for directories and 644 for files

Offline

 

#6 2013-08-19 19:23:52

flop25
Piwigo Team
2006-07-06
6918

Re: Security: Please do NOT make directories and db access info 777 !!!

as already said :
- 777 is not mandatory
- 777 is not a security flaw


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website

Offline

 

#7 2013-08-19 19:31:43

mistic100
Former Piwigo Team
Lyon (FR)
2008-09-27
3271

Re: Security: Please do NOT make directories and db access info 777 !!!

mistic100 wrote:

I think Zip doesn't store exec flags

actually I'm sure Zip doesn't store exec flags, it's dependant of the filesystem
simple example : Windows, there is not chmod/chown on NTFS filesystem

even if Zip would store chmod you should never rely on, just imagine toworrow I do myself a release of Piwigo, I only have a Windows system, what would be the chmod for Linux users ?

Offline

 

#8 2013-08-19 19:45:24

GOPIWI
Member
2013-08-19
27

Re: Security: Please do NOT make directories and db access info 777 !!!

Hi,

mistic100 wrote:

it's 777 because unzip is configured to extract in 777 mode

how would you configure unzip "to extract in 777 mode" certain directories and others not?

Unzip preserves permissions - as can be seen with the other directories in the distributed zip, which are not 777.

For the "777 not a security problem" - one question for you to meditate about:
why modern multi-user operating systems do have user separation as a built in feature at all?

Hint: shared hosting is a reality. on most linux machines > 1 users / processes are active.

But I certainly do not want to discuss this, I just wanted to indicate that it might be good to double check distributed content and programmatically check permissions at the end of install procedure, like most php developers are doing it nowadays.


Anyway, have a nice day,
John

Offline

 

#9 2013-08-19 19:50:29

GOPIWI
Member
2013-08-19
27

Re: Security: Please do NOT make directories and db access info 777 !!!

mistic100 wrote:

when using netinstall, files are unzipped by PHP, so if the server is well configured, chmod is 755 for directories and 644 for files

so config files with db access info is still world readable?

Two last questions please:

Are you the person responsible in the piwigo team for packaging of the distributed package?

Do you have some dedicated security person on the team?

Thanks,
John

Offline

 

#10 2013-08-19 19:54:02

flop25
Piwigo Team
2006-07-06
6918

Re: Security: Please do NOT make directories and db access info 777 !!!

... like others CMS We didn't invented the wheel

and no one is responsible of anything, just people with different level of access

Pierrick (plg on the forum), the founder, will certainly be happy to discuss that with you. You can contact him


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website

Offline

 

#11 2016-06-13 02:13:03

potuz
Guest

Re: Security: Please do NOT make directories and db access info 777 !!!

I am now starting with piwigo and just was about to post on the same issue 3 years later. This is indeed a security issue, I do not want any user with shell access to my server to have write acess to these files, this is ridiculous. The same directories are still being packaged as 777 and I think this is a very simple issue to be resolved.  Instead of insisting that this is not a security issue, even if you think it is not, wouldn't it be easier just to make sure that these directories are delivered as 644?

three years after the original poster and I am finding the very same directories with these permissions.

 

#12 2016-06-13 02:37:44

potuz
Guest

Re: Security: Please do NOT make directories and db access info 777 !!!

potuz wrote:

wouldn't it be easier just to make sure that these directories are delivered as 644?

And more importantly, files with the mysql passwd should certainly be delivered o-r!

 
  •  » Requests
  •  » Security: Please do NOT make directories and db access info 777 !!!

Board footer

Powered by FluxBB

github twitter facebook google+ newsletter Donate Piwigo.org © 2002-2019 · Contact