Hello/Hi/Greetings,
The install worked OK. However, I have a few concerns.
First is - some folders need permission 777. Isn't that a bit dangerous?
Second question - I have an idea to upload pictures via the Areca backup program using sFTP. Can Piwigo scan those folders and subfolders and then automatically add images to the album?
Third question - there are a couple of size options for the picture. Does that mean Piwigo creates one picture for each size? Would that increase the amount of server space needed?
Piwigo version: 2.7.4
PHP version:
MySQL version:
Piwigo URL: http://
Offline
Hello,
this is still relevant [Forum, post 145467 by GOPIWI in topic 22575] Security: Please do NOT make directories and db access info 777 !!!
Offline
You don't need 777 for the whole PWG install.
Like every web app, you need to give permission to the webserver user to write data.
To fully control PWG via the web GUI:
# chmod -R 777 _data local upload themes plugins galleries
If you prefer to handle your plugins, themes and galleries (FTP/SSH/SYNC) and your config, then you only need
# chmod -R 777 _data
Or to be more specific, where "www-data" is the webserver user.
# chown -R www-data:www-data _data && chmod -R 755 _data
Offline
I see. This explains it then: .
If you have your attachments directory chmodded to 777 but its parent to 770 then they will not be able to do this as they will not be able to reach the parent.
What about my 3rd question:
Third question - there are a couple of size options for the picture. Does that mean Piwigo creates one picture for each size? Would that increase the amount of server space needed?
I plan to use it mostly as a means of watching & sharing backed up pictures.
Offline
PWG will create the picture for each size on demand. So yes, in the long term, it would increase the storage size on your server. You can safely remove those files if you want via the PWG admin portal. 'Tools' -> 'Maintenance' -> 'Delete multiple size images'. The files are stored in _data/i/
Offline
I would like to follow on the 777 permission in this thread. Let me know if I need to start a new one.
Recently I have received this alert from my hosting provider:
*****
Hello,
We have recently scanned one or more users on your DreamHost account for potential security threats.
We have identified attacker-added malicious content, which may include malware such as backdoor shells, adware, botnet, and spammer scripts.
Specifically the following file(s) have been identified as attacker-added malware and have been DISABLED (chmod 200):
/home/ottawastockimages/ottawastockimages.com/iva.php
/home/ottawastockimages/ottawastockimages.com/njk.php
/home/ottawastockimages/ottawastockimages.com/tyx.php
/home/ottawastockimages/ottawastockimages.com/admin/include/uploadify/sitemap.php
The following files/directories had insecure permissions (777), which have been remediated.
/home/ottawastockimages/ottawastockimages.com/upload/2013/09/10
/home/ottawastockimages/ottawastockimages.com/upload/2013/09/11
/home/ottawastockimages/ottawastockimages.com/upload/2013/09/12
/home/ottawastockimages/ottawastockimages.com/upload/2013/09/20
/home/ottawastockimages/ottawastockimages.com/upload/2013/10
/home/ottawastockimages/ottawastockimages.com/upload/2013/10/05
/home/ottawastockimages/ottawastockimages.com/upload/2013/10/06
/home/ottawastockimages/ottawastockimages.com/upload/2013/10/23
/home/ottawastockimages/ottawastockimages.com/upload/2013/10/26
/home/ottawastockimages/ottawastockimages.com/upload/2013/11
The above is a partial list. A complete list can be found in the file named '/home/ottawastockimages/ottawastockimages.com/bad-directory-permissions-list-1442418384.txt' located at the base of the user.
IMPORTANT NOTE: One or more of your users has been found to have a file or directory with fully open '777' permissions. This allows full read, write, and execute access to everyone on the server. This makes your site vulnerable because if there is another user on your server that is hacked or malicious they could be looking to exploit other users with improper permissions. You should always use the default '755' permissions setting for directories, and '644' for files. The directories/files listed below have been reset to these values, but you must keep this in mind going forward in case this was a point of intrusion.
***
Apparently it is not a server, but rather an installation related problem. How can we deal with this 777 permission issue?
And what should I do now with this specific case to clean up the trouble?
Thank you.
Offline
Nobody seems to be interested in the 777 permission problems.
Since I have not received any suggestions on the forum, I decided to go on my own and changed all the existing directory 777 permissions to 755. I figured it may be worth a risk. The site is still working, but underneath all the images I can read a nicely centered message:
*********************
Warning: [mysql error 144] Table './ottawastockimages_com_1/piwigo_history' is marked as crashed and last (automatic?) repair failed
INSERT INTO piwigo_history
(
date,
time,
user_id,
IP,
section,
category_id,
image_id,
image_type,
tag_ids
)
VALUES
(
CURRENT_DATE,
CURRENT_TIME,
2,
'24.140.229.51',
'categories',
NULL,
NULL,
NULL,
NULL
)
; in /home/ottawastockimages/ottawastockimages.com/include/dblayer/functions_mysqli.inc.php on line 830
*********************************
The message disappears after I login successfully.
Now it looks like I either have to go back and change some permissions to 777 and let my site get hacked again, or to let my visitors enjoy the "crashed" warning.
D'accord, monsieurs, what do we do?
Offline
1. Said many times: 777 is not needed, 755 for directories (_data, galleries, upload, local, plugins) and 644 for files
2. Your SQL error has nothing to do with the file permissions
See [Forum, topic 25981] Piwigo "Maintenance" not repairing database :-( for solution (and many others)
Oh, and on a side note: 777 is not a security breach in itself; if you got hacked then you have a problem in one of your scripts
http://www.simplemachines.org/community … pic=2987.0
Offline
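The 755/644 advice in the reply above, as an added shell example that is not part of the original thread or of Piwigo's own tooling: it reports world-writable entries in the five directories named there and which of them the web server user does not own (with 755, only the owner can write). The script arguments, the function names and the `www-data` default are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit a Piwigo tree for 777-style permissions.
# Usage (assumed): sh audit.sh /path/to/piwigo [webserver-user]

# Print every file or directory writable by "other" (what 777/666 grants).
# Symlinks are skipped because their own mode bits are not meaningful.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Number of world-writable entries under a path; 0 means none were found.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Print entries NOT owned by the given user (name or numeric uid).
# With mode 755 the web server can only write where it is the owner.
not_owned_by() {
    find "$2" ! -user "$1" -print
}

# Reset a tree to 755 for directories and 644 for files.
normalize_modes() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Report only; nothing is changed unless normalize_modes is called.
if [ -n "${1:-}" ]; then
    for d in _data galleries upload local plugins; do
        [ -d "$1/$d" ] || continue
        echo "$d: $(count_world_writable "$1/$d") world-writable entries"
        not_owned_by "${2:-www-data}" "$1/$d" | sed 's/^/  not owned by web user: /'
    done
fi
```

The report loop changes nothing; call `normalize_modes` on a directory only after reviewing its output, and make sure the web server user owns any directory Piwigo must write to.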
I have restored the DB. The message is still there. Please have a look when you have time: http://ottawastockimages.com.
It seems to me that the problem had started with me having changed the permissions. As I said, I have changed all the directory permissions to 755. Something went wrong. Hmmm...
Offline
Ok you restored it, but did you run "repair piwigo_history;" ?
Offline