
#1 2015-04-06 19:01:48

gregor3000
Member
2015-04-06
4

Why the 777 permissions are needed? Is that secure? And some other Q..

Hello/Hi/Greetings,

The install worked OK. However, I have a few concerns.

First is - some folders need permission 777. Isn't that a bit dangerous?

Second question - I have an idea to upload pictures via the Areca backup program using sFTP. Can Piwigo scan those folders and subfolders and then automatically add images to the album?

Third question - there are a couple of size options for the picture. Does that mean Piwigo creates one picture for each size? Would that increase the amount of server space needed?


Piwigo version: 2.7.4
PHP version:
MySQL version:
Piwigo URL: http://

Offline

 

#2 2015-04-08 23:38:38

flop25
Piwigo Team
2006-07-06
7037

Re: Why the 777 permissions are needed? Is that secure? And some other Q..


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website

Offline

 

#3 2015-04-09 11:22:32

xbgmsharp
Member
1970-01-01
215

Re: Why the 777 permissions are needed? Is that secure? And some other Q..

You don't need 777 for the whole PWG install.
Like every web app, you need to give permission to the webserver user to write data.

To fully control PWG via the web GUI:

Code:

# chmod -R 777 _data local upload themes plugins galleries

If you prefer to handle your plugins, themes and galleries (FTP/SSH/SYNC) and your config, then you only need

Code:

# chmod -R 777 _data

Or to be more specific, where "www-data" is the webserver user.

Code:

# chown -R www-data:www-data _data && chmod -R 755 _data

Offline

 

#4 2015-04-10 11:54:11

gregor3000
Member
2015-04-06
4

Re: Why the 777 permissions are needed? Is that secure? And some other Q..

I see. This explains it then: .

If you have your attachments directory chmodded to 777 but its parent to 770 then they will not be able to do this as they will not be able to reach the parent..

What about my 3rd question:

Third question - there are a couple of size options for the picture. Does that mean Piwigo creates one picture for each size? Would that increase the amount of server space needed?


I plan to use it mostly as a means of watching & sharing backed up pictures.

Offline

 

#5 2015-04-13 11:57:34

xbgmsharp
Member
1970-01-01
215

Re: Why the 777 permissions are needed? Is that secure? And some other Q..

PWG will create the picture for each size on demand. So yes, in the long term, it would increase the storage size on your server. You can safely remove those files if you want via the PWG admin portal: 'Tools' -> 'Maintenance' -> 'Delete multiple size images'. The files are stored in _data/i/

Offline

 

#6 2015-09-25 17:12:35

faqvideo
Member
2012-01-21
114

Re: Why the 777 permissions are needed? Is that secure? And some other Q..

I would like to follow up on the 777 permission in this thread. Let me know if I need to start a new one.

Recently I have received this alert from my hosting provider:

*****

Hello,

We have recently scanned one or more users on your DreamHost account for potential security threats.

We have identified attacker-added malicious content, which may include malware such as backdoor shells, adware, botnet, and spammer scripts.

Specifically the following file(s) have been identified as attacker-added malware and have been DISABLED (chmod 200):

/home/ottawastockimages/ottawastockimages.com/iva.php
/home/ottawastockimages/ottawastockimages.com/njk.php
/home/ottawastockimages/ottawastockimages.com/tyx.php
/home/ottawastockimages/ottawastockimages.com/admin/include/uploadify/sitemap.php

The following files/directories had insecure permissions (777), which have been remediated.

/home/ottawastockimages/ottawastockimages.com/upload/2013/09/10
/home/ottawastockimages/ottawastockimages.com/upload/2013/09/11
/home/ottawastockimages/ottawastockimages.com/upload/2013/09/12
/home/ottawastockimages/ottawastockimages.com/upload/2013/09/20
/home/ottawastockimages/ottawastockimages.com/upload/2013/10
/home/ottawastockimages/ottawastockimages.com/upload/2013/10/05
/home/ottawastockimages/ottawastockimages.com/upload/2013/10/06
/home/ottawastockimages/ottawastockimages.com/upload/2013/10/23
/home/ottawastockimages/ottawastockimages.com/upload/2013/10/26
/home/ottawastockimages/ottawastockimages.com/upload/2013/11
The above is a partial list. A complete list can be found in the file named '/home/ottawastockimages/ottawastockimages.com/bad-directory-permissions-list-1442418384.txt' located at the base of the user.

IMPORTANT NOTE: One or more of your users has been found to have a file or directory with fully open '777' permissions. This allows full read, write, and execute access to everyone on the server. This makes your site vulnerable because if there is another user on your server that is hacked or malicious they could be looking to exploit other users with improper permissions. You should always use the default '755' permissions setting for directories, and '644' for files. The directories/files listed below have been reset to these values, but you must keep this in mind going forward in case this was a point of intrusion.

***

Apparently it is not a server, but rather an installation related problem. How can we deal with this 777 permission issue?

And what should I do now with this specific case to clean up the trouble?

Thank you.

Offline

 

#7 2015-10-11 19:16:25

faqvideo
Member
2012-01-21
114

Re: Why the 777 permissions are needed? Is that secure? And some other Q..

Nobody seems to be interested in the 777 permission problems.

Since I have not received any suggestions on the forum, I decided to go on my own and changed all the existing directory 777 permissions to 755. I figured it may be worth a risk. The site is still working, but underneath all the images I can read a nicely centered message:

*********************

Warning:  [mysql error 144] Table './ottawastockimages_com_1/piwigo_history' is marked as crashed and last (automatic?) repair failed

INSERT INTO piwigo_history
  (
    date,
    time,
    user_id,
    IP,
    section,
    category_id,
    image_id,
    image_type,
    tag_ids
  )
  VALUES
  (
    CURRENT_DATE,
    CURRENT_TIME,
    2,
    '24.140.229.51',
    'categories',
    NULL,
    NULL,
    NULL,
    NULL
  )
; in /home/ottawastockimages/ottawastockimages.com/include/dblayer/functions_mysqli.inc.php on line 830

*********************************

The message disappears after I log in successfully.

Now it looks like I either have to go back and change some permissions to 777 and let my site get hacked again, or to let my visitors enjoy the "crashed" warning.

D'accord, monsieurs, what do we do?

Offline

 

#8 2015-10-11 19:25:46

mistic100
Former Piwigo Team
Lyon (FR)
2008-09-27
3277

Re: Why the 777 permissions are needed? Is that secure? And some other Q..

1. Said many times: 777 is not needed, 755 for directories (_data, galleries, upload, local, plugins) and 644 for files

2. Your SQL error has nothing to do with the file permissions
see [Forum, topic 25981] Piwigo "Maintenance" not repairing database :-( for solution (and many others)

Oh, and on a side note: 777 is not a security breach in itself; if you got hacked then you have a problem in one of your scripts
http://www.simplemachines.org/community … pic=2987.0

Offline
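
The 755-for-directories, 644-for-files layout described in this thread, as an added example that is not part of any post and not Piwigo's own tooling: a shell audit that lists world-writable entries under the directories the posts name and can reset them. The function names and the rule that upload/ should contain no PHP files are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Directory names are the ones the posts mention.
PIWIGO_DIRS="_data galleries upload local plugins themes"

# Print every file or directory under those dirs that is world-writable
# (the "other" write bit, which is what 777 turns on).
list_world_writable() {
    root=$1
    for d in $PIWIGO_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" \( -type d -o -type f \) -perm -0002 -print
    done
}

count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Reset directories to 755 and regular files to 644. Symlinks are left alone.
reset_permissions() {
    root=$1
    for d in $PIWIGO_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type d -exec chmod 755 {} +
        find "$root/$d" -type f -exec chmod 644 {} +
    done
}

# Assumption: upload/ should hold only media, so any PHP file there needs review.
list_php_under_upload() {
    [ -d "$1/upload" ] || return 0
    find "$1/upload" -type f -iname '*.php*' -print
}

# Report only when given an install path; call reset_permissions yourself
# after reading the report.
if [ "$#" -gt 0 ]; then
    list_world_writable "$1"
    list_php_under_upload "$1"
fi
```

After a reset to 755/644 the web server can only write where it owns the files, which is what the chown line in post #3 arranges for _data.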

 

#9 2015-10-11 19:56:11

faqvideo
Member
2012-01-21
114

Re: Why the 777 permissions are needed? Is that secure? And some other Q..

I have restored the DB. The message is still there. Please have a look when you have time: http://ottawastockimages.com.

It seems to me that the problem had started with me having changed the permissions. As I said, I have changed all the directory permissions to 755. Something went wrong. Hmmm...

Offline

 

#10 2015-10-11 20:05:20

mistic100
Former Piwigo Team
Lyon (FR)
2008-09-27
3277

Re: Why the 777 permissions are needed? Is that secure? And some other Q..

Ok you restored it, but did you run "repair piwigo_history;" ?

Offline

 
