• expertn00b

    (@expertn00b)


    What should the permissions settings be for the wp-content folder and below that? I can see my upload folder from the web, which I don’t want people to see. Is that right?

Viewing 15 replies - 1 through 15 (of 16 total)
  • Phil

    (@owendevelopment)

    We always set our wp-content folder to chmod 755.

    Thread Starter expertn00b

    (@expertn00b)

    What about upload? Doesn’t that mean everyone in the world can read that, but not write? Is that ‘safe’?

    Phil

    (@owendevelopment)

    Try 755, but for some reason, some servers cause a failure when uploading. If you change to 755 and all is well, keep it, otherwise you may need 777.

    Thread Starter expertn00b

    (@expertn00b)

    Thanks. 777 should never be done under any circumstances, cos that is like spreading your legs for the Polish hackers.

    Clayton James

    (@claytonjames)

    I can see my upload folder from the web, which I don’t want people to see. Is that right?

    Yes and no. It needs to be accessible to everyone on the web in order to serve content. Its contents are only viewable because you aren’t restricting casual directory browsing with “Options -Indexes” in your .htaccess.

    Thanks. 777 should never be done under any circumstances, cos that is like spreading your legs for the Polish hackers.

    I think that could be a fairly misrepresentative statement all the way around.

    You may also want to be aware of permissions in a shared server environment. You could be more susceptible to poisoning from compromised accounts on your own server than from the web if shared server user permissions aren’t correct. Correct file ownership is just as important.

    Thread Starter expertn00b

    (@expertn00b)

    oar white 😉

    Well, 777 does this to your permissions:

    rwxrwxrwx

    which means the owner and the group and everyone else can all read, write and execute this file. If you then go and start recursively 777’ing everything, it can’t be good 🙂 If I can start writing to a directory on your server then that opens up possibilities. Say privilege escalation, XSS stuff, gawd knows what. I think that’s the worst thing you could possibly do, potentially.

    Also, in my experience shared server stuff is so crap, if you wanted to do malicious stuff – it would be quite easy. I’m on Dreamhost (not because I want to be 🙂 and I’ve encountered quite a few interesting things, including being able to read how every user on the machine logs on, ftp, shell or whatever; whether they have mail accounts; what their login is; all the scripts in the root directory for backups and the backups themselves, including database backups, completely open etc etc etc 🙂 Heh, once they left ‘root’ open and I could download other people’s database backups, which I promptly did and sent to them for full embarrassment 🙂

    Clayton James

    (@claytonjames)

    Well, good for you, knowin’ and showin’ us all of that “hacky” stuff! Sounds like you got it pretty well covered!

    I can see my upload folder from the web, which I don’t want people to see. Is that right?

    Did I mention you overlooked preventing casual browsing of your directories by simply placing Options -Indexes in your .htaccess file?

    🙂

    Thread Starter expertn00b

    (@expertn00b)

    Heh, not really, it’s a never ending subject 😉 I did work as a penetration tester once, but I was crap and they fired me, so that shows how good I am 🙂

    Directory listing doesn’t stop the file being accessible if you know where it is though, does it? You could probably work that out from other clues on the site… still, you still need a login or some way of writing to the file to be able to exploit the server or the wordpress install.

    I couldn’t figure out why wordpress allowed that whole folder to be accessible, but I guess it’s just got to be that way, not sure. The web server group has to be able to write to the folder to enable wp to upload, I think, but still – I don’t necessarily want everyone to be able to access those files.

    The other thing that is a possible stumbling block is having wp ecommerce installed and then recursive chmodding the uploads folder, which would mean the wpsc folder would be open to having a look, which would mean your downloadable files which people are supposed to buy would be free, assuming you knew the file name… Dunno what other can of worms that would open… I’ve seen a load of people on here going ‘oh my upload doesn’t work’ – right then chmod -R 777 upload/ – DOH! 🙂

    Clayton James

    (@claytonjames)

    I did work as a penetration tester once, but I was crap and they fired me, so that shows how good I am

    I can honestly say I probably would have never guessed that.

    Directory listing doesn’t stop the file being accessible if you know where it is though, does it?

    I’ve always thought that could actually be sort of a convenience, if you find yourself in a position where you might want a web browser to display those resources to others.

    recursive chmodding the uploads folder

    How does that work? What’s the “recursive” thing mean?

    your downloadable files which people are supposed to buy would be free, assuming you knew the file name.

    You mean people could just download my photos and stuff that I have for sale without even paying for it!?

    Thread Starter expertn00b

    (@expertn00b)

    I can honestly say I probably would have never guessed that.

    Not sure if that’s sarcastic or not 🙂

    How does that work? What’s the “recursive” thing mean?

    chmod -R 777 [folder] – means make everything in this folder and in every folder below it permission 777. i.e. legs open 😉

    You mean people could just download my photos and stuff that I have for sale without even paying for it!?

    Well, a good test is trying the download link you send out without paying 🙂 Dunno what cart you are using, but I used the mess that is wp ecommerce for about two weeks, and chmodding the uploads folder would certainly do that.

    Clayton James

    (@claytonjames)

    I guess I must tend to be a little more linear – admittedly even downright myopic sometimes </irony> – in my thinking.

    After a fresh install my normal M.O. is to cd to the web root and chmod my wordpress directory to 0750. Then I’ll chown -R [username]:[serveracct] the entire directory. Then I’ll hop right inside the directory itself and run:

    find . -type f -exec chmod 644 {} \;

    find . -type d -exec chmod 755 {} \;

    …against the newly uploaded contents.

    That ensures from the onset of a new installation that all of my files and directories are owned by my user account and group owned by the account the server runs under. The next step (for me) is to immediately upload an image to the media library. This usually means temporarily making /wp-content writable so wordpress can create the uploads directory for me. Once the upload directory is created, I chmod /wp-content back to 0755. From that point forward (if I remember correctly), I believe the most relaxed the permissions on the upload (and upload/sub-directories, when I use them), directory has ever been is 0775. I guess there might be an upload directory or two at 0777, but I don’t have any reason to worry about it. Every other directory is 0755, and files are all 644 on the norm. (permissions in shared environments may vary here and there)

    Not sure if that’s sarcastic or not 🙂

    I might truly feel hurt by that sentiment, if I didn’t already think that you were probably the type of guy who isn’t afraid to say what-ever he wants to who-ever he wants, ignore who-ever isn’t relevant to your own interests, and only show respect to people who have earned it! But yeah… You’re just preachin’ to the choir, mate.

    I’ve been jammin’ ‘ya all along. But no worries! It doesn’t mean I can’t learn something from you, or that I don’t respect your opinions!!

    Best wishes!

    🙂

    Thread Starter expertn00b

    (@expertn00b)

    I might truly feel hurt by that sentiment, if I didn’t already think that you were probably the type of guy who isn’t afraid to say what-ever he wants to who-ever he wants, ignore who-ever isn’t relevant to your own interests, and only show respect to people who have earned it! But yeah… You’re just preachin’ to the choir, mate.

    I’ve been jammin’ ‘ya all along. But no worries! It doesn’t mean I can’t learn something from you, or that I don’t respect your opinions!!

    /me scratches head 🙂
    Really confused now. What does jamming mean? Having me on?
    Seems you’ve been reading my other posts 🙂
    Yeah, I’m not very polite when people aren’t polite to me, and I couldn’t give a monkey’s uncle whether people like what I say or not. This is true 🙂 I’ve been thrown off of practically every forum I’ve ever been on for swearing. It’s great, I’m awesome!
    That’s much more of a decent permissions situation, people should take note, thanks.

    Thread Starter expertn00b

    (@expertn00b)

    btw, when I said penetration tester I meant male gigolo 😉
    joke, joke.

    Thread Starter expertn00b

    (@expertn00b)

    There should be a repair permissions script that checks and repairs your wordpress sheet. Is there already?

    What does jamming mean? Having me on?

    Yes. Sorry about that.. It’s a compulsive response to certain social stimuli for me sometimes. My apologies.

    I’ve been thrown off of practically every forum I’ve ever been on for swearing

    Well, I am a firm believer in upholding longstanding tradition, so if there’s anything I can do to help you out with that, let me know!

    It’s great, I’m awesome!

    You remind me of a young fella’ I taught a handful of speed riffs to a few years back. In his mind, he always heard himself shredding like Paul Gilbert, while in reality, everyone else in the room just heard him chopping away like Paul Bunyan. Ahhhh, now you’ve gone and made me nostalgic. Time to dust off the old Strat and see if the mains in the DeVille will still light.

    Off to find a pint or two. See ‘ya.
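The find/chmod baseline Clayton James lays out above and the "repair permissions script" expertn00b asks about, as an added shell example that nobody in this thread posted: it counts world-writable entries left behind by a recursive 777, resets files to 644 and directories to 755, and checks whether an uploads .htaccess sets Options -Indexes. The function names and the directory tree built in the comments are assumptions, not anything from WordPress itself.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# Audits a WordPress tree for the problems discussed above (world-writable
# entries left behind by "chmod -R 777", directory listing in uploads) and
# can reset the tree to the 644-file / 755-directory baseline.
# Assumes a POSIX shell with find(1), chmod(1) and grep(1).

# wp_perm_audit ROOT
# Counts files and directories under ROOT whose "other" write bit is set
# (octal mode -002), i.e. the 777-style permissions the thread warns about.
wp_perm_audit() {
    find "$1" -perm -002 \( -type f -o -type d \) -print | wc -l | tr -d ' '
}

# wp_perm_repair ROOT
# Applies the baseline from Clayton James's post: files 644, directories 755.
# Ownership (chown user:serveracct) is deliberately not touched here; it
# usually needs root and depends on how the host runs PHP.
wp_perm_repair() {
    find "$1" -type f -exec chmod 644 {} \;
    find "$1" -type d -exec chmod 755 {} \;
}

# wp_indexes_check DIR
# Succeeds (exit 0) when DIR/.htaccess contains an "Options ... -Indexes"
# line, which stops Apache from listing the directory's contents;
# fails (exit 1) when the file is missing or lacks that directive.
wp_indexes_check() {
    grep -qs '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess"
}

# Stand-alone usage: sh wp-perms.sh /path/to/wordpress [--repair]
if [ -n "${1:-}" ]; then
    echo "world-writable entries under $1: $(wp_perm_audit "$1")"
    wp_indexes_check "$1/wp-content/uploads" \
        || echo "wp-content/uploads/.htaccess does not set Options -Indexes"
    if [ "${2:-}" = "--repair" ]; then
        wp_perm_repair "$1"
    fi
fi
```

On hosts where PHP runs as a user other than the file owner, 644/755 is exactly what makes uploads fail (the symptom Phil mentions); the fix there is correct ownership or a group-writable 775 on uploads, as in Clayton's setup, not 777.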

  • The topic ‘correct permissions settings ?’ is closed to new replies.