
Cache folder security and rokgzipper

    • Tyson Mock
    • Jr. Rocketeer
    • Posts: 29
    • Thanks: 0
    • Technology Director

    Cache folder security and rokgzipper

    Posted 15 years 2 months ago
    • I've pored through documentation regarding file/folder permissions on Joomla and have made the following conclusions:

      If my web root is found in /var/www/html then I should set the following on "html":
      The command "ls -la" shows:
      drwxr-xr-x root root 4096 2010-02-01 10:43 html

      I go into "html" and issue the following commands:

      chown -Rf root:root *
      find . -type d -exec chmod 755 {} \;
      find . -type f -exec chmod 644 {} \;

      The command ensures root owns everything. The next command locks everything down ensuring all directories are read and execute for everyone and that all files are read only, as suggested by the Joomla Security team. The Apache daemon is running as user "apache". At this point, I believe our directory security is rock solid.

      I have moved the real configuration.php outside of the web root and created a link to it. This works fine as well.

      I turned on caching and enabled the rokgzipper plugin. Now, I have problems but this is to be expected as it requires caching and needs to be able to write to the cache directory. I know how to fix it though, I go to /var/www/html/ and execute the following command:

      I first tried "chmod 775 cache" and then "chown root:apache cache" but that didn't work for some reason. I had to make apache the owner of the folder so I did the following:

      chmod 755 cache
      chown apache:apache cache

      Now, everything works fine. The only problem I have is that everything I've read indicates that you should move all directories that require write access outside of the web root. The problem I have with this is that I can find nothing that explains how to move the "cache" folder outside of the web root. Also, I find many references to illustrate that you should never make directories write accessible to whatever user your apache server runs under.

      With all of this said, I know it has been asked a million times before, but what have you done to address this? Do you all just do what I have done and made your cache folder (and any other folder that requires write access) writable?

      Any thoughts on what I've done from a security perspective? Thanks for any feedback!!
    • Tyson Mock
      Technology Director
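As an added example (not code from the thread or from RocketTheme), the following script audits a web root against the scheme described in the post above: 644 files and 755 directories everywhere, with write access for the server's group allowed only inside an explicit allowlist such as cache. It checks mode bits only, since verifying root/apache ownership needs a root-owned tree; the directory names in the demo are constructed, and it assumes a POSIX find with symbolic -perm modes.

```shell
#!/bin/sh
# Audit a Joomla web root for write permissions that break the 644/755 scheme.
# Ownership is deliberately not checked: chown to root/apache requires root,
# so this script only inspects mode bits, which any user can reproduce.

# audit_webroot ROOT [ALLOWED_DIR ...]
# Prints one "REASON PATH" line per offender. Paths are assumed to contain no
# whitespace (the -path prune list is built by word splitting).
audit_webroot() {
    root=$1; shift
    prune=""
    for d in "$@"; do
        prune="$prune -path $root/$d -prune -o"
    done
    # Tier 1: anything writable by "other" is never acceptable, not even in cache.
    find "$root" -perm -o+w -print | sed 's/^/WORLD_WRITABLE /'
    # Tier 2: group-writable entries (e.g. root:apache with 775) are acceptable
    # only inside the allowlisted directories; everything else should be 644/755.
    # shellcheck disable=SC2086
    find "$root" $prune -perm -g+w ! -perm -o+w -print | sed 's/^/GROUP_WRITABLE /'
}

# demo: build a small constructed tree (not a real site) with one correct file,
# one permitted cache entry and two offenders, then return the offender count.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/html/cache" "$tmp/html/images" "$tmp/html/tmp"
    chmod 755 "$tmp/html" "$tmp/html/cache" "$tmp/html/tmp"
    : > "$tmp/html/index.php";  chmod 644 "$tmp/html/index.php"  # correct
    : > "$tmp/html/cache/a.gz"; chmod 664 "$tmp/html/cache/a.gz" # fine: inside cache
    chmod 777 "$tmp/html/images"                                  # offender: world-writable
    : > "$tmp/html/tmp/sess";   chmod 664 "$tmp/html/tmp/sess"   # offender: g+w outside allowlist
    audit_webroot "$tmp/html" cache | tee /dev/stderr | wc -l | tr -d ' '
    rm -rf "$tmp"
}
```

Run it against a live tree as `audit_webroot /var/www/html cache` after applying the find/chmod commands from the post; an empty report means only the allowlisted directories carry group write access and nothing is world-writable.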
    • Ben Lee
    • Elite Rocketeer
    • Posts: 4193
    • Thanks: 42

    Re: Cache folder security and rokgzipper

    Posted 15 years 2 months ago
    • I'd say you're doing pretty darn good with the security thing here with what you have. One tough thing about dynamic sites is that they do need write access for some of their functions.

      I'm no expert when it comes to security for a site, but from the feedback I've seen on forums and heard from developers, many vulnerabilities come from using not so great extensions that open up an entry point for an attacker. Just making sure you're using reputable extensions and downloading them from the source will do a great deal for the security of your site.

      The only other thing I was going to mention is that your configuration.php file can be set to 444, but you noted that you've moved it outside. It still won't hurt to set its permissions to 444, though.
    • Tyson Mock
    • Jr. Rocketeer
    • Posts: 29
    • Thanks: 0
    • Technology Director

    Re: Cache folder security and rokgzipper

    Posted 15 years 2 months ago
    • That's reassuring Ben. I appreciate your response. Thanks for the tip on the security of the configuration.php.

      As a note to your comment regarding vulnerabilities within 3rd party extensions, use the following site to check your extensions for existing or newly discovered vulnerabilities. It's updated regularly: docs.joomla.org/Vulnerable_Extensions_List
    • Tyson Mock
      Technology Director
