Striver Posted February 10, 2007

I recently installed the latest version of phpbb (2.0.22). I know I can't make it bullet proof but I want to come as close as possible. One thing I noticed is that the cache and avatar directories and their content are chmod 777. That gives me the heebie-jeebies because that is a rather dangerous permission combination. Is this just the way this particular program needs things set up? Can it, or should it be changed? And most of all...what is your best tip for phpbb security that I may not know? In case you are curious the forum is here... http://www.verchi.com/forum002/
TCH-Bruce Posted February 10, 2007

For users to upload their own avatars you can't get around the 777 permission settings. I would gather the cache directory requires it as well. phpBB is prone to attacks, being one of the most popular freeware forum software packages available. All I can say is monitor when they release patches and apply them as soon as possible. An alternative free forum software would be Simple Machines Forum (SMF), which hasn't had as much attention as phpBB but it's easier to upgrade when patches are released.
Striver Posted February 10, 2007

I set up an SMF first to give it a try...there are good reasons that phpbb is more popular. I am actually running the cache at 755 and haven't had any problems. The file ownership of the files in the cache is set up a bit different so they aren't as easy to chmod but I have read you can set them to 755 as well. I was just hoping there might be a phpbb guru lurking around here somewhere. And speaking of users uploading their own avatars...I tried to replace mine here but it wouldn't take the new one...it just deleted the old one. I had to link to the pic on my site.

Lee
TCH-Bruce Posted February 10, 2007

As you can see we don't want to set any directories to 777 either so the upload feature has been disabled.
Striver Posted February 10, 2007

LOL! I had a feeling that might be the case...now that leaves me with a dilemma. I suppose I will have to do the same just to be safe... I wonder if there is a mod floating around that addresses this problem somehow...
TCH-Bruce Posted February 10, 2007

Something you can do is leave the directory permissions at 755 and ask the help desk to change ownership of it to "nobody" so that the default server user can write to it.
Striver Posted February 10, 2007

> Something you can do is leave the directory permissions at 755 and ask the help desk to change ownership of it to "nobody" so that the default server user can write to it.

I have read some about that option but some experts seem to think it opens more security holes than it closes...and of course I don't know enough about it yet to know who is right. When I was doing a lot of PERL programming I noticed that password protecting a directory like this didn't seem to lock out local programs. Not sure exactly whether that would fix this and I would need to set up another server to test it too...hmmm...maybe time to fire up this old linux box I have sitting here...ack!
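
The two setups compared in this thread (777, versus 755 with the directory owned by the web server account), as an added example that is not part of the original posts and is not phpBB code: a small audit that walks a forum tree and reports how the server account would get write access to each directory. The directory names, the sample tree and the use of the current user as a stand-in for the server account are constructed assumptions; only classic mode bits and ownership are checked, not ACLs.

```python
import os
import stat
import tempfile


def classify(path, server_uid, server_gids=()):
    """Say how the web server account could write to `path`.

    Looks only at classic mode bits and ownership (no ACLs).
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        return "world-writable"   # the 777 case: any local account can write
    if st.st_uid == server_uid and mode & stat.S_IWUSR:
        return "server-owned"     # the 755 + change-of-owner case
    if st.st_gid in server_gids and mode & stat.S_IWGRP:
        return "group-writable"
    return "not-writable"         # avatar uploads / cache writes would fail


def audit(root, server_uid, server_gids=()):
    """Map each directory under `root` to (octal mode, classification)."""
    report = {}
    for dirpath, _dirs, _files in os.walk(root):
        mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        rel = os.path.relpath(dirpath, root)
        report[rel] = (format(mode, "03o"),
                       classify(dirpath, server_uid, server_gids))
    return report


def build_sample_tree():
    """Constructed sample: a forum root with one 755 and one 777 directory."""
    root = tempfile.mkdtemp(prefix="forum-sample-")
    for name, mode in (("cache", 0o755), ("avatars", 0o777)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)      # explicit chmod so the umask does not interfere
    os.chmod(root, 0o755)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    # Assumption: the current user stands in for the web server account.
    for rel, (mode, kind) in sorted(audit(sample, os.getuid()).items()):
        print(f"{mode}  {kind:15}  {rel}")
```

On a shared host the account to pass as `server_uid` is whatever user the web server runs PHP as ("nobody" in the suggestion above); directories reported as world-writable are the ones any other local account can also write to.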