
Cms Backend Advice


mjarus


I currently signed up with TCH after losing my WHOLE account when Endore went under without warning (I know, back up...). Anyways, I have gotten a whole new domain and am ready to start over from square one. My old site was on PostNuke. Here is the question...

 

After looking into CMS security and such I think I have narrowed my choices down to Mambo 4.5 or Drupal. Does anyone know anything at all about these as far as how good the security model is and what features they have? I know that PHP is a security risk on shared servers, but it is so darn easy to customize! Also I believe that the risk is relatively small, and you guys seem to be ok :) .

 

Another question too... Drupal requires magic quotes to be off, but by default they are on. I know it is possible to turn them off via .htaccess. Is this supported on TCH servers, or is it somehow blocked? I know you can't configure the PHP.INI itself.

 

Last question... What is the difference between chmod 707 and 777? It seems like it would be the same to me. With the last 7 it grants everyone rwx permissions, right? Doesn't this supersede the group level? Mambo recommended 707 security, but I think that is pretty weak and 755 SHOULD be used, right?

 

Any help would be appreciated.

 

Thanks all,

 

MJarus.


You can control PHP.INI settings in your .htaccess:

 

phpinfo() output before the .htaccess addition:

Directive          Local Value   Master Value
magic_quotes_gpc   On            On

After adding "php_value magic_quotes_gpc 0" to .htaccess:

Directive          Local Value   Master Value
magic_quotes_gpc   Off           On

 

I haven't used either CMS so can't help you there.

 

The difference between permissions 707 and 777 is that an account that is a member of the group that owns the file, but is not the owner of the file themselves, would be denied access. I would guess that the recommendation is based on an assumption that all users on a shared host belong to the same group, but all non-users (webserver and other processes) do not belong to that group.

 

The problem with 755 is that if the CMS needs to write files out, it would be attempting to do so as the account the webserver runs as, not as you, unless it's running suExec'd. But since those sound like PHP systems (as opposed to CGI scripts), they likely won't be running under suExec.

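To make the 707 / 777 / 755 discussion concrete, here is an added example (not code from the forum thread) that models the Unix access check the kernel performs: exactly one permission class applies to a given process, owner first, then group, then other, so the "other" bits never supersede a more specific class. The uids, gids and group memberships below are made up to mirror the assumption in the reply above (all customer accounts in one group, the web server outside it); they are not TCH's real layout.

```python
"""Model of the Unix discretionary access check (added illustration).

The account table is constructed for the example: two shared-host customers
share group 100, and the web server runs as 'nobody' in its own group 99.
"""
import os
import stat

# Constructed accounts (assumption, not a real host's passwd/group files).
ACCOUNTS = {
    "mjarus":   {"uid": 1001, "gid": 100, "groups": {100}},
    "neighbor": {"uid": 1002, "gid": 100, "groups": {100}},
    "nobody":   {"uid": 99,   "gid": 99,  "groups": {99}},
}

PERM_BIT = {"r": 4, "w": 2, "x": 1}


def can_access(mode, owner_uid, owner_gid, actor, want):
    """Return True if `actor` gets permission `want` ('r', 'w' or 'x') on a
    file with numeric `mode` (e.g. 0o707) owned by owner_uid:owner_gid.

    Only the first matching class is consulted: if the actor is the owner,
    the owner bits decide; otherwise, if the actor belongs to the file's
    group, the group bits decide; only if neither applies do the 'other'
    bits decide. This is why 0o707 denies a fellow group member even though
    everyone else gets rwx, and why 0o777 does not.
    """
    if actor["uid"] == owner_uid:
        shift = 6          # owner bits
    elif owner_gid in actor["groups"]:
        shift = 3          # group bits
    else:
        shift = 0          # other bits
    return bool((mode >> shift) & PERM_BIT[want])


def who_can_write(mode, owner="mjarus"):
    """Map every constructed account to whether it could write a file of
    `mode` owned by `owner`. Useful for comparing 707, 777 and 755 at a glance."""
    own = ACCOUNTS[owner]
    return {name: can_access(mode, own["uid"], own["gid"], acct, "w")
            for name, acct in ACCOUNTS.items()}


def real_file_access(path, actor, want):
    """Same check against an actual file on disk, reading mode and ownership
    with os.stat, so a site owner can ask 'what would the web server get on
    this file?' without switching users."""
    st = os.stat(path)
    return can_access(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                      actor, want)


if __name__ == "__main__":
    for label, mode in (("707", 0o707), ("777", 0o777), ("755", 0o755)):
        print(label, who_can_write(mode))
```

The table printed by the block shows the trade-off the reply describes: 707 lets the web server (outside the group) write while shutting out other customers in the shared group, 777 lets everyone write, and 755 lets only the owner write, so an upload handler running as the web server user fails unless the script runs under suExec as the owner.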

I would guess that the recommendation is based on an assumption that all users on a shared host belong to the same group, but all non-users (webserver and other processes) do not belong to that group.

So is this the case at TCH? If so then it would be safer than doing 777 for files that were required for writing.

 

BTW, Thanks for the quick reply :)

 

MJarus.


With the understanding that nothing is 100% secure...

 

I think you're reasonably safe with either one but I have more experience with Mambo. It's a stable system with lots of community contributors and appears to have more flexibility in the template design (although one of my biggest complaints about Mambo is the templating engine... )

 

Big Gorilla is correct in that the 777 and similar settings are there so that you can do things like upload files from the user/admin interface in the CMS. There's no reason why you couldn't

a) change the settings to 777 when you want to upload and then turn them back to 755 when done

b) just FTP the documents and images instead of asking the script to do it.

 

In terms of security, you need to make intelligent choices with the full knowledge that nothing is foolproof. If it's a deep dark secret or involves credit card numbers, SS numbers, and the like... don't put it on the web, even a database. Backup often and update your CMS often as vulnerabilities are found on every CMS I've seen... and patches come out just as quickly (if the community is strong).

 

There are other things you can do to improve the security of a CMS, or any site. Just good programming sense. Strong passwords, config files with a .php extension outside of your public dir... etc. Now cPanel even gives you the ability to assign permissions to database users and limit what they can do...

 

That's a HUGE step forward that has been long awaited.
