#1344 ✓resolved

Security: are we setting folder/file permissions correctly

Reported by dleffler | January 13th, 2016 @ 12:30 PM | in 2.3.8 (closed)

We offer only a single admin permission setting for folder and file creation (actually 2). This may be too restrictive/permissive for uploaded (public) files and patches/extensions/temp-files. In some server scenarios, file/folder permissions can keep the system from working (correctly) and it seems the only fix is to open up the (group/world) permissions. In a perfect world/setup, all files/folders within Exponent would be owned by the specific web server user and only need to be accessible by the server. However, audio (and video?) files can only be played if they are world readable. A world read/write permission (777/666) though would cause a possible security issue because it would/might allow anyone the opportunity to write/edit a file and then execute it. (though we already have some pretty strong anti-execution settings/code in place)

  • We may need 2 types of folder/file permissions (actually 4) based on whether it's for an upload into the /files folder or somewhere else in the system
  • We need to ensure we are always setting the folder/file permissions instead of the default of 0777 for mkdir()
  • The intent would be to lock down the system (everything but the /files folder and to allow a little more (read-only) access to the /files folder and it's children, with a little more access (write) to upload files

Comments and changes to this ticket

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป

Bug Tracker for Exponent CMS

Shared Ticket Bins

People watching this ticket