Re: [Peterboro] Joomla

Wed, 08 Nov 2006 14:55:01 -0800 

Malcolm Hunter wrote:
> One question: Mark, how did you give write access to Joomla? I tried changing 
> the group to www and giving write access to that group, but is this secure? 
>   

On our server, httpd runs within the "admin" group (for reasons which
aren't relevant here). I uploaded the files logged in as the "admin"
user, so they were already set to user=admin, group=admin, with write
access for user only. I therefore just added group write access as
needed using
    chmod g+w -R dirname

Is this secure? Well it's less secure than not doing it, as a bug in
Apache could be exploited to overwrite any files which Apache can write
to. That's why we don't give write access to everything. However, for
Joomla to work (ie for it to be able to upload files etc) we chose to
take that risk.

The following paragraph is my understanding but I am not a security
expert, and corrections very welcome (but don't assume lack of
corrections means this is right!):

The risk is not just that somebody might be able to overwrite the
website with their own content if a suitable Apache bug is found, but
that they would use this feature to upload a script which Apache would
then have the rights to run, which could then do anything that a PHP
script on the server run by Apache could do. So the consequences could
be quite high, depending on what rights the Apache process has (it would
be easy to use it to send spam, for example, were such an exploit
discovered). The whole point of Joomla, though, is to allow users to
upload their own content, so that risk is inevitable once we decide to
use Joomla. How secure is Apache? Pretty good but not flawless track
record (I wouldn't run it on IIS though!). If Joomla had the option to
store all content in the database that would be preferable (the higher
CPU load would be worthwhile on a low hit site). There are also other
security options for Apache, such as running multiple processes as
different users restricted into their own areas (limiting the damage
possible). We rely on our hosting company keeping Apache patched which
we may live to regret, but our business would be gone long before that
if we couldn't provide the functionality the clients are after.

-- 
Mark Rogers
More Solutions Ltd :: 0845 45 89 555


_______________________________________________
Peterboro mailing list
[email protected]
https://mailman.lug.org.uk/mailman/listinfo/peterboro

Reply via email to