
mxh

I've tried out October CMS RC within a fresh Ubuntu VM including a LAMP stack. It seems that to be able to work with October as intended, the CMS itself creates all needed files, setting www-data:www-data as the owner of all files and folders, e.g. for index.php, the file permissions are as follows:

-rw-r--r-- www-data:www-data index.php

I have always avoided setting up other frameworks and CMSs this way, because www-data having write permission on executable scripts like index.php may enable malicious users to change these files and execute them by exploiting existing security holes (which even the CMS/framework creators may not know about yet).

Do you think this predefined configuration of file permissions is safe enough, as long as you don't expect any serious existing security holes?

Do you have any plans to initiate a security team / organisation for October CMS?

Thanks for your answers!

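A way to check a document root for the situation described in the question above (PHP files that the web-server account owns or can write to) and to tighten it, as an added example that is not part of this thread or of October CMS's own tooling. It is a POSIX shell script and assumes GNU or BSD find; the account names, the storage directory and the sample tree used in the comments are placeholders, not October's defaults. The audit counts any PHP file owned by the web-server user as a finding regardless of its mode, because the owner of a file can always give itself write access again with chmod; the hardening step hands the code to a separate deploy account and leaves only the directories you name writable by the web-server group.

```shell
#!/bin/sh
# Added example: audit and tighten write access on a PHP document root.
# Not from the forum thread or from October CMS. Assumes POSIX sh plus
# GNU or BSD find; user/group arguments may be names or numeric ids.

# Print PHP files under $1 that the web-server account could modify:
#   - owned by the web user $2 (the owner can always chmod u+w back),
#   - group-writable with the web user's group $3, or
#   - world-writable.
audit_writable_scripts() {
    root=$1
    web_user=$2
    web_group=$3
    find "$root" -type f -name '*.php' \( \
        -user "$web_user" \
        -o \( -group "$web_group" -perm -020 \) \
        -o -perm -002 \)
}

# Number of findings, for a pass/fail summary (0 is the goal).
count_writable_scripts() {
    audit_writable_scripts "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Give the tree to a deploy account ($2) with the web group ($3) as its
# group, code readable but not writable by that group, and only the
# directories listed after the third argument (e.g. storage) writable
# by the web group. Changing ownership needs root; without it only the
# modes are adjusted.
harden_code_tree() {
    root=$1
    deploy_user=$2
    web_group=$3
    shift 3
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$deploy_user:$web_group" "$root"
    else
        echo "not root: ownership of $root left unchanged, fixing modes only" >&2
    fi
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
    for rel in "$@"; do
        dir=$root/$rel
        [ -d "$dir" ] || continue
        # setgid bit on directories keeps newly created files in the web group
        find "$dir" -type d -exec chmod 2770 {} +
        find "$dir" -type f -exec chmod 660 {} +
    done
}

# Stand-alone use: sh audit.sh DOCROOT [WEB_USER [WEB_GROUP]]
# (e.g. sh audit.sh /var/www/october www-data www-data)
if [ $# -gt 0 ]; then
    audit_writable_scripts "$1" "${2:-www-data}" "${3:-${2:-www-data}}"
fi
```

Run the audit before and after deployment; a non-empty list means the PHP process can rewrite its own code. The split into a deploy owner plus a web group is what lets PHP write to uploads and caches without being able to touch index.php, and it is the same split that a dedicated PHP-FPM pool user builds on.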

mxh

As long as there is no response on this, I can't really take October CMS as a viable option for any project. To anyone using October CMS on shared hosting machines: may the trust in good be with you.


Kaybee

This is entirely specific to how you have PHP configured on your server. I'd suggest looking into setting up PHP-FPM with separate user pools.

dshoreman

www-data as owner and group is far more secure than setting permissions of 777 on everything.

As Kaybee says, it's entirely dependent on your server configuration. What works for you may not work for the next person. In a perfect world, Apache wouldn't be running as www-data at all, instead using a completely different custom user that you create for it.

Nothing will be perfect out of the box; it's your job as server admin to make sure you take the necessary steps for your particular setup. Just look at WordPress: without spending hours locking it down, your site has a good chance of being hacked the moment someone's "WordPress detector" finds it on the Internet.

mxh

Thanks for your answers.

dshoreman said:

www-data as owner and group is far more secure than setting permissions of 777 on everything.

I'm not looking for ways which don't solve the problem.

dshoreman said:

Nothing will be perfect out of the box, it's your job as server admin to make sure you take the necessary steps for your particular setup.

That's obviously true.

Is there a documented guideline regarding setting up and maintaining a secure OctoberCMS application infrastructure?

Saying it's up to the administrator without providing documentation about which aspects need to be considered for security is valid, but not really useful for making this CMS more accessible to anyone.

