And does that take into consideration whats required when using CMSMS in a shared host environment?
Let me explain what I mean by shared host environments:
Something like the type of account you get at Pair Networks (www.pair.com). A typical FreeBSD account on a machine you share with some 50-100 other users (who you don't know and can't trust).
In this kind of environment you want the following file permissions:
755 (user: rwx, group: r-x, other: r-x) for directories.
644 (user: rw-, group: r--, other: r--) for most files.
600 (user: rw-, group: ---, other: ---) for files with "secrets" like passwords and such.
User - the 'user' group consists only of the owner of the file (your account, in most cases)
Group - the 'group' group consists of the other users on the server
Other - the 'other' group consists of everyone else -- most importantly, the web server falls into the 'other' category.
This means you need to trick the webserver in a way that it will access files as 'user'. Since you can't fiddle with these things on a shared host (you are not root), there has to be another way to do it (let's assume all shared host environments handle that issue somehow, or they wouldn't be very useful). At Pair Networks the trick is to use a system CGI called "php-cgiwrap". See explanation here if you want the details:
http://www.pair.com/support/knowledge_b ... iwrap.html
This requires a change to the .htacess file, to insert a few lines like this:
Note the exact mechanism varries with the host used, but this is how it would work at Pair Networks.
Action application/x-pair-sphp4 /cgi-sys/php-cgiwrap/username/php4.cgi/users/
AddType application/x-pair-sphp4 .php
AddType application/x-pair-sphp4 .htm
AddType application/x-pair-sphp4 .html
This will allow the webserver to access files as 'user' when parsing these filetypes through PHP.
Now the question is: does CMSMS (want to) support usage on a shared host like this?
Or what is the attitude/philosophy towards this issue?
I havn't seen this adressed in the documentation wiki in any detail. I have observed much different behavior from different modules with regards to file permissions. Things like upload of files in the file manager. And generation of Captchs images. And... This makes me wonder what the overall strategy is? - and what's being done to make the (module-) developers understand the importance?
The risks of not paying attention to file permissions on a shared host are very real:
- Other users can read your database passwords etc. if you leave the config.php file with read-access for 'group' or 'other'.
- Other users can erase files and write stuff into your web-directories if you open for write access for 'group' or 'other'.