How to protect CMS Made Simple installation against hackers?

hanoul

How to protect CMS Made Simple installation against hackers?

Post by hanoul »

CMS Made Simple needs the 2 folders:
tmp/cache
tmp/templates_c
to be writable by the world (chmod 777) in order to run.
This opens the website to all sorts of hackers.
What is the solution? Does anyone know?
I'd appreciate your help on this.
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: How to protect CMS Made Simple installation against hackers?

Post by calguy1000 »

CMS Made Simple does not NEED those folders to have 777 permissions (well, that depends on your environment). Those folders (as well as modules, and uploads) need to be writable by the web server user. That's it. If your solution provider allows you root access, or sudo... (and/or you have a good understanding of permissions, user and group modes, user processes, umasks, safe mode, and other considerations), then you can implement your server differently. CMS Made Simple does not get in the way of that.

Further, if you have a good understanding of your requirements for a website, you may be able to do without certain functionalities of the product, and can therefore restrict your permissions even more.

However, given the features of the product, and the amount that these features are requested, and also considering the hosting environments that many people are using CMS within, there are certain prices that have to be paid.

We've been making every effort (lots of reviews of the code, lots of modifications) to prevent against any potential hacker attempts. Unfortunately, there is no 100% solution. I think that there is little more that we can do.

If anybody has any further ideas, we would like to hear them.  We look forward to your concepts, and will seriously consider as many of them as possible.  We always try to.
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
hanoul

Re: How to protect CMS Made Simple installation against hackers?

Post by hanoul »

Do you know which features require the folders
tmp/cache
tmp/templates_c
to be writable?

Maybe I don't need those features, and I can disable them.
For the modules and uploads folders it is a bit easier, since they are needed only by the website administrator for updating. So, they can go and change them to 777 just when they need to update, and then switch back to 755.

Thanks for your help.
Kayin
Forum Members
Posts: 59
Joined: Mon Jun 05, 2006 2:33 am

Re: How to protect CMS Made Simple installation against hackers?

Post by Kayin »

.htaccess files allow people to put in Apache directives for specific directories.

One such Apache directive allows you to disable PHP altogether in that directory.

Do you think it would hurt to put that in the uploads/ and the tmp/ directories just as an added precaution?

I don't have the exact directive on me right now, but I do have it at home; I can post it if anyone wants.

-K
Pierre M.

Re: How to protect CMS Made Simple installation against hackers?

Post by Pierre M. »

Kayin, I like your idea.
As I don't know the internal mechanism of the template engine I'm not sure PHP should be disabled in tmp/ but I'd like it to be disabled in uploads/.
Pierre M.
Kayin
Forum Members
Posts: 59
Joined: Mon Jun 05, 2006 2:33 am

Re: How to protect CMS Made Simple installation against hackers?

Post by Kayin »

As far as I can tell, it doesn't prevent PHP from operating in that directory but does prevent PHP from being executed in that directory.

Meaning if I place this directive in /uploads/ and have a php script in /bin/ that wrote a log file in /uploads/ it would still write. But if the script was in /uploads/ it wouldn't execute.

    php_admin_flag engine off

It comes in handy from time to time.

-Kayin
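Putting calguy1000's point (the four directories need to be writable by the web server's user or group, not by the world) together with Kayin's directive, here is an added POSIX shell example; it is not code from the CMSMS project or from anyone in this thread. It assumes Apache 2.4 and takes the CMSMS root and the web server's group (e.g. www-data) as arguments; note that inside an .htaccess file the directive has to be php_flag, because php_admin_flag is only accepted in the main server or virtual-host configuration, and a FilesMatch deny is added so the protection also holds when PHP runs under PHP-FPM, where php_flag is ignored.

```shell
#!/bin/sh
# Added example, not CMSMS project code. Assumes Apache 2.4; $1 is the CMSMS
# root and $2 the web server's group (e.g. www-data).
set -eu

# Directories the thread says CMSMS must be able to write to.
WRITABLE_DIRS="tmp/cache tmp/templates_c modules uploads"

# Dropped into uploads/ and tmp/: stops PHP executing there under mod_php
# (engine off; php_admin_flag is not allowed in .htaccess) and under
# PHP-FPM (requests for .php files are refused outright).
NO_PHP_HTACCESS='<IfModule mod_php.c>
  php_flag engine off
</IfModule>
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
  Require all denied
</FilesMatch>'

harden_cmsms() {
  root="$1"; web_group="$2"
  # Baseline: owner writes, everyone else only reads. Nothing world-writable.
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  for d in $WRITABLE_DIRS; do
    mkdir -p "$root/$d"
    # Writable by the web server's group instead of 777; setgid keeps that
    # group on files PHP creates, so the site admin can still edit them.
    chgrp -R "$web_group" "$root/$d"
    chmod 2775 "$root/$d"
  done
  for d in uploads tmp; do
    printf '%s\n' "$NO_PHP_HTACCESS" > "$root/$d/.htaccess"
  done
}

# World-writable entries remaining under a path; 0 after hardening.
world_writable_count() {
  find "$1" -perm -002 | wc -l | tr -d ' '
}

# Mode string of a path as ls shows it, e.g. drwxrwsr-x
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# Usage: sh harden_cmsms.sh /var/www/cmsms www-data
if [ $# -ge 2 ]; then harden_cmsms "$1" "$2"; fi
```

Run it as the file owner (or root) on the install root; the AllowOverride setting for the site must permit Options/FileInfo for the .htaccess to take effect.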
hanoul

Re: How to protect CMS Made Simple installation against hackers?

Post by hanoul »

I think there are 4 folders that need to be writable:
- tmp/cache: I assume this is where page previews are stored, right?
- tmp/templates_c: I assume that this enables the CMS to cache the current template, to speed up page rendering, right?
- modules: For new modules installation only.
- uploads: For files and images uploading.

The web site will operate if only the 2 tmp subfolders above are writable. I assume that if no modules need to be installed, and no new files need to be uploaded through the browser, the 2 other folders may be left on 755 or a similar setting.

Does anyone know how to disable page previewing and template caching? I just want to know if it is possible to disable the features that need the 2 folders tmp/cache and tmp/templates_c to be writable. Does anyone know?