
CMSMS security?

Posted: Sun Feb 18, 2007 7:41 am
by Anastasis
When I installed CMSMS, the installation procedure highlighted some security issues to be aware of:
Step 4

For the script to access the folder properly, you need to change permissions of the following files and directories on the server. CHMOD these to 777 (Note: 777 has potential security risks and may allow hackers to upload files to these directories to run phishing sites etc. If security of your web site is important, set these folders to CHMOD 775 or tighter.):

    * tmp/templates_c
    * tmp/cache
    * uploads
    * uploads/images
    * modules
I used 775 for these folders but for some this gave an orange indicator (I cannot remember what that was for in these cases) when the CMSMS install did the installation check, so I set them to 777 to get a green indicator. In hindsight, I am a little concerned about this, but also don't want to be restricted in how I can use and modify CMSMS.

If I set these folders back to 775, what will be the limitation on my use and is there a workaround where I can have flexibility but also be secure?

Also, are there other things I can do to make my CMSMS website more secure from hacking as although I am only testing at the moment, I am concerned about security particularly if using CMSMS for a commercial website?

Finally, the documentation says that you should remove the install folder completely. The thing is, that folder also contains upgrade.php. Won't I need that later if upgrading to a newer version?

Re: CMSMS security?

Posted: Sun Feb 18, 2007 10:51 am
by tsw
777 is just a "works for all" guide (if you look at other CMSs their instructions are usually pretty similar).

Setting correct permissions on files depends on how your PHP / Apache is set up. On my servers I could probably run it with 700 and have no problems, but servers have different settings. So check your settings, tighten permissions, test, repeat until you think it's OK.

Securing CMSMS is similar to any other system. Use good passwords, remove all unnecessary modules, join a mailing list to get notifications of new versions (and upgrade to the new versions) and last but not least, with GPL code, read it through before using (just kidding, no one reads through all the GPL code they run :)

For the upgrade.php, when you download a new version you overwrite all the files in the old installation with the new files. The new version's files will include a new install folder with a new upgrade.php file and the upgrade files needed to do database schema upgrading. So you can delete the install folder; when you upgrade you'll have a brand new install folder to use.

hope this helps

Re: CMSMS security?

Posted: Sun Feb 18, 2007 6:23 pm
by Anastasis
Thanks very much for your response and explanation on all of this.
tsw wrote:
Setting correct permissions to files depends on how your php / apache is set up. On my servers I could probably run it with 700 and have no problems, but servers have different settings. So check your settings, tighten permissions, test, repeat until you think its ok.

Sorry if this is a stupid question, but in doing this iteration of tightening permissions and re-testing, what sort of errors/messages should I expect to get if permissions have been tightened too much? Is there a best way to move through the tightening, e.g. read, write, then execute and user, group, world?

Re: CMSMS security?

Posted: Sun Feb 18, 2007 7:06 pm
by tsw
Start by removing world read/write/execute access, then test something like uploading a new image with ImageManager or installing a module. If it's successful, move to group permissions and do similar tests.

Errors you can expect would be something like "can't access file", "error writing file" and so on.

If you have your own group there is no real need to tighten group permissions.

As said before, permissions are very specific to your hosting environment.

hope this helps
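An added example (not from tsw or the CMSMS project) of the check behind the "tighten, test, repeat" loop above and the earlier remark that 700 can be enough: it works out, from who owns each CMSMS directory and which user PHP/Apache runs as, whether that user can still write after tightening and what the tightest mode is that keeps it working. It assumes PHP runs as one Unix user (the default name "www-data" is an assumption; pass your host's user).

```python
"""Which CMSMS directories can the web server user write to, and what is the
tightest mode that still lets it?  Added example, not CMSMS code."""
import os
import stat
import pwd
import grp

# The directories the CMSMS installer asks to be made writable (from the thread).
CMSMS_DIRS = ["tmp/templates_c", "tmp/cache", "uploads", "uploads/images", "modules"]


def web_user_ids(username):
    """Return (uid, set of gids) for the user PHP/Apache runs as."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids


def can_write(mode, owner_uid, owner_gid, uid, gids):
    """True if uid (member of gids) may create files in a directory with this mode/owner.
    Writing into a directory needs both the write and the execute (traverse) bit."""
    if uid == owner_uid:
        bits = stat.S_IWUSR | stat.S_IXUSR
    elif owner_gid in gids:
        bits = stat.S_IWGRP | stat.S_IXGRP
    else:
        bits = stat.S_IWOTH | stat.S_IXOTH
    return (mode & bits) == bits


def tightest_mode(owner_uid, owner_gid, uid, gids):
    """Tightest directory mode that still lets the web server user write.
    777 only comes out when the web user is neither owner nor group member;
    the better fix there is chown/chgrp, not world-writable directories."""
    if uid == owner_uid:
        return 0o700
    if owner_gid in gids:
        return 0o770
    return 0o777


def check(root, username="www-data"):  # "www-data" is an assumed default
    """Map each CMSMS dir to (current mode, web user can write?, tightest mode)."""
    uid, gids = web_user_ids(username)
    report = {}
    for rel in CMSMS_DIRS:
        st = os.stat(os.path.join(root, rel))
        mode = stat.S_IMODE(st.st_mode)
        report[rel] = (oct(mode), can_write(mode, st.st_uid, st.st_gid, uid, gids),
                       oct(tightest_mode(st.st_uid, st.st_gid, uid, gids)))
    return report
```

Run `check("/path/to/cmsms", "www-data")` on the server; a directory that reports a tightest mode of 777 is one to chown/chgrp to the web user rather than leave world-writable.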

Re: CMSMS security?

Posted: Sun Feb 18, 2007 7:15 pm
by Anastasis
Many thanks for the info on this - I appreciate your help. :)