hashover-next
Proper file permissions and behavior
Perhaps some more clarification on permissions
Should all php files in scripts be 0644? Locales 0755?
What shouldn't be publicly accessible besides the scripts?
For example I currently have 403 on any json file comment when loaded in browser... that's ok?
Should all php files in scripts be 0644?
Yes. All PHP files, anywhere, should have permissions 0644.
The documentation calls for 0755, but that was done just to ensure the best possible chance that 1.0 would work for most people and avoid problems relating to file permissions from coming up.
Locales 0755?
Yes and no. Again, all PHP files, including those in hashover/, hashover/api, hashover/scripts and hashover/scripts/locales should have permissions 0644.
However, all directories anywhere need to be executable to be usable. So the directory hashover/scripts/locales needs permissions 0755, but not the files inside of it.
What shouldn't be publicly accessible besides the scripts?
Some scripts need to be publicly accessible, such as those under hashover/api as well as hashover/scripts/avatars.php and hashover/scripts/like.php.
In general, no directories should ever list their contents. There isn't a security risk really, since mostly all files under those directories are publicly available here on GitHub and my website.
The only place that is problematic is allowing any outside access to anything under hashover/pages, as that is where all user data is stored, all encrypted, but still.
So...
For example I currently have 403 on any json file comment when loaded in browser... that's ok?
Yes.
Though, if there is a way to be more broad with that restriction, as to 403 on anything under hashover/pages that would be even better. Just in case you ever decide to use XML or SQLite in the future or if I put more user data there in different places in the future.
Thanks.
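An added example (not part of HashOver or this thread) that audits a deployed tree against the rules stated in this answer: every PHP file 0644, every directory 0755. The sample tree it builds is constructed; the locale file name en-us.php is assumed.

```shell
#!/bin/sh
# Added example, not HashOver project code. Checks a HashOver install against the
# permission rules above: PHP files 0644 everywhere, directories 0755 everywhere.

# Build a small constructed tree mirroring the paths named in the thread.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/scripts/locales" "$root/api" "$root/pages"
  : > "$root/scripts/avatars.php"
  : > "$root/scripts/like.php"
  : > "$root/scripts/locales/en-us.php"   # assumed locale file name
  fix_hashover_perms "$root"
}

# Apply the rules: directories 0755 (must be traversable), PHP files 0644
# (readable by the web server, never executable).
fix_hashover_perms() {
  root="$1"
  find "$root" -type d -exec chmod 0755 {} +
  find "$root" -type f -name '*.php' -exec chmod 0644 {} +
}

# Report every path that breaks a rule. Prints one line per violation and
# returns 1 if any were found, 0 if the tree is clean.
audit_hashover_perms() {
  root="$1"
  bad=$( {
    # -perm with an octal mode matches the exact mode, so "! -perm" finds
    # anything that is not precisely 0755 / 0644 (including 0700 or 0777).
    find "$root" -type d ! -perm 0755 | sed 's/^/DIR  expected 0755: /'
    find "$root" -type f -name '*.php' ! -perm 0644 | sed 's/^/PHP  expected 0644: /'
  } )
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad"
    return 1
  fi
  return 0
}
```

Run `audit_hashover_perms /path/to/hashover` against a live install; a 0755 PHP file or a 0700 directory shows up as a violation line.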
Hmm I need to look more into my nginx config if I can pull that off for pages. How do you handle it through apache if you're using that?
My server setup is quite old, hence the lack of SSL.
For me I just throw a .htaccess file into hashover/pages with the following contents:
Order deny,allow
deny from all
That triggers a 403 error for any request to any file under hashover/pages/, which is good enough for me. I'm not all that familiar with Nginx, though I do use it on my personal computer for testing.
In your server section, it looks like this:
server {
    # A bunch of stuff is here...
}
Put:
location /hashover/pages/ {
    deny all;
}
À la:
server {
    # A bunch of stuff
    location /hashover/pages/ {
        deny all;
    }
}
Works for me.
LOL, actually I had a similar implementation before but thought it didn't work. Something from pagespeed was throwing me off.
Indeed that works fine, thanks for confirming