[TIP] Secure your MODx-installation - My Forums

Re: [TIP] Secure your MODx-installation

Maaike — Sep 16, 2006, 07:22 AM

Quote from: davidm at Sep 16, 2006, 09:25 AM

After install, you have to CHMOD it to 644 so that nobody can modify it, for obvious security reason...

Ah, this makes sense, yes. Thanks!

Re: [TIP] Secure your MODx-installation

davidm — Sep 16, 2006, 04:25 AM

Maybe it was not clear, but the installer needs config.inc.php to be CHMODed to 777 so that it can write to it your config.
After install, you have to CHMOD it to 644 so that nobody can modify it, for obvious security reason...

Re: [TIP] Secure your MODx-installation

Maaike — Sep 16, 2006, 03:28 AM

Quote from: doze at Sep 15, 2006, 07:06 PM

use 0777 (also chmod the cache folder, not just the files), but change confic.inc.php back to what it is currently immediately after installing.

Thanks for your help, but (excuse my ignorance) config.inc.php currently is 777. I remember the MODX installer made me change the chmod values for these files manually to what they are now, otherwise it wouldn’t install at all.
Also, I don’t really understand how chmodding these files to 777 makes my install more secure, could you please explain some more? Thanks!

Re: [TIP] Secure your MODx-installation

doze — Sep 15, 2006, 02:06 PM

use 0777 (also chmod the cache folder, not just the files), but change confic.inc.php back to what it is currently immediately after installing.

Re: [TIP] Secure your MODx-installation

Maaike — Sep 15, 2006, 07:22 AM

Another question: I got this reply:

chmod failed on: ./assets/cache/siteCache.idx.php (0666 x)
chmod failed on: ./assets/cache/sitePublishing.idx.php (0666 x)
chmod failed on: ./manager/includes/config.inc.php (0777 x)

(Where ’x’ would be my username).
I guess I can do the chmods manually, but what values should I use? I think the values listed above are the current ones, right?
Thanks!

Re: [TIP] Secure your MODx-installation

chucktrukk — Jun 27, 2006, 05:39 PM

If you need a cheap shared hosting environment for web apps, you can check out dreamhost.com. I use rochenhost.com for my sites that mean anything. They are more expensive but so is downtime and slowtime.

Chuck

Re: [TIP] Secure your MODx-installation

netnoise — Jun 27, 2006, 03:55 AM

Well, they really should understand what that means, it’s their business To be absolutely correct, ask them, if your php-scripts do run under your own user-id.
Another way is to check their FAQ: If they talk about ’chmod 777’ to make something work, they’ll most probably don’t have php run suexeced (=under your uid).

Re: [TIP] Secure your MODx-installation

Maaike — Jun 27, 2006, 01:58 AM

Quote from: netnoise at Jun 26, 2006, 09:11 PM

(Hope your username isn’t really ’x’ ?...)

Thanks for your help! And no, that’s not my username

So... suppose I’m looking for another hosting provider, what exactly should I ask them? --> ’Can I run php under my own username’? Do you think they’ll understand what that means? (because I don’t, really...)

Re: [TIP] Secure your MODx-installation

netnoise — Jun 26, 2006, 04:11 PM

(In most cases) that means any other hosting-account on that machine may read/write your session files and your cache/assets-folders. In such an environment, your config.inc.php is world-readable, so your mysql-username and password could be read out by other users.

(Hope your username isn’t really ’x’ ?...)

Re: [TIP] Secure your MODx-installation

Maaike — Jun 26, 2006, 03:13 PM

Right. Something is wrong I guess...
It says:
Sessions are stored in: /tmp
WARNING: PHP is running as user ’wwwrun’ while your username seems to be ’x’!

The sessions thing, is that bad?
And php not running under my username, how dangerous is that really? Is it likely to cause any trouble?
I’m already considering a move to another host, perhaps this’ll be the final straw...
PS: and thanks!! of course