Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Security questions
#1
Hi all, I'm just getting started using GetSimple and I like it so far. I'm used to Joomla and a little Drupal, so I'm not a noob when it comes to CMS, but I do have some questions about increasing security.

My joomla sites I host on a dedicated server where I can control security pretty well. However I want to host a couple of GetSimple sites on a shared hosting account I have where the host doesn't allow all features of .htaccess. The last time I used this shared hosting account to run a Joomla site, a few years ago, it was hacked in a month and turned into a porn portal. I certainly don't want that to happen again!

So my question is how important is .htaccess in security of GetSimple? I see the root .htaccess blocks access to all xml files except sitemap. Can I simply change the permissions of the data directory to 750 (block all public) instead? I've tested this and GetSimple seems to still work fine. The website healthcheck throws up a lot of "0750 Not Writable" errors for the data directory, but in reality I can still edit and add pages. This is actually how I run my joomla sites as well - as long as the webserver unix user (www-data or apache) can access and edit files, there doesn't need to be public access for anything other than essential php files.

Are there any other directories or files I should block access to in the same way? Or any other security tips from people using GetSimple in the wild? Is what I'm doing here a bad idea for any reason?

Thanks very much! Smile
Reply
#2
that should be an OK alternative. We aren't saying that our .htaccess solution is the only or best way, but it does work just fine.
- Chris
Thanks for using GetSimple! - Download

Please do not email me directly for help regarding GetSimple. Please post all your questions/problems in the forum!
Reply
#3
Good news, thanks!
Reply
#4
My server is set up so Apache/PHP runs with the permissions of the file owner. This means directories are created 0750 and files 0640. Get Simple's health-check warns that none of the directories are writeable - which isn't true. Permissions are 0750, and that is perfectly writeable for Get Simple, which other than the warnings works just fine.

Is it possible for the health-check page to check permissions in a cleverer way? I.e. Checking that it can actually write something, rather than looking only at the permissions classes and making assumptions about how permissions are configured on the server?
Reply
#5
I will be adding an actual write test to health check probably, but that to detect file system read only issues, not file permissions.

I think health check is also checking 755, which as you say is overkill for write privs, I am not very familirar with perm bitmasks though.

I also have some pretty strict htaccess entries for my uploads folder, like no code execution etc.
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Reply
#6
(2012-08-09, 22:41:01)shawn_a Wrote: I also have some pretty strict htaccess entries for my uploads folder, like no code execution etc.

Could you please be more specific?
If it's possible please paste the content here. (Even with sensitive data modified if you need so.)

Thanks
Reply
#7
Not really but you can find some information here.

http://journalxtra.com/websiteadvice/wor...ules-4025/
http://stackoverflow.com/questions/50102...g-executed
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Reply
#8
(2012-10-31, 06:20:37)shawn_a Wrote: Not really but you can find some information here.

http://journalxtra.com/websiteadvice/wor...ules-4025/
http://stackoverflow.com/questions/50102...g-executed

Thanks, first link is interesting.
Reply




Users browsing this thread: 2 Guest(s)