
Vanilla 2.0.18.10 and nginx and folder permissions

Hello;
Today I installed Vanilla 2.0.18.10 on an nginx server. In the installation process it asked me to chmod several folders to 777, and also as far as I know nginx doesn't read the .htaccess file that comes with your zip file.
So I am in a bit of a jam here, as all my folders are accessible and I don't know which permission I should set for which folder after install, and how and what to add as the rewrite rule for nginx.
PS: I installed Vanilla in the root folder (htdocs) of my server, not as htdocs/forum.
Thanks

Comments

  • x00x00 MVP
    edited February 2014

    You need to set up appropriate server rules for nginx and good file management practices. This can be very specific to the setup, rather than one size fits all. There are tutorials, but you need to understand the rules and how they apply to you.

    Really you should never chmod 777 anything. This is a misleading statement, left over because cheap webhosts make it impossible to do proper file management, especially assigning ownership, which is a critical part of file management.

    Really as a webmaster, you should aim to understand both file permissions and server rules properly. There is no real shortcut on that learning curve.

    Because of sales-driven splurge, people have the misleading impression that being a webmaster / server admin is something that can be picked up overnight. I'm not saying this is you, just pointing this out.

    You need a good grounding in nginx before you use it.

    The reality is yes, a lot of people get by, but they don't really know what they are doing and they are putting themselves at risk.

    grep is your friend.

  • @x00 so what should I change my folder permissions to (the chmod 777 .... was given by the Vanilla installer script)?
    The main question here would be what permissions I should change my folders, such as upload and ...., to.
    Another part would be the rules and rewrites for nginx. For example DokuWiki has a page on securing the wiki on an nginx server which explains in detail which directories or folders we don't want nginx to show in the browser, so we tell it to return Forbidden.
    I guess we have something like that here.
    I am looking for this information and how to apply it.
    1. What should my folder permissions be now that I have passed the installation process?
    2. What rules and rewrites do I need to put in my /etc/nginx/sites-available/vanilla?
    a. to discourage access to certain folders in the browser
    b. to translate the .htaccess to nginx rewrite rules

  • Herein lies the problem with stock replies

    I could say set your file permissions to 644 and folder permissions to 755 except for the folders and files you want to be writable. However this isn't a good response at all, or necessarily accurate.

    The reason being, the real answer is that you should set file permissions appropriately and conservatively. You should never treat file permissions as absolute; they relate to the owner and group. Appropriately assign them to the right user, using the minimum permission needed, and don't assume it is always the same user/process. For instance PHP might be running through suPHP with a different user than the one used for other files.

    My general advice: create a user with limited capability. Assign that user to files that only need view permissions. Allow view permissions for other users on those files. For files that require write or execute, instead assign them only to the process user of that process, then set write or execute permissions for only that process user.

    Learning how to copy commands verbatim will not help you with security; you need to understand what they are actually doing, the context in which they apply, and how that relates to your setup. You can't get that from stock replies; you need to cover some curriculum, such as a course. Then, based on some knowledge, you can ask for help here checking your work against a known objective. Right now you don't really know what it is you want with regard to specific server requirements.

    There are examples of nginx server rules for Vanilla, but I'm not going to say they are complete, or that they necessarily apply to you. You need to understand them, and create server rules that are appropriate for you. There are always improvements.

    grep is your friend.

  • Well, for the first step do this with the htdocs folder.
    chown -R USER:GROUP htdocs
    The USER:GROUP should be the user and group nginx is running as.
    That will save the hassle with permissions.
    So no worries there.
    In search of rewrite rules and forbidden rules for the needed Vanilla folders. :|

  • x00x00 MVP
    edited February 2014

    It will certainly not save you hassle if a malicious script starts writing to files you have willfully given it permission to write to.

    Believe me, one of the dumbest things people do is assign all the files to the process user, to put them under its control. Most of the files only need to be read; the process doesn't need to own them at all.

    grep is your friend.

  • @x00; yes, but it would help me to know which files just need write or which ones just need read. Then from there the actual permission setup would be an easy task.
    It will be useful to have those facts. Don't you agree?

  • If there is a wiki page on that, I have yet to see it.

  • x00x00 MVP
    edited February 2014

    The only files that need to be writable are conf/config.php, uploads/* and cache/*; that is it.

    Nothing else needs to be writable except possibly error logs, and you don't want your logs publicly accessible.

    grep is your friend.

  • @x00 Permissions are an area I have been meaning to look at more closely. It is nice that Vanilla makes it easy, with only a few things requiring write to run.

    I had the idea of assigning root as owner with a new group, webdevs, as the group. My user would be a member of webdevs and I would assign 775 to directories and 664 to files that www-data doesn't require making any changes to.

    Based on your post, I would have to assign www-data as the group for /conf/, /conf/config.php, and /cache/. What I'm not clear on is how to protect /conf/ from malicious writes. I can make an nginx rule for /cache/ to treat the contents as plain/text, but I don't see how to do that for /conf/.

  • Duh, I just answered my own question. User www-data can still save to /conf/ so long as it has write permissions on /conf/config.php.

  • @x00 said:
    The only files that need to be writable are conf/config.php, uploads/* and cache/*; that is it.

    Nothing else needs to be writable except possibly error logs, and you don't want your logs publicly accessible.

    uploads folder perhaps.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • @m_hmt said:
    If there is a wiki page on that, I have yet to see it.
    @openletter said:
    Duh, I just answered my own question. User www-data can still save to /conf/ so long as it has write permissions on /conf/config.php.

    /conf/config.php is the only file that should be written to.

    grep is your friend.

  • @openletter said:
    Based on your post, I would have to assign www-data as the group for /conf/, /conf/config.php, and /cache/. What I'm not clear on is how to protect /conf/ from malicious writes. I can make an nginx rule for /cache/ to treat the contents as plain/text, but I don't see how to do that for /conf/.

    Core files are inherently protected; however, as everything is supposed to go through index.php, you can make sure that FastCGI only routes index.php and that no other PHP files are directly run.

    grep is your friend.

  • @x00 without making /conf/ writable, config.php cannot be written to.
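The permission scheme the thread converges on (owner-readable everywhere, process user granted write only on conf/config.php, uploads/* and cache/*) as an added example, not code from this thread or from Vanilla itself. It builds a constructed stand-in for a document root, applies the scheme with plain chmod, and then audits the tree for anything else the process user could write to. The account names deploy and www-data are assumptions, and the chown is left commented so the script also runs unprivileged.

```shell
#!/bin/sh
# Added example (not from the thread or Vanilla): apply the writable-file list
# discussed above to a constructed sample tree, then audit it.
set -eu

# Build a constructed sample tree with the directories the thread names.
# File names are made up for the example.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/conf" "$root/uploads/2014" "$root/cache" \
             "$root/library/core" "$root/applications/dashboard"
    for f in index.php conf/config.php conf/config-defaults.php \
             cache/compiled.php uploads/2014/avatar.png library/core/functions.php; do
        : > "$root/$f"
    done
    echo "$root"
}

# Conservative baseline: owner reads and writes, process group reads, no world
# access. Then open only the three sanctioned locations to the process group.
apply_permissions() {
    root=$1
    # chown -R deploy:www-data "$root"  # assumption: deploy owns the tree, www-data runs PHP
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
    chmod 660 "$root/conf/config.php"
    find "$root/uploads" "$root/cache" -type d -exec chmod 770 {} +
    find "$root/uploads" "$root/cache" -type f -exec chmod 660 {} +
    # conf/ itself stays 750: rewriting an existing config.php in place only
    # needs write on the file. Only if the application replaces the file
    # (write a temp file, then rename it over) does conf/ need group write too.
}

# Audit: print every path that is group- or world-writable outside the
# sanctioned locations. Prints nothing and returns 0 on a clean tree.
audit_writable() {
    root=$1
    bad=$(find "$root" \( -perm -020 -o -perm -002 \) \
        ! -path "$root/uploads" ! -path "$root/uploads/*" \
        ! -path "$root/cache"   ! -path "$root/cache/*" \
        ! -path "$root/conf/config.php" | sort)
    [ -z "$bad" ] && return 0
    printf 'unexpected writable path(s):\n%s\n' "$bad"
    return 1
}

# Stand-alone run: build the tree, apply the scheme, audit, clean up.
main() {
    root=$(make_sample_tree)
    apply_permissions "$root"
    audit_writable "$root" && echo "clean: only the sanctioned paths are writable"
    rm -rf "$root"
}

main
```

Run it against a real document root by replacing make_sample_tree with the path to htdocs and uncommenting the chown once the owner and process user are known; the audit function is the part worth keeping, since it turns the thread's advice into a check that can be rerun after every upgrade or plugin install.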
