#1
I have a couple of TYPO3 sites on hostrockets.com that get hacked almost weekly. I've implemented as many of the security suggestions as possible from the Security Cookbook at: http://typo3.org/teams/security/

I tried setting all subdirectories to non-world-writable, even though this disables image and file uploads.

Is there a list somewhere showing the necessary permissions for each subdirectory, and which files need to be world writable?

Thank you,
Tracey

_______________________________________________
TYPO3-english mailing list
TYPO3-english (AT) lists (DOT) netfielders.de
http://lists.netfielders.de/cgi-bin/.../typo3-english
#2
Hey Tracey,

You need to check how and what happens really closely. Then you can possibly track back how you are getting hacked.

In any case, one piece of advice is to NEVER set a file to world writable. Ask your web hoster what the proper permissions are for the user and group that your server runs under. He should know; if he doesn't know, then find a hoster that does. But never make a directory or file world writable.

Ries

On Jun 5, 2007, at 7:18 PM, Tracey Hummel wrote:
> I have a couple of typo3 sites on hostrockets.com that get hacked almost weekly.

--
Ries van Twisk
Freelance Typo3 Developer
email: ries (AT) vantwisk (DOT) nl
web: http://www.rvantwisk.nl/
skype: callto://r.vantwisk
#3
How does the upload of files from fileadmin work without world-writable subdirectories?

Fantastico installs of TYPO3 appear to leave everything wide open.

Thank you,
Tracey

On Tue, 5 Jun 2007, Ries van Twisk wrote:
> In any case, one advice is to NEVER set a file to world writable.
#4
On Jun 5, 2007, at 8:59 PM, Tracey Hummel wrote:
> How does the upload of files from the fileadmin work without world-writable subdirectories?
>
> Fantastico installs of typo3 appear to leave everything wide open.

Apparently Fantastico is not fantastico...

You need to make sure that you have enough rights to write, which basically means you run the Apache server as the correct user, or you are part of the Apache group (the first one is more usual).

If you get this from your hoster, then you should seriously complain to them.

PS: Using the install tool you can set up user/group permissions to let TYPO3 write as the correct user, including permissions.

Ries
#5
Hi Tracey,

The installation through Fantastico isn't the best. We had similar problems, and since we started using the TYPO3 installation from webempoweredchurch the hacking was gone. They also provide a good tutorial on how to secure your installation. As their package is based on the TYPO3.org download, it is "closed"; WEC is providing a script to set readable only those folders which are really needed by TYPO3. Have a look here and check it out: www.webempowerdchurch.org (.com = forum).

Nevertheless, those open folders are still 777 then.

To secure your TYPO3 you have to do exactly what the install tool is telling you. Go inside the install tool, "All Configuration":

[fileCreateMask]
File mode mask for Unix file systems (when files are uploaded/created).
[BE][fileCreateMask] = 0660

[folderCreateMask]
As above, but for folders.
[BE][folderCreateMask] = 0770

[createGroup]
Group for newly created files and folders (Unix only). Group ownership can be changed on Unix file systems (see above). Set this if you want to change the group ownership of created files/folders to a specific group. This makes sense in all cases where the webserver is running with a different user/group than you do. Create a new group on your system and add you and the webserver user to the group. Now you can safely set the last bit in fileCreateMask/folderCreateMask to 0 (e.g. 770). Important: The user who is running your webserver needs to be a member of the group you specify here! Otherwise you might get some error messages.
[BE][createGroup] = nobody

-----------------

Find these entries and change them to the settings shown here.

I guess that you are on a shared hoster? Before you do it you should check if you have SSH access, AND if your hoster is willing to always change your folders/files back to user:nobody. You will need your hoster to change the group settings of your files, as you won't have the rights to do this.

Your files created by TYPO3 will have nobody:nobody settings and won't be readable by your cPanel or FTP, but you can use quixplorer from inside TYPO3! Files and folders created by cPanel and FTP will be user:user, and with settings 770/660 TYPO3 will have problems reading them too. So the only solution will be to mix both settings as described in the install tool.

--------

Hi community,

If someone has a better solution, we would also prefer to hear about it. What exactly should be the most secure settings on a shared hoster, so that on the one side you have a safe environment and on the other side you are still able to access your files WITHOUT always contacting your hoster?

Imhosted support, which is great (one of our shared hosters meanwhile more or less belongs to our company ;-) because of all this), but it is sometimes boring to wait, even though they have 24h support, until you are able to access your files and folders again. We have chosen this way with the hoster as we haven't found another way to do it, BESIDES getting a vhost or your own dedicated server where you have admin rights (but probably also all the problems of securing your server against everything else that could occur to get hacked).

Andi

2007/6/6, Tracey Hummel <tracey (AT) uainfo (DOT) arizona.edu>:
> How does the upload of files from the fileadmin work without world-writable subdirectories?
>
> Fantastico installs of typo3 appear to leave everything wide open.
#6
Dear Ries,

Ries van Twisk wrote:
> You need to make sure that you have enough right to write, which basically means you run the apache server as the correct user, or you are part of the apache group. (first one is more usual).
> ...
> PS: Using the install tool you can setup user/group permissions to let typo3 write as the correct user including permissions.

As this issue
- is _so_ important to _every_ TYPO3-driven web site,
- and the typical TYPO3 download has nothing to ensure the right permissions (IMHO, unless I have not seen some essentials, again),
- and really _many_ hosters aren't able to do it right,
would you mind sharing your knowledge with us? As verbose as possible (including *nix user/group setup, the Apache user/group setup etc.), addressed at me/us/stupid hosters/the world.

1. If you want to be paid for that, just tell me the price by private email.
2. If that info would reveal too much to potential attackers, again, please write a private email to me.

If none of 1/2 applies, your knowledge should be (at least) documented in the TYPO3 documentation, but better be incorporated into _every_ TYPO3 install (say, as a shell script, driven by some user/group IDs from the install tool).

Best regards

--
 ___ ___
| + | |__   Georg Rehfeld      Woltmanstr. 12        20097 Hamburg
|_|_\ |___  georg.rehfeld.nospam (AT) gmx (DOT) de   +49 (40) 23 53 27 10
(Delete .nospam from mail address)
#7
Maybe one solution could be to use this extension:
http://typo3.org/extensions/reposito...y_check/0.1.4/

Maybe some core dev should have a look at it to see if it's the kind of addition worth integrating into the core... In a way it should/could be merged into the install tool...

What do people here think?

Patrick
#8
Thanks Georg,

You are really speaking from our hearts here! I have already asked many times in forums to get a good description of HOW to set up the user:group rights and permissions in the right way, but until now nobody really replied so that you knew what to do.

Dear Ries,

It would be really appreciated if you posted here what the right settings are. There aren't many possibilities concerning user:group (especially on shared servers):

user:nobody
nobody:nobody
user:user
nobody:user

We are using the first possibility, but we are also having the problems I described before with accessibility of folders and files, i.e. after a TER update. TYPO3 can read the files, but if you need to copy e.g. template files from a TER-updated extension, then you first have to contact your hoster to change this specific extension and all subfolders and files from nobody:nobody to user:nobody.

To set the file permissions to 660/770 we are using the following script:

#!/bin/sh
# Sets the TYPO3 directories that must be writable to 770 (directories)
# and 660 (files): owner and group only, no exec bit on files, nothing for
# "other". Run it from the directory above the site root(s).
while true; do
    echo "This script will set the T3Pack permissions of typo3conf, typo3temp, uploads and fileadmin to 770 (directories) and 660 (files), making them readable and writable by the owner and the web server group only."
    printf "Are you sure you want to set the permissions this way (Y/N)? "
    read yn
    case $yn in
        y* | Y* )
            for d in */typo3conf */typo3temp */uploads */fileadmin; do
                find "$d" -type d -exec chmod 770 {} +
                find "$d" -type f -exec chmod 660 {} +
            done
            break ;;
        n* | N* )
            exit ;;
    esac
done

---------------------------------

Thanks Ries and Georg, please share your knowledge or solutions for how you solved the problem.

Andi

2007/6/6, Patrick Gaumond <patrick (AT) typo3quebec (DOT) org>:
> Maybe one solution could be to use this extension:
> http://typo3.org/extensions/reposito...y_check/0.1.4/
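A worked version of the scheme laid out in this post and in Andi's earlier one (a shared group for your login and the web server user, 770 directories, 660 files, nothing world-writable), as an added example that is not code from the thread, from WEC or from TYPO3 itself. It builds a constructed sample tree in the wide-open 777/666 state a Fantastico-style install was reported to leave behind, counts the world-writable entries, hardens the tree and counts again. The directory names, the group argument to t3_harden and the setgid bit on directories are assumptions; the web server user must already be a member of that group, and on a shared host a chgrp to a group you are not a member of fails without root, which is exactly why the hoster has to get involved.

```shell
#!/bin/sh
# Added example, not from the thread: audit and fix TYPO3 file permissions
# along the lines discussed above (owner + shared web server group, no world
# access). Directory names, the group argument and the setgid bit are
# assumptions; the web server user must already be a member of the group.
set -u

# Print every path below $1 that is world-writable (other +w).
# "-perm -002" is the POSIX spelling, so it works with GNU and BSD find.
t3_list_world_writable() {
    find "$1" -perm -002 -print
}

# Number of world-writable paths below $1; 0 is the target state.
t3_count_world_writable() {
    t3_list_world_writable "$1" | wc -l | tr -d ' '
}

# Give the tree under $1 to group $2, then set directories to 2770 and files
# to 660: owner and group read/write, no exec bit on files, nothing for
# "other". The setgid bit makes new entries inherit the directory's group, so
# files the web server creates stay accessible to you, and vice versa.
t3_harden() {
    root=$1
    group=$2
    chgrp -R "$group" "$root" || return 1
    find "$root" -type d -exec chmod 2770 {} + || return 1
    find "$root" -type f -exec chmod 660 {} + || return 1
}

# Constructed sample tree in the "wide open" state: directories 777, files 666.
t3_make_sample_tree() {
    root=$1
    for d in typo3conf typo3temp uploads fileadmin/user_upload; do
        mkdir -p "$root/$d"
    done
    printf '<?php // constructed sample, not a real localconf.php\n' > "$root/typo3conf/localconf.php"
    printf 'constructed sample upload\n' > "$root/fileadmin/user_upload/image.txt"
    chmod -R a+rwX "$root"
}

# Demo: sh harden.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    t3_make_sample_tree "$tmp"
    printf 'world-writable entries before: %s\n' "$(t3_count_world_writable "$tmp")"
    t3_harden "$tmp" "$(id -gn)"
    printf 'world-writable entries after:  %s\n' "$(t3_count_world_writable "$tmp")"
    rm -rf "$tmp"
fi
```

The demo passes your own primary group to t3_harden so it runs anywhere; on a real host you would pass the group that both you and the Apache user belong to, and keep [BE][fileCreateMask]/[BE][folderCreateMask]/[BE][createGroup] in the install tool in step with it so that files TYPO3 creates afterwards come out the same way. Running t3_list_world_writable against the document root after a TER update or an FTP upload is a quick way to see whether something has drifted back to 777.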
#9
Hi Patrick,

Patrick Gaumond wrote:
> http://typo3.org/extensions/reposito...y_check/0.1.4/
>
> Maybe some CoreDEV should have a look at it to see if it's the kind of addition worth integrating into core...

This extension does not provide security checks in the sense of checking the source code of an extension for SQL injections, CSS and so on. The extension is doing checks on configuration settings, something the install tool is already doing. Although the extension has been enhanced since I first looked at it, IMHO only items 42 - 44 [1] are of interest regarding file permissions.

[1] <http://typo3.org/documentation/document-library/extension-manuals/security_check/0.1.4/view/1/1/>

Cheers,
Andreas
#10
Hey,

If you use SELinux on a RHEL or CentOS server, there is additional care to take. You need to set the same user/group and the same security context as Apache in order for Apache to serve any file at all.

Apparently this is not the issue here, but just so you're prepared.

greetings,
benni.

-SDG-
www.xnos.de // www.xnos.org