flatpressblog / flatpress

FlatPress is a lightweight, easy-to-set-up flat-file blogging engine.
https://flatpress.org
GNU General Public License v2.0

Check default file permissions #173

Closed azett closed 7 months ago

azett commented 1 year ago

Question by Rudra on Twitter:

Why does setup.php change the permission to 777 globally in the flatpress webroot? Isn't 640 better?

Legit question - needs to be inspected.

Fraenkiman commented 1 year ago

Hello all,

In fact, some files and directories require full access, both for users and groups. Historically, until June 2011, rights management was handled by core.filesystem.php and plugin.thumb.php. For simplification, which is a good thing, the rights management then moved to the default.php file. However, until October 2023 the FlatPress setup did not change the permissions. The default values of the permission 0777 are only read via the defaults.php - not executed. To do this, you must actively "reset the permission" in the administration area in the Maintenance panel.

Unfortunately, not all web servers are set up optimally, and the FlatPress admin does not have access to the server's permissions; possibly also not enough knowledge to secure the web server. Therefore the solution "Everyone is allowed to do everything (777)" is the easiest - and guarantees that FlatPress will run.

There are two possible solutions:

1. In the administration area, a maintenance mode with the permissions 0775 is provided in the Maintenance panel. In online mode, the permission is lowered to a smaller level.

or

2. The PrettyURLs plugin already offers the possibility to install a predefined .htaccess file. It may be possible to bag a little more security over this. But again, the webserver must support .htaccess.

@azett , what do you think about this?

With best regards Frank
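The permission question raised above (a blanket 0777 versus a lower default) can be checked on a real install with a short audit script. The following is an added example, not code from the FlatPress project or from either commenter: it lists every world-writable entry under a webroot, applies a conservative baseline (directories 755, files 644), and then grants group write only to the data directories the web server actually needs. The `WEB_GROUP` name and the `fp-content` data directory are assumptions for the example; adjust them to the deployment you are auditing.

```shell
#!/bin/sh
# Added example (not FlatPress project code): audit a webroot for world-writable
# entries and replace a blanket 0777 with a least-privilege scheme.
# Assumptions (constructed for this example): the web server runs under the
# group named in WEB_GROUP, and only the directories listed in WRITABLE_DIRS
# must be writable by it. Both are placeholders for your own setup.

WEB_GROUP="${WEB_GROUP:-www-data}"
# Data directories a flat-file engine writes to; hypothetical name.
WRITABLE_DIRS="fp-content"

# Print every file or directory under $1 that is writable by "other"
# (permission bit 002). Any output means 777/666-style permissions remain.
find_world_writable() {
  find "$1" -perm -002 -print
}

# Returns success (0) when nothing under $1 is world-writable, failure otherwise.
check_no_world_writable() {
  [ -z "$(find_world_writable "$1")" ]
}

# Apply a conservative baseline: directories 755, files 644, then make only the
# data directories group-writable (775/664) so the web server group can write
# without opening them to every local user.
harden_webroot() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  for d in $WRITABLE_DIRS; do
    [ -d "$root/$d" ] || continue
    find "$root/$d" -type d -exec chmod 775 {} +
    find "$root/$d" -type f -exec chmod 664 {} +
  done
}

# Demo on a constructed, throwaway tree that mimics a "777 everywhere" install.
# Returns 0 when the hardened tree contains no world-writable entries.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/fp-content/cache" "$tmp/fp-includes"
  echo "<?php" > "$tmp/index.php"
  echo "data" > "$tmp/fp-content/cache/x.txt"
  chmod -R 777 "$tmp"
  before=$(find_world_writable "$tmp" | wc -l)
  harden_webroot "$tmp"
  after=$(find_world_writable "$tmp" | wc -l)
  echo "world-writable entries before: $before, after: $after"
  rm -rf "$tmp"
  [ "$after" -eq 0 ]
}
```

Run `demo` to see the before/after counts on the constructed tree, or point `find_world_writable` at an existing webroot to see what a 0777 "reset the permission" actually left behind. Ownership of the data directories still has to be set with `chgrp` to the web server group for the 775/664 scheme to work; the script deliberately changes modes only.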

Fraenkiman commented 7 months ago

I am closing this issue because we have found a good middle ground. It can be reopened if required.