
Hi all,

I’m a front-end dev who recently requested a Symphony install on our production servers for a small corporate site. Unfortunately, our technical guy seems to have pretty serious security concerns about the system. Apparently, Symphony requires write access to the root directory in order to work and he is really not happy about it (something to do with the htaccess file I am told). I have scoured the web in search of people with similar concerns to no avail. I also stumbled across this http://forums.cnet.com/7726-6132_102-3374234.html which seems to be a fairly recent issue although it seems not related.

As you’ve probably guessed, I’m not versed in server security so I’d appreciate any information you could provide that would help me understand and resolve the problem or at least reassure my colleague.

Many thanks.

That issue that you have linked to has been resolved in Symphony 2.1.2 through a few code changes and by providing users with the XSS Filter extension to sanitise data inputs.

Symphony only requires the access to install, not to function. The recommendation to 777 is to prevent any permission errors that would block the installation. There is a subsequent recommendation in the README to then change the permissions back after installation.

FYI for your technical guy, the only files written are the .htaccess, a manifest folder with 3 empty directories (tmp, logs and cache) and one file, config.php, and finally an empty workspace folder. It is required that the manifest be writable (and readable, for that matter). The .htaccess file contains rewrite rules required for Symphony to function.

During development, the workspace folder should be writable so that new Events, Datasources and Pages can be written to disk, but for a production site, these can be locked down to read only.

If you have any other concerns or queries, please ask!

Thanks Brendo! I’ll pass on this info to the techies and will get back to you if any other concerns arise.

Cheers!

As for the bugs in the CNET article, these have been patched in the current 2.1.2 release, both in the core and with the addition of an XSS extension to filter your user generated content.

Symphony only requires the access to install, not to function.

Usually I set up and develop my Symphony-sites on my local server (and don’t really care about taking the access rights after installation) and deploy it at a later stage.

During the deployment I manually create the manifest/config.php file as well as .htaccess and only give write access to tmp/, logs/ and cache/ inside manifest/.
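The lock-down that Brendo's post and the deployment note above describe, as an added shell example (not part of the thread or of Symphony's own installer). It builds a throwaway tree with the files named in the thread, applies the post-install permissions, and checks that nothing outside manifest/tmp, manifest/logs and manifest/cache is writable by group or other. The tree layout is constructed, and it assumes the web server runs as a user in the file owner's group (hence 775 on the three runtime directories and 640 on config.php) and GNU find (for `-perm /022`).

```shell
#!/bin/sh
# Added example: post-install permission lock-down for a Symphony-style tree.
# The directory layout below is constructed for the demo, not a real install.
set -eu

# Print a file's octal mode (GNU stat first, BSD stat as fallback).
perm_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Build a throwaway tree the way a 777 install would leave it.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/manifest/tmp" "$root/manifest/logs" "$root/manifest/cache" \
           "$root/workspace" "$root/symphony"
  printf 'RewriteEngine On\n' > "$root/.htaccess"
  printf '<?php // constructed config\n' > "$root/manifest/config.php"
  chmod -R 777 "$root"
  printf '%s\n' "$root"
}

# Apply the production permissions discussed in the thread.
lock_down() {
  root=$1
  # Baseline: directories traversable, files readable, writable by owner only.
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # Only the three runtime directories stay writable by the web server group.
  for d in tmp logs cache; do chmod 775 "$root/manifest/$d"; done
  # config.php holds database credentials: owner and web server group only.
  chmod 640 "$root/manifest/config.php"
  # Rewrite rules are read-only; the server never needs to write them.
  chmod 644 "$root/.htaccess"
  # Production: no new Pages, Datasources or Events get written to disk.
  chmod -R a-w "$root/workspace"
}

# Return 0 if nothing outside the three runtime directories is writable
# by group or other, 1 otherwise (the offending paths are printed).
verify_locked_down() {
  root=$1
  bad=$(find "$root" \( -path "$root/manifest/tmp" \
                     -o -path "$root/manifest/logs" \
                     -o -path "$root/manifest/cache" \) -prune \
                  -o -perm /022 -print)
  [ -n "$bad" ] && printf 'still writable:\n%s\n' "$bad"
  [ -z "$bad" ]
}

# Usage on a constructed tree, so it is safe to run anywhere.
demo_root=$(make_fixture)
lock_down "$demo_root"
verify_locked_down "$demo_root" && echo "lock-down ok: $demo_root"
rm -rf "$demo_root"
```

Run `verify_locked_down /path/to/site` on its own against a real install to list anything that is still group- or world-writable; the root directory itself ending up at 755 is what addresses the "write access to the root directory" concern from the first post.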

Thanks everyone for your help. Let’s see if this does the trick ;)

I'm looking for a list of correct folder permissions to improve security on shared hosting. I checked the defaults and the major folders were 755. I tried setting some core folders to 644, but that hides the files inside from FTP; is that normal?

I know that the logs, tmp and cache folders need to be set to 755 etc. But I think that only these folders can be 755, correct?

Thanks.

@marciotoledo, as I understand it, directories should usually be executable to users who need to read what's inside so that they can be cd'ed into (the user your FTP client identifies itself as, for example).

If you want to set a directory to be read-only to only its owner, I think you'd make it 500, but you wouldn't do this if your FTP user and webserver user are two different Unix users. Read-only to everyone: 555.

The same for files: 400 or 444.

Which you choose will depend on your webserver's Unix user/group setup.
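An added demonstration of the point made above about the execute bit on directories (not part of the thread). It creates a constructed directory with one file, applies a mode, and reports whether a file inside can still be opened: 400 (read but no execute) denies access, while 500 and 555 allow it. Permission bits do not apply to root, so the probe only shows the difference when run as an ordinary user.

```shell
#!/bin/sh
# Added example: why a directory needs the x bit to be entered.
# The directory and file are constructed for the demo.
set -eu

# Return 0 if a file inside the given directory can be opened, 1 if not.
can_open_inside() {
  cat "$1/secret.txt" >/dev/null 2>&1
}

# Apply MODE to a throwaway directory holding one file and print
# "open" or "denied" depending on whether the file can be read through it.
probe_mode() {
  mode=$1
  d=$(mktemp -d)
  printf 'hello\n' > "$d/secret.txt"
  chmod "$mode" "$d"
  if can_open_inside "$d"; then result=open; else result=denied; fi
  chmod 700 "$d"          # restore so cleanup can traverse it
  rm -rf "$d"
  printf '%s\n' "$result"
}

# Usage: compare the owner-read-only modes from the post above.
for m in 400 500 555; do
  printf 'directory mode %s: %s\n' "$m" "$(probe_mode "$m")"
done
```

The r bit alone lets `ls` list the names in the directory, but without x the kernel refuses to resolve any path through it, which is why a 644 folder looks empty or unreadable from an FTP client.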

Why do directories need the executable (X) permission to be opened?

Hi @DavidOliver, thank you for the explanation. Today I have some projects on a Dreamhost shared server and am looking for additional adjustments to avoid some security problems.

I'm thinking about moving to a VPS plan for some "important" projects; maybe it is a good solution for security and performance.

I don't know much about Linux / webserver security but have had trouble on two projects with PHP files being injected. So I'm online trying to avoid this happening again.


Symphony • Open Source XSLT CMS

Server Requirements

  • PHP 5.3-5.6 or 7.0-7.3
  • PHP's LibXML module, with the XSLT extension enabled (--with-xsl)
  • MySQL 5.5 or above
  • An Apache or Litespeed webserver
  • Apache's mod_rewrite module or equivalent
