Trying to secure cache permissions stricter than 777

My site got hacked last week (one of the reasons I'm trying to update from 1.2.6 to 1.2.9).

I stupidly left the zp-data folder permissions set to 777 and somebody dropped a phishing scheme into that folder. Not sure how they did it, but it's made me want to lock down everything as much as possible permission-wise.

I can't get zenphoto to run on my home machine or my server without the cache folder being set to 777. Can someone please explain how it is possible to run zenphoto with the cache folder set on 755? I really don't want to leave any folder permissions set on 777 after my bad experience.

Are there any questions/settings I can ask my ISP to make to the server (or make to the server on my home machine) to get this to work? I haven't been able to find any documentation beyond, "if it doesn't work, you'll have to set permissions to 777."

Thanks in advance for any advice. I truly appreciate the support and kindness from this forum!

Comments

  • It's always best to upgrade. :)

    The last publicly known exploit was with 1.2.5, if I'm not mistaken. Not sure if that exploit held over to 1.2.6, but it's been fixed over time.

    The permissions are really what the server will allow. It may be that your server does not allow any stricter permissions than 0777. It all depends on how your provider has set the server up. You could ask your provider if it would be possible to make permissions stricter, as it's up to them what the server allows.
  • I'm pretty clueless about these things -- just know enough to get myself in trouble :)

    I have the ability on my ISP server and my home server to change the permissions of files and folders. I know how to do that much. I set Zenphoto to be on strict permissions 755, and when I did this it told me I had to change the folders manually, which I did. After doing so, on both my ISP server and home server, I get an "Error Cache Directory Not Writable" message and don't see images.

    Is it a matter of the server seeing zenphoto as being part of a group? Trying to understand what to ask my ISP to do in terms of setting, and also see if I can alter the settings on my own computer/home server to make it work.

    Hope that makes some sense!
  • acrylian Administrator, Developer
    @kagutsuchi: That old 1.2.5 exploit is surely fixed. It might not be Zenphoto's fault that the server got hacked.

    @harootun: Regarding permissions please also read: http://www.zenphoto.org/2009/03/troubleshooting-zenphoto/#29
    In any case I would contact your host.
  • @acrylian: I know that it has been fixed by now, but I wasn't sure if it had been fixed for 1.2.6. :)

    @harootun: You should be able to use the article acrylian posted to explain to your host what permissions are recommended.
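
Whether the cache folder can be stricter than 777 comes down to which account PHP runs as compared with the account and group that own the folder. The script below is an added example, not part of the thread or of Zenphoto; the uid/gid numbers are constructed, and the account name passed to `check_dir` is whatever your server runs PHP as (an assumption you have to confirm with your host).

```shell
#!/bin/sh
# Added example: find the strictest mode that still lets the web server's
# PHP account write to a directory such as Zenphoto's cache folder.

# needed_mode OWNER_UID OWNER_GID PROC_UID "PROC_GIDS"
# Prints 755 if the process owns the directory, 775 if it only shares the
# directory's group, 777 if it is neither the owner nor a group member.
needed_mode() {
    owner_uid=$1; owner_gid=$2; proc_uid=$3; proc_gids=$4
    if [ "$proc_uid" = "$owner_uid" ]; then
        echo 755; return
    fi
    for g in $proc_gids; do
        if [ "$g" = "$owner_gid" ]; then
            echo 775; return
        fi
    done
    echo 777
}

# check_dir DIR USER: apply needed_mode to a real directory and account.
# USER is the account PHP runs as (hypothetical examples: www-data, apache).
check_dir() {
    dir=$1; user=$2
    # GNU stat first, BSD/macOS stat as a fallback
    owner=$(stat -c '%u %g' "$dir" 2>/dev/null || stat -f '%u %g' "$dir")
    set -- $owner
    needed_mode "$1" "$2" "$(id -u "$user")" "$(id -G "$user")"
}

# Constructed sample: cache folder owned by uid 1001 / gid 1001 (the FTP account)
needed_mode 1001 1001 1001 "1001"     # PHP runs as the folder's owner
needed_mode 1001 1001 33 "33 1001"    # PHP account is in the owner's group
needed_mode 1001 1001 33 "33"         # unrelated PHP account
```

If the result for your real cache folder is 777, the change has to happen on the server side: the host can run PHP under the account that owns the files, or add the PHP account to the folder's group so 775 is enough.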