Hello Dolphin users
I am currently setting up Dolphin 7.09 on a dedicated server and everything is fine so far. Yet there is one question I still worry about: are all Dolphin files and folders in my /www/htdoc directory owned by user root or www-data?
I made a mistake and entered "chown -R www-data:www-data htdocs/*" and do not want to install everything again :(
If I chown everything to root:www-data, some things start to mess up. When I chown to www-data:www-data, everything is fine. I worry about security when setting it to www-data:www-data; can you tell me which files/folders need which ownership? I can only find information about permissions.
Many thanks in advance, I hope somebody can help me. |
You should chown all the files in the public directory to the account owner. So if the owner of the account was "example" you would chown -R example:example
I know on a Cpanel account if you don't change the default username it's normally the first 6 or 7 letters of the domain name.
Also delete everything (except the .htaccess) in /cache, /cache_public and /tmp after you fix the ownership.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Thanks for your tip. So if I understand right (I do not use cPanel), after I uploaded all files with "root" to my dedicated server's htdocs directory (which runs php5-cgi fcgid) I did a chown -R example:example htdocs/* before I added a user adduser example so all files and folders now belong to user example, which is in the group of Apache, www-data.

This is what makes me confused: if PHP runs in the context of example, then somebody who has broken into the website has full rights to all files, or not? So what is the point of setting all files to be writable with 644 or 755 etc.? Shouldn't the owner have no write access to read-only files? I thought all static files that Dolphin never touches should have "root" as owner and group "example", so the files can never be changed even if somebody breaks in. Maybe I have an error in my reasoning, but that's really what I worry about.

By the way, running php5-cgi/fcgid (FastCGI) it is necessary to lock the PHP process into the directories; from what I know I have to do this with the open_basedir = ....../htdoc statement. Why does Dolphin need this one to be empty? That also breaks every security from what I know and what my hoster tells me. What if I lock PHP anyway with open_basedir?

Also, what about setting all read-only files with the immutable bit (ext2/ext3)? If only I could find a list which tells me which files/dirs need to be read-only and which do not. Boonex should make such a list so website owners can harden their websites. :( |
What you are saying makes sense from the security standpoint but I think it will be difficult to try and determine which files to set to root and which files not to. Again my knowledge is limited to only Cpanel/WHM setups because that is all I have ever used.
It's my understanding that the advantages of having everything owned by the account are:
1. If someone does break into that site they won't be able to access the files on any other account.
2. The script itself can add/delete/modify files if it needs to.
3. You don't have to set any directory to 777 (depending on how you have PHP set up).
I have mine set up as fcgid also. I guess if you only have one site on the server there really aren't that many advantages to having everything owned by the user account.
I think you make some very interesting points. Maybe I've been looking at everything the wrong way.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Oh you are fast :) I already edited my post before with some more questions and concerns. :) Does Boonex also read the forums? I am really new here. |
Boonex very rarely reads the forums. Most of the people here are just other users and a small (but highly skilled) team of moderators... and by team I mean mostly Nathan.
About the immutable bit, I've never really experimented with that at all so I'm not sure.
You can find a list of the files and directories that Dolphin needs to be writable by going to: Administration -> Tools -> Host Tools -> Permissions. So if it isn't on that list you should be fine making it read only...
Oh and welcome aboard!
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Yeah I know, but it doesn't tell me the needed owner :)
Btw I really don't trust this permission checking. I think it rather checks if "dolphin can work" instead of "dolphin can work AND website is secure with lowest possible rights set".
Edit: Boonex, I made a stupid mistake and clicked on "report" for "mscott's" post before. I am still sleepy and saw "reply" lol. What a bad feeling I have now.... |
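The gap raised in the post above (a check for "lowest possible rights" rather than "Dolphin can work") can be covered with a report-only audit. This is an added example, not part of the thread and not Dolphin code: the function name `audit_writable` is hypothetical, and the allowlist of writable directories is an assumption that has to be filled in from Dolphin's Permissions page.

```shell
#!/bin/sh
# Hypothetical helper (not part of Dolphin): list everything under a docroot
# that the PHP account could modify, outside the directories that are meant
# to be writable. It only reports; it never changes ownership or modes.
#
# usage: audit_writable DOCROOT PHP_USER PHP_GROUP [WRITABLE_DIR ...]
#   DOCROOT       path without a trailing slash, e.g. /www/htdocs
#   PHP_USER      account (name or numeric id) the PHP processes run as
#   PHP_GROUP     group (name or numeric id) of that account
#   WRITABLE_DIR  directories relative to DOCROOT that may stay writable
audit_writable() {
    docroot=$1
    php_user=$2
    php_group=$3
    shift 3
    n=$#

    # Turn each allowlisted directory into a "-path DIR -prune -o" clause,
    # appended after the original arguments, then drop the originals.
    for dir in "$@"; do
        set -- "$@" -path "$docroot/$dir" -prune -o
    done
    shift "$n"

    # A path is reported when the PHP account can write to it through the
    # owner bit (0200), the group bit (0020) or the world bit (0002).
    # Symlinks are skipped because their own mode bits are not meaningful.
    find "$docroot" "$@" ! -type l \( \
        \( -user "$php_user" -perm -200 \) -o \
        \( -group "$php_group" -perm -020 \) -o \
        -perm -002 \
    \) -print
}

# Run directly, e.g.:
#   sh audit.sh /www/htdocs example www-data cache cache_public tmp
# The three directory names are the ones mentioned in this thread; the full
# list has to come from Dolphin's Permissions page.
if [ "$#" -ge 3 ]; then
    audit_writable "$@"
fi
```

Every path it prints is something a compromised PHP process could overwrite. The check reads mode bits only, so supplementary groups of the PHP account and ACLs are not taken into account.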
LOL, it's ok... the "reports" here don't go anywhere :-)
You're correct, it is really just saying it will work but not really if it's secure.
Are you using mod_security?
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
I don't have this installed yet, but that's a good point. Is it easy to implement (together with Dolphin)? I never did that before. Maybe you can point me to good instructions for running it with Dolphin? |