Task #57354

Task #52668: Install Tool: Remove permission checking and fixing code from "folder structure"

Default file permissions recommendation schould be 0665 instead of 0660

Added by Markus Hölzle over 6 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Install Tool
Target version:
Start date:
2014-03-26
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
6.2
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

The new install tool recommends file permissions 0660 for setting "BE/fileCreateMask". But 0660 doesn't work (at 1und1 server), 0665 works fine.
Same issue for "BE/folderCreateMask": the install tool recommends 2770, but only 2775 works.
If I set the recommended file permissions (screenshot is attached), you can't load the images via browser (Error 403 - Forbidden).


Files

error.png (20.4 KB) error.png Markus Hölzle, 2014-03-26 21:42
#1

Updated by Jan Radecker over 6 years ago

0665 may work but it is wrong. Normal files do not need nor should have execute permission.

0664 would be right.

#2

Updated by Markus Hölzle over 6 years ago

You are right, the permission 0664 and 2774 also works fine

#3

Updated by Gerrit Code Review over 6 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28917

#4

Updated by Jan Radecker over 6 years ago

2774 for directories is also wrong. 2775 was fine.

Please read [[http://de.wikipedia.org/wiki/Unix-Dateirechte#Oktalnotation]]

#5

Updated by Ernesto Baschny over 6 years ago

  • Status changed from Under Review to Needs Feedback
  • Target version set to next-patchlevel
  • Parent task set to #52668

Recommended is "0660 and 2770", because world readable files is not something we should recommend for security reasons.

The "shipped defaults" are still "0664" and "2775" because it works on every setup (like 1and1).

So one idea might be to explain this a bit better to new users which are just using the defaults and wondering why they are not recommended:

  • if you are running with the "defaults" (0664 and 2775), we should not issue a Warning but a Notice instead (no "2" red badge in the Install Tool).
  • the Notice in the screen should then inform that you are using the defaults, which is fine, but for security reasons you should consider 0660 and 2770, but being aware that it might not work with every hoster.

What do you think?

#6

Updated by Gerrit Code Review over 6 years ago

  • Status changed from Needs Feedback to Under Review

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28917

#7

Updated by Frans Saris over 6 years ago

I'm also for changing it from warning to notice. The warning results in a message in the system report email.

#8

Updated by Gerrit Code Review over 6 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28917

#9

Updated by Markus Hölzle over 6 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#10

Updated by Benni Mack about 2 years ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF