Forums ⇒ CMS (All) ⇒ Security :: Archives ⇒ Security Changes by webhost effect CPGnuke? :: Archived
Security Changes by webhost effect CPGnuke? :: ArchivedPost any security related questions in here.
Please send discovered reports to security @ cpgnuke.com Do Not post links to exploits or hacker sites - your post will be edited/deleted. If you think you've been hacked, FIRST go through your server logs.
Mel, Forum Admin
Offline Joined: Jul 21, 2004 Posts: 1386 Location: Eastern Time Zone
Posted: Tue Sep 28, 2004 2:27 pm Post subject: Security Changes by webhost effect CPGnuke?
Dear Staff,
I received the following letter from my webhost. My question to you: will this change affect how I am able to navigate as an administrator on my website?
I recently tried to remove a user from "groups" and was directed to a blank page.
I never had a problem with this before until my webhost did these security updates.
I would love to know your opinions on this. I sent a very unhappy email to my webhost about this.
I suppose I should have checked here first to find out if these security measures will alter my ability to use cpgnuke.
Thanks for your comments or suggestions.
Here's their letter:
| Mel's Webhost wrote: |
Hello Mel,
A number of software upgrades have been implemented on our servers in the last 24 hours; including updates to Apache, our FTP daemon and PHP. Other changes have also been made in the interests of improved server security.
As result of these changes, we need all our clients to ensure any PHP files or application templates within their accounts are set to chmod 754 or 755 as soon as possible. Also, no file within your accounts should have a chmod permission level ending in 2, 6, or 7 - for example, 777, (last 7), as this poses a very real security risk.
If you're not sure what chmod is, or how to use it, please view our chmod tutorial. Most FTP software has built in chmod functionality - details on this aspect are towards the end of the tutorial.
We have also implemented suPHP. suPHP is a tool for executing PHP scripts with the permissions of their owners - a much more efficient and secure method. What this change means is that anything in your .htaccess files that begins with "php_" needs to go in its own file, e.g. php.ini. Then, in the .htaccess file you would put, for example:
suPHP_ConfigPath /usr/home/www/username/path/to/php.ini
Our System Administrator, Dan, has already made these changes to client .htaccess files, but in the unlikely event it may have been missed, this can present as an Internal Server Error (Error 500).
|
Thanks for your attention to this matter.
_________________ DF TIPS | Upgrade| Find Your Signature Specs|
"A bug in the code is worth two in the documentation. "
Mel please enter your server specs in your user profile!
Jeruvy, Security Team
Offline Joined: Apr 23, 2004 Posts: 1432 Location: Canada
Posted: Fri Oct 01, 2004 3:32 pm Post subject: Re: Security Changes by webhost effect CPGnuke?
All these are ideas I would implement; however, Coppermine and certain features in forums (groups, as you noticed) for instance will not work with these settings.
You need 777 access to create the directories (unless root is your apache user) due to the current code base in use. This is not new or recent code, so it's not something that is easily fixable.
I've practically given up on coppermine on my last two hosts due to issues much like this. I also do not allow any uploading or downloading to the site, since this will require less secure settings to work effectively.
So for your situation I can only offer two suggestions. Discuss your needs and ensure they work 100% to your satisfaction with your current host, or deem their new standards not up to your requirements for web hosting and ask that they mutually break the agreement and offer you a refund for your unused portion of hosting.
By law, if the conditions of a contract change substantially you can ask to reevaluate the terms and conditions just as if you were initially considering them.
Sorry this doesn't better directly answer your question, but I hope to have provided you with some of the potentials upcoming and how to deal with them effectively.
Sincerely,
_________________ J.
j e r u v y a t y a h o o d o t c o m
Need help? Look here: www.dragonflycms.org/W...d=112.html
Need to chat? Look for me on irc.freenode.net
Jeruvy's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Ubuntu7.10/Debian3.1 - 2.2.3/1.3.37 - 5.0.38/4.0.27 - 5.2.1/4.4.7 - CVS/9.1.2}
DJ Maze, Developer
Offline Joined: Apr 19, 2004 Posts: 5683 Location: http://tinyurl.com/5z8dmv
Posted: Fri Oct 01, 2004 7:08 pm Post subject: Re: Security Changes by webhost effect CPGnuke?
There shouldn't be any problem when PHP is run in suexec IF THEY set it up properly.
This means the server really runs on your UID; then creating a directory or file shouldn't be a problem in CHMOD 755/644, because you are the owner of the file and directory.
BUT if PHP is still identified as the UID "nobody" there is no way you can comply with the rules they gave you, and they are in error, since they ask something from you which is not possible due to the lack of their server knowledge.
Also, they have to CHOWN your previously created directories and files which are owned by UID "nobody", since PHP (if properly set up) is not allowed to modify/delete those files because you are not the owner.
I can't discuss this enough, but this again shows that server admins lack the knowledge of how to set up a secure server for clients, while they try something that is found on some geek forum and don't know the background on how it works (the silly safe_mode is one of these).
DJ Maze's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Fedora 15 / 2.2.22 / 5.5.20 / 5.3.10 / CVS
Mel, Forum Admin
Offline Joined: Jul 21, 2004 Posts: 1386 Location: Eastern Time Zone
Posted: Sat Oct 02, 2004 2:52 pm Post subject: Re: Security Changes by webhost effect CPGnuke?
After reading your reply, and giving my webhost admin access to my site, we did discover the issues I was having were not caused by their security changes. "Whew!"
My webhost's tech support was very patient and tentative to my concerns. And often they go beyond what is required to help me maintain my website. What a relief.
I am going to do a search on the forum to see if the issues I am having were already posted here on CPGNuke. Now my issues do not apply to this topic or forum. Go figure. lol
It is a relief to know that the security measures taken by my webhost shouldn't affect my site, and they are willing to work with me in any event.
I do appreciate your quick reply and input.
Now, where's that "Search" button... lol
Mel, Forum Admin
Offline Joined: Jul 21, 2004 Posts: 1386 Location: Eastern Time Zone
Posted: Sun Oct 03, 2004 2:23 pm Post subject: Re: Security Changes by webhost effect CPGnuke?
Ok, after trying to search for an answer I was unsuccessful.
I am unable to add/remove or do any modifications to my "User Groups" since my webhost changed their security settings.
Rather than explain what they need, I am going to copy and paste their questions to you and hope you can help us.
| Quote: |
Hi Mel,
I can't tell whether the problems are caused by the new permissions on our server or not since I do not know what causes them. An error message would be very helpful here, but since we have none, if you could please get more information from CPG Nuke as to what code may cause the problem - they know their program much better than we do - or at least tell us what were the permissions that you had to set when you installed the software so that we can review them, it would greatly help us to find out what causes the blank pages and fix that problem. Thanks!
|
Then I received this one, after asking my webhost if I am able to CHMOD 777 any files once I locate the file for groups.
| Quote: |
Hello Mel,
Right now we have a script running that removes the world writable bit on all files. Basically that means that chmod 777 is not allowed. It should never be needed. All files should be executed as the user, so you should only ever need a 7 in the first position. As such, you should never need anything more than 754 permissions for files.
In the case of PHP files or cgi scripts, no file should ever need to be chmod higher than 750.
With this setup, any PHP script (or cgi script) run from your web account will create directories as you (user name). This removes any need to have chmod 777.
I know this is all a bit confusing, but rest assured it plugs up a potentially huge security hole.
If you want to run some more tests after inquiring with the CPG Nuke team let me know and I will do what I can to help you troubleshoot this. There is still a chance that the security settings are causing something to act funny, but it should not be anything that we can't fix.
Thanks for your patience!
|
Can you help us?
If you need to log on to my site as Admin, I have created an Admin account and two "testuser" names.
I would be glad to send this to a CPGnuke Team member via Private Message if necessary.
EDIT*** let me add this... my webhost's extreme security measures have totally debunked MY Coppermine.
No ability to upload anymore. <<crys>>
*sigh*
DJ Maze, Developer
Offline Joined: Apr 19, 2004 Posts: 5683 Location: http://tinyurl.com/5z8dmv
Posted: Sun Oct 03, 2004 6:24 pm Post subject: Re: Security Changes by webhost effect CPGnuke?
Mel, to check if you set up everything properly, use the following:
| PHP: |
<?php
// Check that the albums directory is writable, then try to create and lock a test file in it
if (!is_writable('modules/coppermine/albums')) die('Can\'t save file');
if (!($fp = @fopen("modules/coppermine/albums/cpg_test.log", "a+"))) die('Can\'t open file');
flock($fp, LOCK_EX);                   // exclusive lock
fwrite($fp, 'test to write message');  // write to the file
flock($fp, LOCK_UN);                   // release the lock
fclose($fp);
die('file saved');
|
Check if it works and saves a file at modules/coppermine/albums/cpg_test.log
755 is needed for directories, or Apache dies on sub-directories because it must be able to "execute" a directory.
Files must be 644 so that the world has read access and you have write access.
DJ Maze's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Fedora 15 / 2.2.22 / 5.5.20 / 5.3.10 / CVS
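As an added example (not code from the thread or from CPGnuke/DragonflyCMS), the script below goes one step further than the write test above: it reports which user PHP is actually executing as, who owns the target directory, and whether write access comes from ownership (the suPHP/suexec case DJ Maze describes, where 755/644 is enough) or only from a world-writable mode. The directory path and the availability of PHP's `posix` extension are assumptions; without `posix` the script still runs but cannot name the process user.

```php
<?php
// Added diagnostic for the "does PHP run as the file owner?" question.
// Assumptions: path below matches the install; posix extension is loaded
// (if not, the process user is reported as unknown).
$dir = 'modules/coppermine/albums';

function uidToName($uid): string {
    if ($uid === null) return 'unknown (posix extension missing)';
    if (function_exists('posix_getpwuid')) {
        $pw = posix_getpwuid($uid);
        if ($pw !== false && isset($pw['name'])) return $pw['name'];
    }
    return (string) $uid;
}

function permissionReport(string $dir): array {
    $report = [];

    // Effective UID of the PHP process. Under suPHP/suexec this is your
    // account; under plain mod_php it is the web server user (nobody, apache...).
    $euid = function_exists('posix_geteuid') ? posix_geteuid() : null;
    $report['php_runs_as'] = uidToName($euid);

    if (!is_dir($dir)) {
        $report['verdict'] = "$dir is not a directory; check the path.";
        return $report;
    }

    $st = stat($dir);
    $ownerUid = $st['uid'];
    $mode = fileperms($dir) & 0777;

    $report['dir_owner'] = uidToName($ownerUid);
    $report['dir_mode'] = sprintf('%04o', $mode);
    $report['world_writable'] = (bool) ($mode & 0002); // the "2" in the last digit
    $report['owner_matches'] = ($euid !== null && $euid === $ownerUid);
    $report['writable'] = is_writable($dir);

    if ($report['writable'] && $report['owner_matches'] && !$report['world_writable']) {
        $report['verdict'] = 'OK: PHP runs as the owner, so 755 on directories and 644 on files is enough.';
    } elseif ($report['writable'] && $report['world_writable']) {
        $report['verdict'] = 'Writable only because the directory is world-writable; every other account on this host can write here too.';
    } elseif (!$report['writable'] && !$report['owner_matches']) {
        $report['verdict'] = 'Not writable: the directory is owned by ' . $report['dir_owner']
            . ' but PHP runs as ' . $report['php_runs_as']
            . '. Either PHP is not running under suPHP/suexec, or the host needs to chown the directory to you.';
    } else {
        $report['verdict'] = 'Not writable: the owner needs rwx on the directory (first digit 7).';
    }
    return $report;
}

foreach (permissionReport($dir) as $key => $value) {
    echo $key, ': ', is_bool($value) ? ($value ? 'yes' : 'no') : $value, "\n";
}
```

Run it once from the web (as the host's PHP would execute it) rather than from the shell: the point is the UID of the web request, and a command-line run would show your own login instead. A "world_writable: yes" result with a passing write test is exactly the 777 situation the webhost's script is removing.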
Mel, Forum Admin
Offline Joined: Jul 21, 2004 Posts: 1386 Location: Eastern Time Zone
Posted: Mon Oct 04, 2004 2:33 am Post subject: Re: Security Changes by webhost effect CPGnuke?
CHMOD 755 seems to work fine for the Coppermine. My webhost made all the necessary changes for me, and got it up and running.
I learned something new about security, not having known the dangers that could be associated with keeping my files at CHMOD 777.
Thank you for your help!