A few days ago, one of my shared webservers was hacked by someone who managed to sneak a script into one of my customers' broken phpbb scripts. The attacker managed to drop a script into his directory and began a script that affected every file that had permission set to writable for "other." There was minimal damage, but one of the affected sites happened to be one of my own that uses the Dragonfly CMS.
When the malicious script reached my site, it managed to drop a few files into /modules/coppermine/albums and /cache, and added a few lines of code into every php, html, or inc file it found in both directories. Obviously it didn't do much in the albums dir, but it completely destroyed everything in cache, making the site unusable. The problem was quickly remedied, however, by deleting all the files in the cache and letting the CMS rebuild them itself.
This brings me to my question... If the site simply rebuilds the files anyway, does it really need them to be physical files in the first place? One less directory with 0666 permissions on my website will make me feel a lot safer, and will prevent any downtime if this manages to happen again.
Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
N/A
Welcome to DF Community 😄 If I could just take a minute to address this:
m4f0x's server specs wrote
(Server OS / Apache / MySQL / PHP / CPG-Nuke)
Dragonfly 9.0.6.1 ( Do you /really/ need to know anything else? )
Yes we really want to know it, and it is a requirement for support. Please include the link to your DF website too.
If you should need further assistance you won't have to add it again.
You can get your server's specifications by going to your administration section and clicking on the "System Info" link. Here is what you're looking for on that page:
System - Server OS (General link at the top)
Apache - Apache Version (PHP Modules link at the top)
The 666 came up because I didn't feel the files need to be executable. I've never run into an instance where I needed a php script on a web server to be executable unless it was being run on a cron job or something. The server needs the read and write bit to access the files, however, because it's being run as the httpd user and not the user that actually owns the files themselves.
I'm sorry, I should have clarified.
As for my version information, I've added it to my profile.
Erk... sorry, I don't know what I'm talking about. The permissions WERE set to 777 for the directories... and the files are modded 644... I guess I'm not sure where I got 666 from x.x... It'd be silly to mark the directories without the executable flag or else the daemon wouldn't be able to access them. >.< Sorry again for all the confusion... [excuse]It's been a long week[/excuse].
My question still stands, though. Is it possible to run the CMS without the cache?
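A defender's follow-up to the permission discussion in this thread (777 directories, 644 files, and a cache directory that must stay writable by the httpd user): an added example, not part of the original posts or of Dragonfly CMS, that audits a web root for anything writable by "other" (the attribute the mass-infection script used to pick its targets) and tightens everything outside an allow-list of directories the CMS genuinely needs to write to. The allow-list file format, the helper names and the "cache" path are assumptions.

```shell
# Constructed example: audit and tighten world-writable paths under a web root.
# Not Dragonfly CMS code; the allow-list format (one relative directory per
# line) is an assumption made for this example.

# Return 0 if relative path $1 equals, or lies under, an entry of the
# allow-list file $2.
is_allowed() {
    while read -r a; do
        case "$1" in "$a"|"$a"/*) return 0 ;; esac
    done < "$2"
    return 1
}

# Print every world-writable (mode bit o+w, i.e. -002) file or directory
# under web root $1, relative to it, one per line and sorted. Anything under
# the allow-list $2 is skipped so a deliberately writable cache directory
# does not hide the real findings.
list_world_writable() {
    root=$1
    allow=${2:-/dev/null}
    find "$root" -perm -002 \( -type f -o -type d \) -print | while read -r p; do
        rel=${p#"$root"/}
        is_allowed "$rel" "$allow" || printf '%s\n' "$rel"
    done | sort
}

# Tighten everything else to the 755/644 layout the thread settles on:
# directories searchable, files readable, nothing writable by "other".
# Paths under the allow-list $2 keep their mode because the CMS must still
# write there (ownership by the httpd user would let even those be 755).
harden_webroot() {
    root=$1
    allow=${2:-/dev/null}
    find "$root" -perm -002 \( -type f -o -type d \) -print | while read -r p; do
        rel=${p#"$root"/}
        is_allowed "$rel" "$allow" && continue
        if [ -d "$p" ]; then chmod 755 "$p"; else chmod 644 "$p"; fi
    done
}
```

Run `list_world_writable /path/to/webroot allow.txt` first to see what a script like the one in the thread would have been able to rewrite, then `harden_webroot` with the same arguments.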