So which files do I have to set the write permissions for? Am i missing something here? Or do I have to go through every file in magento and set the permissions for each one? That seems a bit far fetched....
As I posted here: http://www.magentocommerce.com/boards/viewthread/5395/#
i would not recommend to change the permission to just about everything recursively as the command that you use might do so.
Here is a command that you can run on your SSH window to CHMOD only the directly and the subdirectories but not the files under those directories:
find [YOURDIR] -type d -exec chmod 777 {} \;
All you have to do is to go to your magento installation directory on your server through SSH and from that directory type this command:
find . -type d -exec chmod 777 {} \;
This will change the permissions of only directory and subdirectories under magento; which changing the permissions on the magento directory itself as you do not need to have it changed.
Obviously it would be better to know exactly which directory(ies) need this fix and only apply this change to them.
I used a FTP to change all the permissions recursively. My magento files are all just loaded to the base directory, there is a plesk folder in that directory that can not be changed. I still get permission error for magento connect. Would the plesk have something to do with it?
Well ftp programs tend to change everything including files when you chose to change recursively.
I would recommend contacting your hosting provider and ask them to run the command that we submitted earlier or to simply change all your directory permissions to 777 and all your files to 644 in your Magento installation folder.
This is a very important topic and I hope my voice here gets through to the guys at Varien.
I think Magento and Connect/PEAR feature runs beautifully on a suPHP/suExec when every process is run as a user rather than apache
The beauty of suPHP/suExec is that you never have to worry about CHMODs/permissions again. Most hosting companies who have suPHP/suExec, the users never even have to even touch CHMOD, everything will just work out of the box hands free. And it also keeps your script virtually bullet proof secure because no one else in the system will have access to your files.
I hope more hosting companies catch onto suExec/suPHP because there is no reason for anyone to have user’s file be set to 777. This is a very bad idea, almost same as exposing your files to virtually anyone in the server with an SSH access.
If Varien wants to make a secured open source applications, they should just allow PEAR/Magento Connect to be only accessible for hosting companies with suPHP/suExec. I see very bad things happening for other users who are not on a suExec environment, it could certainly be a rampant hack in the future.
I did find a wiki mentioning about magento’s file permissions at http://www.magentocommerce.com/wiki/magento_filesystem_permissions
I think there needs to be some kind of a “Warning” to users who run on mod_php environment as it is not a safe thing to do.
We are on suPHP/suExec and we take security very seriously here for our clients. It was one of the first thing we took measures when we started off providing hosting for Magento. We hope others follow their steps before any kind of problem arises for them.
To anyone who is still chmodding their ways to their Magento, ask your host if they support suPHP/suExec or not. And if they don’t, I seriously consider you to have them implement the feature or find different hosting.
As for Crucial, I think you got a lot of things wrong here and I’d have to agree with Ron Siegel in that it is now hard for me to put any trust into what you say. You bashed shared hosting companies for security but in reality it’s the other way around. It looks like your “split-shared” is the one with the security flaws.
SuPHP solves most of web security flaws, as each web process works like a container for each users in the system, which is the way it should have been all along.
Most companies now a days are in fact on suPHP/suExec such as hostgator/hostmonster/godaddy etc.. etc...ours included...and there is a pretty good reason why almost no one have adapted the split-shared practice because realistically, as it is really not that beneficial for the hoster nor the customer when you get even more security and performance out of a good shared hosting setup.
And I think it’d be nice if you can just rephrase your statements about shared hosting and actually respect those companies who knows how to secure their servers, because quite frankly speaking, I’m pretty sure you have offended many other companies out there by that statement let alone a incorrect statement at that as well. You’d expect all shared hosting to go out of business if it were true, and you might want to second guess why no one have adapted the practice of split-shared hosting.
I think there needs to be some kind of a “Warning” to users who run on mod_php environment as it is not a safe thing to do.
This is incorrect information - mod_php can be and is a very safe hosting environment configuration. Modern versions of PHP include many additional security features that help to flatten the security landscape of the web server.
ask your host if they support suPHP/suExec or not. And if they don’t, I seriously consider you to have them implement the feature or find different hosting.
There are many factors to consider in choosing a host. I would consider things such as , client isolation/density, external/internal security measures, support, performance and the companies character above all else.
As for Crucial, I think you got a lot of things wrong here and I’d have to agree with Ron Siegel in that it is now hard for me to put any trust into what you say. You bashed shared hosting companies for security but in reality it’s the other way around. It looks like your “split-shared” is the one with the security flaws.
It’s actually the PCI-DSS Compliance standards that say you cant do ecommerce in shared hosting, not ‘Crucial’. If you dont store credit card information then you’re really just pushing off to Paypal or some other service and that’s a different story.
Simple Helix, do you host your company website in shared hosting? How many clients share access to your server?
SuPHP solves almost all of php security flaws, as each web process works like a container for each users in the system, which is the way it should have been all along.
Anytime you see statements that some modules solves ALL of security you should really look hard at the source. The only thing that SuPHP/Exec guarantees is an additional module code base for exploits to be found in.
Most companies now a days are in fact on suPHP/suExec such as hostgator/hostmonster/godaddy etc.. etc...ours included...and there is a pretty good reason why almost no one have adapted the split-shared practice because realistically, as it is really not that beneficial for the hoster nor the customer when you get even more security and performance out of a good shared hosting setup.
This has nothing to do with Crucial’s Split-Shared hosting environments. We have over 60 Split-Shared hosting environments. Many of these run on a variety of hosting configurations, including SuPHP/Exec.
Do you know what Split-Shared hosting is? If not, why comment? Split-Shared is about Client Isolation and guaranteed performace and service levels. It has nothing to do with anything you are talking about. To be blunt, you sound ignorant.
Split-Shared hosting environments are limited to 25 clients per environment and each environment is guaranteed a certain quality of service through Parallels Virtualization technology. As a Parallels Gold Partner, Crucial leverages this technology to produce isololated, dynamically scalable hosting solutions.
How many clients do you have to put on your dual 3.0GB ,16GB RAM server? You see, we have a few of these servers, so I know the cost - so, let’s do some math.
Let’s say the server costs a cool $1K a month - that’s fully cost factored including licences’, etc.
You have a average shared hosting cost of $15.00/mo ($10pkg and $20pkg == $15avg)
$1000/$15 == 67 clients
But, you like to make a profit too - so, you have to get $2000 for that server at a minimum - this is if you dont pay things like insurance, taxes, etc...that’s up to you.
$2000/$15 == 134 clients
So, even with a small marginal profit you need about 150 clients per hosting environment, right?
So, you have a server where 150 clients must all compete for resources. That’s 150 clients that you must protect from each other. We all know it only takes a single problem client to cause issues for an entire hosting environment regardless whether that is security or resource abuse.
Contrast this to Crucial where Parallels Virtualization technology isolates clients to smaller, more manageable groups of 25 clients per environment. Yes, there is still resource and security sharing, but Crucial clients have a far smaller pool of clients that they must share with.
Parallels Virtualization also allows us to dynamically scale our hosting environments - Does a container need more disk space, not a problem. Need to tripple the RAM / CPU for a few days to get through a DIGG, no worries. Ask yourself how you would deal with such a situation.
And I think it’d be nice if you can just rephrase your statements about shared hosting and actually respect those companies who knows how to secure their servers, because quite frankly speaking, I’m pretty sure you have offended many other companies out there by that statement let alone a incorrect statement at that as well.
Quite frankly, I dont care. I didnt make the rules - VISA and Mastercard did - and if you are going to accept those cards you need to accept their rules. It’s called PCI Compliance and I suggest you spend some time with Google before continuing to spout off about which things you are so ignorant of.
You’d expect all shared hosting to go out of business if it were true, and you might want to second guess why no one have adapted the practice of split-shared hosting.
You’re right, I do expect many in shared hosting to go out of business. However, Split-Shared hosting has nothing to do with that. The fact is that Split-Shared hosting continues to be adopted by those whom can support it. I believe it’s been called other names as well ‘Grid Service’ and [DV].
