Magento Forum

Poll
The downloader or Magento Connect via the web interface make Magento less secure
Yes 8
No 1
Only if ... (please specify) 1
Total Votes: 10
Your opinion on Magento Connect
 
TBerer
Jr. Member
 
Total Posts:  4
Joined:  2009-05-26
 

Hello everyone,

I want to know your opinion on using the downloader and Magento Connect in a standard hosting environment. By that I mean a random PHP hosting without console access. In this thread I read that Magento Connect might be insecure.

From what I understand the downloader can leave all files with world writeable permissions. This could be a problem if someone from outside the installation can access our files. But what about Magento itself? Let's assume the hoster has separated the customers sufficiently. Now imagine a basic setup as described in the Magento installation guide. As time goes by the user installs a couple of updates and also extensions via Magento Connect. Is there anything special to be afraid of here?

Besides the downloader etc. I find this post by J.T. contains several good points. Additional advice is of course welcome.

Thanks

Thomas

 
 
JLHC
Mentor
 
Avatar
Total Posts:  1287
Joined:  2008-05-09
Tampa, FL
 

Magento Connect only requires world writable permissions (777) if your hosting provider is running a non-suPHP/suEXEC environment.

If your hosting provider is running suPHP/suEXEC, you will not need to worry at all, as all files are set to 644 and all directories to 755 while Magento Connect and all other features still work fine. Under a suPHP/suEXEC environment, the file permissions 666, 777, etc., which are security risks, are not needed at all.

 
 
TBerer
Jr. Member
 
Total Posts:  4
Joined:  2009-05-26
 

Thanks for your answer JLHC. So suEXEC or suPHP looks like a good thing regarding the separation of installations / customers on a host, because it removes the need to have everything world writeable, and I guess brings some other security improvements.

Apart from the separation of installations, would the world writeable modes (777 / 666) be a security problem within Magento? Does such a Magento installation have more vulnerabilities? I would assume that PHP or the web server has write permissions to every file anyway.

 
 
JLHC
Mentor
 
Avatar
Total Posts:  1287
Joined:  2008-05-09
Tampa, FL
 

Yes, world writable permissions like 666 and 777 will expose your store to greater vulnerabilities, as they are world writable.
It is never recommended to use these file permissions, which is why it is recommended to go with a hosting provider which is on a suEXEC environment.

 
 
TBerer
Jr. Member
 
Total Posts:  4
Joined:  2009-05-26
 
JLHC - 02 October 2009 12:44 AM

Magento Connect only requires world writable permissions (777) if your hosting provider is running a non-suPHP/suEXEC environment.

If your hosting provider is running suPHP/suEXEC, you will not need to worry at all, as all files are set to 644 and all directories to 755 while Magento Connect and all other features still work fine. Under a suPHP/suEXEC environment, the file permissions 666, 777, etc., which are security risks, are not needed at all.

I understand your general recommendation to use suEXEC or suPHP. I also checked this on our development server, which does not run suEXEC or suPHP. The Magento files are not world writeable but owned by the user who also runs the Apache httpd. The Magento Downloader works without problems. But it looks as if the downloader creates at least some files with world writeable modes. Anyway, this does not completely answer my original question. I still would say that any exploit inside a Magento installation will be able to overwrite any code, being world writeable or not.

So back to the main question: What implications does the downloader bring regarding securing a Magento installation? Is the Downloader okay for a production installation or not?
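Added example (not from this thread, Magento, or its downloader): a small POSIX shell audit that finds the 666/777 entries JLHC and TBerer discuss under a Magento document root and resets them to the 644/755 values quoted for a suPHP/suEXEC host, run here against a constructed sample tree. The directory layout and file names are assumed for the demo.

```shell
#!/bin/sh
# Audit a Magento document root for the world-writable modes (666/777)
# discussed in this thread and reset them to the 644/755 values JLHC
# quotes for a suPHP/suEXEC host. Hypothetical helper script, not part
# of Magento or its downloader. Note the limit TBerer raises: if PHP runs
# as the owner of these files, 644 still lets a compromised PHP process
# write them; the modes only protect against other local accounts.

# Print every file or directory under $1 with the "other" write bit set.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print
}

# Number of world-writable entries under $1 (whitespace-trimmed for BSD wc).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Reset only world-writable entries: files -> 644, directories -> 755.
# Entries that are already restricted (e.g. app/etc/local.xml at 600,
# which holds database credentials) are left untouched.
harden_perms() {
    find "$1" -type f -perm -002 -exec chmod 644 {} +
    find "$1" -type d -perm -002 -exec chmod 755 {} +
}

# Constructed sample tree imitating what the downloader may leave behind on
# a host without suPHP/suEXEC: a 777 directory and a 666 PHP file.
make_sample_tree() {
    umask 022
    d=$(mktemp -d)
    mkdir -p "$d/app/code/local/Vendor" "$d/app/etc" "$d/downloader"
    echo '<?php' > "$d/app/code/local/Vendor/Module.php"
    echo '<?php' > "$d/downloader/index.php"
    echo '<config/>' > "$d/app/etc/local.xml"
    chmod 777 "$d/app/code/local/Vendor"            # world-writable dir
    chmod 666 "$d/app/code/local/Vendor/Module.php" # world-writable file
    chmod 600 "$d/app/etc/local.xml"                # intentionally tight
    echo "$d"
}

# Stand-alone demo: report, harden, report again, clean up.
sample=$(make_sample_tree)
echo "world-writable entries before: $(count_world_writable "$sample")"
find_world_writable "$sample"
harden_perms "$sample"
echo "world-writable entries after:  $(count_world_writable "$sample")"
rm -rf "$sample"
```

Point `find_world_writable` at a real document root after a Magento Connect run to see exactly which entries the downloader left world-writable before deciding to reset them.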

 
 
shaun
Member
 
Avatar
Total Posts:  39
Joined:  2007-11-09
Todmorden, UK
 

When did this get fixed?

The bug tracking report I raised at http://www.magentocommerce.com/bug-tracking/issue?issue=1780 no longer exists but since Downloader first existed it’s set permissions to 777 on suPHP enabled systems causing Error 500s. I wasn’t aware it had been fixed.

I get support issues from my customers to this day related to Downloader setting the wrong permissions.

 
 
Michae1
Enthusiast
 
Total Posts:  826
Joined:  2007-08-31
 

The next version of Magento Connect Manager (downloader) will allow you to specify custom permissions to be set on files and folders.

 