From testing to live site

rober · 09.09.2004, 05:04

ok, this could be tricky in explaining but I will give it my best.

When transferring a test site to a live site on a server, chmod access is normally transferred (on *nix anyway) as well but.... When someone who does not have that "root" access FTP's that test site down to thier computer and then transfers it back to the server (or another) in the "Live" area.... I have to assume access rights to all directories are now 777, would this be correct?

Because if it is.... I see this as becoming a major security problem for people who are doing the transfer just as I explained. (or tried to)

I have read several posts within the forums of people asking how to transfer thier files to a live site after the testing phase was completed and this is what got me thinking about this.

I am assuming that Mambo will not automatically correct the permissions on the directories once the files are in place, I don't see how it could without individual htaccess files, so what can we provide the people (guidance or written instructions) who are testing mambo in one place and then transferring the files to a live site elsewhere to ensure that permissions are set correctly?

Has this ever been brought up? I am curious...

jascha · 09.09.2004, 07:12

I was working on a script in the past to check the permissions on a Mambo install. Such as the one when installing Mambo, but more indepth. So that is an option for those that know PHP and are bored.

As far as the question about transfering a test site to the production server. It would deped what means people are using to transfer the site. I will assume people are using a *nix based server (Linux, BSD, etc.). Since I am unsure why they wouldn't be

. So if you are say, using a Fedora test server and Fedora production server you could use scp with the -p switch in order to preserve the test servers permissions.

Or use something like wget to transfer the site.

One other option is to tar the entire site with the -p switch to prerserve the permissions.

If someone is using a GUI FTP or SCP/SFTP client then they would need to read the documentation to preserve the directory permissions. Or overcome what I refer to as 'command-lineaphobia'.

For those who feel the need to use a Windows server. . . to preserve the NTFS permissions you can use something like NTBACKUP to get the job done. Here is a good tutorial on the subject for those interested.

You could use many other methods for *nix and Windows just comes down to personal preference.

-Jascha

rober · 09.09.2004, 08:06

Quote:

Originally Posted by jascha

For those who feel the need to use a Windows server. . . to preserve the NTFS permissions you can use something like NTBACKUP to get the job done. Here is a good tutorial on the subject for those interested.

-Jascha

w i n d o w s?

Egad.... how horrible the thought...

I have heard people were downloading sites using ftp lite and then reloading them on other servers. I looked over doing a manual install and found permission guidelines for the core directories, but... not much on mods/components which would be the method of attack in my opinion.

The script you mentioned is a great idea as it could be used anytime to reverify integrity of the mos directories after each mod/component upgrade etc. Nice security thought there

Imagine something like that built into the Mambo core..... hmmmm, food for thought

jascha · 09.09.2004, 09:09

Well. . .people should realize by now if they are hosting on Windows that Mambo permissions is the last of their worries.

I had made the suggestion for the permission checking along with IP blacklisting and a few other things a long time ago on the main site. But little was said about it, so I am unsure if any of them were implemented.

-Jascha

rober · 09.09.2004, 18:31

True point about the windows servers (yuck, icky pooey) and that other word, IIS (EEEEEEEEEEEK)

You said you mentioned it to the development team awhile back but nothing came of it, perhaps if we develop enough interest here in mambers we can approach the core team again with the idea.

Security if not taken seriously, makes for a worthless CMS. And Mambo is far from worthless.