I use Symphony CMS for almost all of my sites, and for my client sites as well. Here are a few tips I’ve found help to make your sites more secure, and ease development.
There are a few simple things I change on my sites that you should probably think about:
If you’re unfamiliar with how permissions work on UNIX, here’s an oversimplified breakdown:
The default Symphony install uses a permission mask of
775 for both directories and files created within the
workspace directory. A permissions mask is composed of three discrete parts:
So Symphony’s default permissions of
775 for both directories and files means:
Depending on your web host, this default might actually stop your site from working entirely — at the least it’s a pretty insecure mask to use out of the box. The absolute bottom line is that on a public web site, you should never grant any permissions unless they are absolutely necessary.
The directory permissions are (in most cases) completely OK. But the file permissions are not OK at all — you do not under nearly any circumstances want files within your
workspace to be executable — not even by you. Leaving files executable within this directory leaves you open to somebody gaining access to your install and uploading a script or binary executable - if you remove the executable bit from all uploaded files, there’s little chance someone can use uploaded files to do anything malicious to your site.
I always set my file permissions to be
664, and my
775 for directories when setting up a new Symphony install.
If you know that your site will be run as a discrete user on your server, you could even consider removing write privileges for group as well - this is as simple as
755 for groups, and
644 for users. This might interfere with local development (depending on how your local install is setup), so I generally don’t change this.