I use Symphony CMS for almost all of my sites, and for my client sites as well. Here are a few tips I’ve found that help make your sites more secure and ease development.
There are a few simple things I change on my sites that you should probably think about:
If you’re unfamiliar with how permissions work on UNIX, here’s an oversimplified breakdown:
The default Symphony install uses a permission mask of 775 for both directories and files created within the workspace directory. A permissions mask is composed of three discrete parts:
So Symphony’s default permissions of 775 for both directories and files means:
Depending on your web host, this default might actually stop your site from working entirely — at the least it’s a pretty insecure mask to use out of the box. The absolute bottom line is that on a public web site, you should never grant any permissions unless they are absolutely necessary.
The directory permissions are (in most cases) completely OK. But the file permissions are not OK at all: under nearly all circumstances you do not want files within your workspace directory to be executable, not even by you. Leaving files executable within this directory leaves you open to somebody gaining access to your install and uploading a script or binary executable. If you remove the executable bit from all uploaded files, there’s little chance someone can use uploaded files to do anything malicious to your site.
I always set my file permissions to 664, and keep 775 for directories, when setting up a new Symphony install.
If you know that your site will be run as a discrete user on your server, you could even consider removing write privileges for group as well. This is as simple as 755 for directories, and 644 for files. This might interfere with local development (depending on how your local install is set up), so I generally don’t change this.
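The mode changes described above, as an added shell example (not from the original post or from the Symphony project): it lists workspace files that still carry an execute bit, then applies separate modes to files and directories. The function names and the sample tree are constructed for illustration; the directory you pass in is assumed to be your own workspace directory.

```shell
#!/bin/sh
# Added example: audit and normalise modes under a Symphony workspace directory.
# Modes default to the article's values: 664 for files, 775 for directories.

# Print regular files that have any execute bit set (user, group or other).
audit_exec_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Apply file and directory modes separately, so directories keep the
# execute (traverse) bit while regular files lose it. find does not
# follow symlinks by default, so symlinked targets are left untouched.
harden_workspace() {
    dir=$1 file_mode=${2:-664} dir_mode=${3:-775}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    find "$dir" -type d -exec chmod "$dir_mode" {} + &&
    find "$dir" -type f -exec chmod "$file_mode" {} +
}

# Build a constructed sample tree that mimics the 775-everywhere default.
make_sample_workspace() {
    ws=$(mktemp -d) || return 1
    mkdir -p "$ws/pages" "$ws/uploads"
    printf '<xsl:stylesheet/>\n' > "$ws/pages/home.xsl"
    printf 'constructed upload\n' > "$ws/uploads/photo.jpg"
    chmod -R 775 "$ws"
    echo "$ws"
}

# Stand-alone use: sh harden.sh /path/to/workspace
if [ -n "${1:-}" ]; then
    echo "Executable files before:"; audit_exec_files "$1"
    harden_workspace "$1" && echo "Executable files after:" && audit_exec_files "$1"
fi
```

Call harden_workspace with 644 and 755 as the second and third arguments for the stricter variant. It only changes files already on disk; note also that a web server's PHP handler needs just read access to interpret a .php file, so clearing the execute bit does not by itself stop an uploaded PHP file from running.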