Forum Moderators: phranque
We were discussing CMS over here,
[webmasterworld.com...]
but some are over-kill for simple purposes and way too complicated for what they're needed for.
Right now .htaccess isn't writeable by the application so it isn't "taking". It says 666 in the documentation, but that seems to make it universally writeable. What's the proper permissions so I can edit the filoe by hand and so the application can write to the htaccess file, without creating a security hole?
Basically, the digits are ordered left to right as owner, group, and public (or "world").
Each digit is a composite number made up of the sum of a digit worth 4, a digit worth 2 and a digit worth one. If all digits are present (termed "set"), then you get a 7 as the sum. If none are set, you get a sum of zero. The digit values of 4, 2, and 1 have the following meanings:
4 = read
2 = write
1 = execute
Given all of that, a permissions value of 644 means that the owner can read and write, the group (as defined by you in your password setup) can read it, and the world can read it.
Now that that explanation is taken care of, all I can tell you is that various server configurations and script installations require different values to allow scripts to write to other files, and all you can really do is experiment.
The security of your server depends on many things, but the main weaknesses are usually in FTP and in scripts that allow intruders to add code (say in a forum page) that 'breaks out' of the script and executes system functions. This is one reason that some characters are modified when posting on a board like ours. As such, having your .htaccess writable by a script is not a problem as long as the other security vulnerabilities are buttoned down tight. Don't allow anonymous FTP, guard your passwords, and make sure that any off-the-shelf scripts you're using have all current patches and are not being discussed on forums that focus on security problems.
Jim
