How did you secure your Yii App in production mode?

Of course I turned off the debug mode.

However I can still access files such as myApp.com/protected/data/auth.txt and so on…

Did I forget something?

Thanks

You should not be able to access that file from the web if the .htaccess file is present in the myApp.com/protected/ directory with:

    deny from all

(Server config may affect this but, I think, not silently.)

755 for all scripts (php) - 644 for html and txt, etc.

777 for assets and protected/runtime.

That should secure it - along with the htaccess Tri mentioned.

There’s no need for 755 on all dirs/scripts and 777 on assets. It’s too permissive.

On a decently secured system you’ll probably want to have the web server write permission only in those directories that need writing by it (/assets, for example) but not to the rest. The rest of the directories will only need ‘x’ (for ‘cd’ into) and ‘r’ for listing files in them. Needless to say, we’re talking *nix here, right? :slight_smile:

As for files, those that need writing by the web server will need to be set as writable for the web server user. No need for the rest of the users on the system to be able to write to them, and in fact, not even to read them (otherwise, for example, any user on the system could examine the application log file). The rest of the files, meaning those that only need to be read by the web server, such as all the PHP files, only need read permissions. No need for ‘execute’ permissions, as that applies to command line execution, not execution by the web server. Of course, if you need command line execution (yiic?), you will want that to be marked as ‘x’, but for the appropriate user only as well.

Gee, that deserves a nice wiki article. Is there one? If not, whenever I get to the Yii publishing arena I could write it myself (still learning Yii and not yet needed to implement publishing mechanisms).
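Putting the two answers above together (the "deny from all" .htaccess in protected/ and the read-only-except-where-written permission policy), here is an added example script; it is not code from the Yii project or from any poster in this thread. It assumes a *nix host running Apache, an application tree owned by a deploy user, and a web server that runs in a group that user can grant read access to ("www-data" and "deploy" below are placeholders; the chown line is left commented because it needs root). It builds a constructed sample tree so it can be tried offline, writes the .htaccess in both the Apache 2.2 ("deny from all") and 2.4 ("Require all denied") forms, applies the permissions, and then audits the result.

```shell
#!/bin/sh
# Added example, not from the Yii project or the thread above: write the
# .htaccess that blocks web access to protected/ and apply the permission
# policy described in the posts (web server read-only except assets/ and
# protected/runtime/, no execute bit on PHP files, nothing for "others").
# Assumptions: *nix + Apache; tree owned by a deploy user; the web server
# group is a placeholder. chown needs root and is commented out.
set -eu

# Apache 2.4 evaluates "Require all denied" (mod_authz_core); "deny from all"
# is the 2.2 syntax and only works on 2.4 when mod_access_compat is loaded,
# so both forms are written and Apache picks the one it understands.
write_deny_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Constructed sample application tree (placeholder contents) for offline use.
make_sample_app() {
    app="$1"
    mkdir -p "$app/protected/runtime" "$app/protected/data" \
             "$app/protected/controllers" "$app/assets" "$app/css"
    printf '<?php require dirname(__FILE__)."/protected/config/main.php";\n' > "$app/index.php"
    printf 'user:hash\n' > "$app/protected/data/auth.txt"
    printf '<?php class SiteController {}\n' > "$app/protected/controllers/SiteController.php"
    printf '#!/usr/bin/env php\n<?php\n' > "$app/protected/yiic"
    printf 'body {}\n' > "$app/css/main.css"
    write_deny_htaccess "$app/protected"
}

# Policy: owner rw, web server group r, others nothing; group write only
# where the web server must write; PHP files are data to the web server
# (no execute bit); the yiic CLI script keeps execute for the owner only.
harden_perms() {
    app="${1%/}"
    # chown -R deploy:www-data "$app"   # needs root; names are placeholders
    find "$app" -type d -exec chmod 750 {} +
    find "$app" -type f -exec chmod 640 {} +
    for w in "$app/assets" "$app/protected/runtime"; do
        if [ -d "$w" ]; then chmod 770 "$w"; fi
    done
    if [ -f "$app/protected/yiic" ]; then chmod 740 "$app/protected/yiic"; fi
}

# Audit: returns 0 when the tree matches the policy, 1 plus a reason otherwise.
check_perms() {
    app="${1%/}"
    rc=0
    if find "$app" -perm -004 | grep -q .; then
        echo "world-readable entries under $app"; rc=1
    fi
    if find "$app" -type f -name '*.php' -perm -100 | grep -q .; then
        echo "executable PHP files under $app"; rc=1
    fi
    if find "$app" -type d -perm -020 \
            ! -path "$app/assets" ! -path "$app/protected/runtime" | grep -q .; then
        echo "group-writable directories outside assets/ and protected/runtime/"; rc=1
    fi
    if [ ! -f "$app/protected/.htaccess" ]; then
        echo "protected/.htaccess is missing"; rc=1
    fi
    return "$rc"
}

# Usage: sh harden.sh /path/to/myApp
if [ "$#" -ge 1 ]; then
    harden_perms "$1"
    check_perms "$1" && echo "ok: $1 matches the policy"
fi
```

Note that with "others" stripped of all bits the web server reads nothing unless it really is in the group you chown the tree to, so run the (commented) chown first on a real deployment; the audit reports world-readable entries precisely because that is the state a fresh checkout with the usual 022 umask is in.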

A wiki would be a good idea!

You may set up the application in a way that only index.php and any assets get exposed to the outside. Example:

    components
    config
    models
    public
        /css
        /js
        .htaccess
        index.php
    runtime

Now set the docroot to the public directory.

The directories "framework" and "protected" should stay outside the public Web directory (webroot, public, public_html etc).

Also, see the guide on security.

Hi, how about the .htaccess file?

Is it just deny from all?

Or something else?

thanks