Maybe it is more about a server configuration issue rather than Yii's.
With chmod 777, Yii's assets directory is writable by everyone. The problem is, we encountered a security threat. Because the directory is allowed to be written to by others, there have been several attempts from outsiders to write a phishing file in it.
Is there any better way to configure the assets directory?
FYI, the website is running on a dedicated server (which also runs a mail server, etc.) and the phishing file's owner is apache (in other words, the phishing file is run by a PHP script, CMIIW).
Having rights of 0777 doesn't mean someone from outside of your box can write to that directory.
So if you have a shared environment, someone else (or some other app or even your Yii app) on that server seems to be writing to that directory.
BTW even though you often read that you "need 0777" on your assets folder, this is not quite correct. What you really need is write access for your webserver process. "0777" includes this, as all users now have write access. In my setups I usually do a 0570 (r-xrwx---) and change the group ownership of assets/ to that of the webserver.
But it’s up to your sysop to come up with a reasonable permission schema for your box.
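The permission scheme from the reply above, as an added example that is not code from the thread or from Yii: hand the assets tree to the webserver's group, give directories 0570, and drop the world-writable bit that lets any other account on the box write into it. The group name, the paths, and GNU/Linux `ls`/`chgrp`/`chmod`/`find` are assumptions; the 0460 file mode is my extension of the same idea to the published files, not something the poster stated.

```shell
#!/bin/sh
# Added example, not code from the thread: the "write access for the webserver
# process only" scheme described above, applied to a Yii assets/ directory.
# Assumptions (not stated in the thread): GNU/Linux userland (ls, chgrp, chmod,
# find); the caller passes the webserver group name (apache, www-data, ...).
# Directories get 0570 as in the post; files get 0460 (owner r, group rw,
# others nothing), my extension of the same idea to the published files.

# mode_string PATH -> e.g. "drwxrwxrwx" (first 10 characters of ls -ld)
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# is_world_writable PATH -> exit 0 when "others" have write permission,
# i.e. the chmod 777 situation the original poster describes.
is_world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# harden_assets DIR GROUP
# 1. hand the whole tree to the webserver's group,
# 2. files: owner r--, group rw-, others nothing (0460),
# 3. directories: owner r-x, group rwx, others nothing (0570).
# The deploy user (owner) keeps read access; only the webserver process, via
# its group, can create or change published assets; no other account on a
# shared box can drop files in.
harden_assets() {
    dir=$1
    group=$2
    [ -d "$dir" ] || { echo "harden_assets: $dir is not a directory" >&2; return 1; }
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type f -exec chmod 0460 {} + || return 1
    find "$dir" -type d -exec chmod 0570 {} + || return 1
}

# Usage (run as the deploy user who owns the tree; path and group are placeholders):
#   sh harden_assets.sh /var/www/myapp/assets apache
if [ "$#" -eq 2 ]; then
    harden_assets "$1" "$2" && mode_string "$1"
fi
```

Run it as the user that owns the tree (chgrp and chmod need ownership); afterwards `is_world_writable` on the directory should fail, and `mode_string` should report `dr-xrwx---`. If the application then reports the directory as not writable, the webserver process is not running under the group you passed in, which is exactly what to check next.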
Yes, I know it from the beginning, but the administrator won't give a damn. Rather than fix the problem, he told me to find a way to resolve the problem by myself.
The problem is, the owner of the phishing file is apache itself. So the biggest possibility is that the attacker came in over HTTP, ran a PHP script or uploaded a file, then wrote the file to the assets directory.
That’s most probably the case. One way to find the vulnerable script: You could check the creation time of that file in assets and check the webserver logs for identical timestamps. Dealing with such security break-ins is a tedious job, so good luck…
And one minor correction to my example above: The right code should be 0570 not 0670.
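The correlation step suggested above (file timestamp versus webserver log), as an added example that is not code from the thread: take the modification time of the rogue file in assets/ and print every request the webserver logged in that same minute, so the upload or script call that produced it stands out. It assumes GNU `stat`/`date`, an Apache common/combined access log whose time field looks like `[15/Oct/2012:13:55:36 +0000]`, and that the file system clock and the log share a time zone; the log lines in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: the correlation step suggested above,
# i.e. take the timestamp of the rogue file in assets/ and pull the webserver
# requests logged in that same minute. Assumptions: GNU stat/date, an Apache
# common/combined style access log whose time field looks like
# [15/Oct/2012:13:55:36 +0000]; log and file clock use the same local time zone.

# file_minute FILE -> the file's modification time as it appears in an Apache
# log, down to the minute, e.g. "15/Oct/2012:13:55" (point this at the
# phishing file in assets/).
file_minute() {
    epoch=$(stat -c %Y "$1") || return 1
    LC_ALL=C date -d "@$epoch" '+%d/%b/%Y:%H:%M'
}

# requests_at_minute LOGFILE MINUTE -> every log line from that minute.
requests_at_minute() {
    grep -F "[$2:" "$1"
}

# suspects LOGFILE FILE -> "client method path" for each request logged in the
# minute FILE was written. POST/PUT lines are the usual upload candidates, but
# everything from that minute is printed so nothing is filtered out too early.
suspects() {
    minute=$(file_minute "$2") || return 1
    requests_at_minute "$1" "$minute" | awk '{ print $1, substr($6, 2), $7 }'
}

# Usage (paths are placeholders):
#   sh suspects.sh /var/log/httpd/access_log /var/www/myapp/assets/<hash>/login.html
if [ "$#" -eq 2 ]; then
    suspects "$1" "$2"
fi
```

With a constructed log containing `203.0.113.5 - - [15/Oct/2012:13:55:36 +0000] "POST /index.php?r=site/upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"` and a file last modified at 13:55 on that day, `suspects` prints `203.0.113.5 POST /index.php?r=site/upload`, which is the request to look at first. Widen to neighbouring minutes if the clocks are not in sync, and remember that file modification time is overwritten if the attacker touches the file again.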
I’m glad to see this post but, when I set assets to 570, I get an error that the dir isn’t writable. 755 doesn’t work, only 777.
Note - I’m on my VPS with several sites on it. I also installed through a web app installer Softaculous (like Fantastico). I’m already thinking that is the issue. But this raises the question, are these sorts of installs therefore unsecured?