Hi, so I am reading through the Securing file permissions and ownership page and it's showing the owner:group as someuser:www-data. I host my site at a shared host that uses a chroot jail for each shared host and I don't think it has a www-data group. In this case I want to be able to install modules from Drupal, but I also want to make sure the directory is not writable. Should I just use Drush instead of the module install page to get around this? The problem is that I run drush from my user, so if I remove write on the modules directory Drush probably won't be able to install modules. Should I create a separate group for Drush and give that write access?

Comments

john_b’s picture

With most shared hosting you cannot create a user, and you cannot chown anything. In addition, on shared hosting the PHP is almost never executed by www-data. (cPanel normally uses CentOS / RHEL, and you will often see the doc root has 'nobody' or 'http' or 'httpd' as the group, which is the process which owns Apache, whereas Ubuntu / Debian have Apache owned by www-data - just convention, makes no practical difference).

On shared hosting you are largely stuck with the security provided by the host, at server level. (Of course at site level, the security of your code and your update policy is in your own hands, and WordPress security plugins, for example, can impose restrictions which make a WP site harder to hack). Between sites ('addon domains') on a single cPanel or similar account, there is really no security - which makes a Drupal site very vulnerable if it is shared with an insecure site. If you have a WordPress site on one of your domains be careful to keep it updated, and not to install suspect plugins. (I have been bitten this way.) Between separate shared hosting accounts on the same server, as distinct from separate sites on the same account, the webserver should not be able to write from one account to another, and generally you can trust this to work out of the box.

You can set permissions. Assuming doc root is public_html you can do:
chmod -R ugo-w public_html
chmod -R ugo+X public_html
cd public_html/sites/default
chmod -R ug+w files   # assuming files is your files folder
IMO that's about it, and probably adds nothing to the out of the box setup of the server. Between 'addon domains' the hacker could probably reverse those steps once he is in, so it does not seem to add much.

If you want shared hosting and you want more security than generic shared hosting, you probably need to pay the extra for managed hosting of the Pantheon type.

Digit Professionals specialising in Drupal, WordPress & CiviCRM support for publishers in non-profit and related sectors
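
The scheme from the comment above, wrapped with a check that reports drift from it, as an added example that is not part of the thread. The function names are illustrative, and sites/default/files as the only writable directory is an assumption taken from the commands in the comment.

```shell
#!/bin/sh
# Added example: apply the read-only scheme, then audit the tree for drift.
# Assumption: sites/default/files is the only directory that must stay writable.

# Apply the scheme: no write bits anywhere, directories traversable,
# uploads directory writable by owner and group only.
lock_docroot() {
    root=${1%/}
    chmod -R ugo-w "$root" || return 1
    chmod -R ugo+X "$root" || return 1
    chmod -R ug+w "$root/sites/default/files"
}

# Print every path outside the files directory that still has a write bit.
# Symlinks are skipped because their own mode bits are not enforced.
list_writable() {
    root=${1%/}
    find "$root" -path "$root/sites/default/files" -prune -o \
        ! -type l \( -perm -200 -o -perm -020 -o -perm -002 \) -print
}

# Print world-writable paths inside the files directory. The scheme grants
# write to owner and group only, so "other" write there is drift.
list_world_writable_files() {
    root=${1%/}
    find "$root/sites/default/files" ! -type l -perm -002 -print
}

# Return 0 when the tree matches the scheme; otherwise print findings, return 1.
audit_docroot() {
    findings=$( { list_writable "$1"; list_world_writable_files "$1"; } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh audit.sh public_html
if [ "$#" -gt 0 ]; then audit_docroot "$1"; fi
```

Run from cron or after each module update, a non-empty report shows which paths have become writable again since the scheme was applied.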

trinsic’s picture

Ok, Thanks for your help. When you say managed hosting you mean a dedicated server?

john_b’s picture

Look at https://pantheon.io, https://platform.sh. There are others (Black Mesh, Acquia etc)

This is the trend in Drupal hosting, though only for cases where the site owner cares enough (for example where a business depends on the site) to pay the price; besides, as well as being locked down for security, they are pretty locked in to professional workflow, e.g. Pantheon assumes you are willing to use git and drush, and not work directly on the live site.

trinsic’s picture

Ok I understand the managed hosting service now, but I'm kind of unclear about git and drush. Do you know of a guide or information on how to use git and drush together? I always used drush on the live site to update modules and whatnot. Sorry for the newb questions, it's been a while since I did any serious development and I mostly use live sites to do all my work. I'm reading a little about this now, it seems I have been doing it the wrong way for a while: https://www.acquia.com/blog/using-git-drush-win-workflow

john_b’s picture

There is no one right way, even among Drupal devs. Articles like the one you link are a suggestion. Having said that, if you use any version control system now it will be git. I think that unless you need to fit in with a team, it makes sense to get used to some basics of git and of drush, then work out some ways these tools can help, starting with the simplest steps and commands, and taking articles like that as suggestions for what works for some people. Your own workflow will evolve.

Pantheon is very much founded on a dev > staging > production workflow, with code deployed via the GUI, but using git in the background. It imposes one good way of working, which you can test with a Pantheon account, to see how you like it. It is not the only way, or the simplest.

MyriamB’s picture

Thank you John_B. These chmod commands helped a lot in securing my Drupal installs on shared hosting.