Please will someone tell me what are the most secure permissions of moodle files (ideally in numbers)?
4) other moodle files
assuming that my username is in the same group as apache.
I created a user and group called moodle. Apache runs as moodle:moodle. MySQLd
runs as user mysql.
moodledata 755 moodle:moodle
moodledata/sessions 755 moodle:moodle (session files are 600 moodle)
moodle/config.php 440 daemon:moodle (daemon allows handlebounces/email to work)
(directorypermissions = 02755)
User moodle runs admin/cron.php
We start chatd by a root script that does a
su moodle -c "cd .....; php ...chatd.php [opts..]"
-- James Dugal
1.- moodledata directory and all of its contents (and subdirs, includes sessions):
owner: apache user (apache, httpd, www-data, whatever).
group: apache group (apache, httpd, www-data, whatever)
perms: 700 on directories, 600 on files.
2.- moodle directory and all of its contents and subdirs (including config.php):
perms: 755 on directories, 644 on files.
If you allow local logins, then 2.- should be:
group: apache group
perms: 750 on directories, 640 on files
Think of these permissions as the most paranoid ones. You can be secure enough with less tight permissions, both in moodledata and moodle directories (and subdirectories).
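One way to check a server against the two schemes listed above (an added example, not part of any post in this thread; it assumes GNU find, and the three script arguments are placeholders for your own paths and Apache user):

```shell
#!/bin/sh
# Added example: report entries looser than a maximum mode.
# Assumes GNU find (-perm /MASK and -printf).

# excess_mask MODE -> octal mask of the rwx bits that MODE does not allow
excess_mask() {
    printf '%o' $(( 0777 & ~0$1 ))
}

# audit_tree DIR MAX_DIR_MODE MAX_FILE_MODE [OWNER]
# Prints one line per directory or file that has any bit outside the
# allowed mode, and (if OWNER is given) per entry owned by someone else.
audit_tree() {
    dir=$1
    dmask=$(excess_mask "$2")
    fmask=$(excess_mask "$3")
    owner=${4:-}
    # A mask of 0 means every bit is allowed, so there is nothing to test.
    if [ "$dmask" != 0 ]; then
        find "$dir" -type d -perm "/$dmask" -printf 'loose-dir %m %p\n'
    fi
    if [ "$fmask" != 0 ]; then
        find "$dir" -type f -perm "/$fmask" -printf 'loose-file %m %p\n'
    fi
    if [ -n "$owner" ]; then
        find "$dir" ! -user "$owner" -printf 'bad-owner %u %p\n'
    fi
}

# Usage (placeholders): sh audit.sh MOODLE_DIR MOODLEDATA_DIR APACHE_USER
if [ "$#" -eq 3 ]; then
    audit_tree "$1" 755 644        # scheme 2: moodle code tree
    audit_tree "$2" 700 600 "$3"   # scheme 1: moodledata, owned by Apache user
fi
```

No output means nothing under the tree exceeds the stated modes; for the local-logins variant, pass 750 and 640 for the code tree instead.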
Agree with Iñaki -- the only thing that can tighten things further is to have sessions outside of moodledata, and make sure that the directory is not executable (not listable). So someone who takes control of Apache cannot see what sessions are there -- makes it much harder to read the sessions.
Debian uses this mode for its PHP sessions directory. It's a pain because PHP cannot do its own garbage collection of sessions, but security people love it.
I mentioned elsewhere that "BecomeRoot true" is being used for moodle in my strange institution. It seems to transpire that the reason why this setting is being used is in order that the permissions on the files be more secure. Does that make sense? I.e. in order that group or other cannot see the files, someone here is making apache become root. Or somesuch.
Anyway, I will try the permissions above.
Permissions of 640 on files in the moodle directory seem to be too restrictive because the application doesn’t work (access denied in case of Moodle 2.0). So, I decided to try it with 650 and it works. The same problem affects files in moodledata where I had to reduce permissions on files to 700.
Any idea of the reasons?
Best regards, Piotr
BTW, this thread is more than five years old! You should have started a new thread pointing to this one as a reference. True to Unix nature the content is still valid. Imagine what our neighbours in Redmond would have done, now Muglia leaving his flat to Nadella?
(quoted in http://www.theregister.co.uk/2011/02/09/microsoft_satya_nadella_server_and_tools/ )
What about files Permissions on Shared Host? (assuming safemode is off)
I would like to contribute a few things...