Movabletype's loose permissions

#1

I noticed that movabletype sets permissions to world writable by default. Does that mean anybody on my particular dh machine can write those files?

Also, can I strip the world writable mode from the default permissions safely on DreamHost? Does dh suid to the individual user when running web applications?

Thanks.


#2

Your permissions have to be set that way so guests can comment on your site, and interact with the CGI scripts, and also so that when you visit your site via http to manage mt you can log in. If you don’t have the permissions set that way then it won’t work.

I don’t believe other users on your machine have access to even view your files.

If you are worried about security, do you have the suexec and such security settings enabled in your mt.cfg file?

-Matttail


#3

suexec/cgiwrap would be configured by DreamHost. Does anybody know if they are? I have a feeling they are because I messed with some of the permissions and mt still ran fine. I ran the script mt-check.cgi and it reported:
(Probably) Running under cgiwrap or suexec

There is a way to modify the default permissions. I’ll probably do that.

I need to be very worried about security because I’m helping out on a site that is extremely political and progressive with lots of fundamentalist nuts running around trying to shut it down. If there’s a way, there’s definitely the will to hack it.
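
Added example (not part of the thread and not Movable Type's own tooling): a shell audit for the situation discussed above. It assumes CGI scripts run as the account owner (suexec or cgiwrap), so write access for "other" is not needed; the function names and the directory argument are hypothetical.

```shell
#!/bin/sh
# Audit and tighten world-writable modes under a web application directory.
# Assumption: CGI runs as the account owner (suexec/cgiwrap), so the
# "other" write bit can be dropped without breaking the application.

# Print regular files and directories whose world-writable bit is set.
# Symlinks are skipped because chmod would act on their targets.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Number of world-writable entries (assumes no newlines in file names).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Print entries not owned by the current user. If files created through
# the web interface show up here, the CGI is not running as you, and
# removing world-write access would stop it from updating them.
list_not_owned_by_me() {
    find "$1" ! -user "$(id -u)" -print
}

# Remove only the "other" write bit; owner and group bits are untouched.
strip_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Stand-alone use: sh audit.sh /path/to/app   (path is a placeholder)
if [ -n "${1:-}" ]; then
    echo "World-writable entries: $(count_world_writable "$1")"
    foreign=$(list_not_owned_by_me "$1")
    if [ -n "$foreign" ]; then
        echo "Not owned by $(id -un); leaving modes unchanged:"
        echo "$foreign"
    else
        strip_world_writable "$1"
        echo "Remaining after cleanup: $(count_world_writable "$1")"
    fi
fi
```

Run it once after publishing an entry or receiving a comment, so that files created by the application are included in the ownership check.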