Folder permissions required for XenForo

Is chmod 0777 really required?

I tried to chown -R admin1:admin1 *, but it seems not to be sufficient.
Is there a better way on ApisCP than 777 permissions?

You can change the user that Apache runs under to the username that you have set up for the domain; then it will run under PHP-FPM as adminX/adminX and you won’t need 777.

1 Like

Oh, on what page of the dashboard can I do that? Thanks.

Under Web -> PHP Pools

1 Like

Nice, that was easy.

You can automatically assign the pool to the account admin instead of apache on account creation. Defaulting your plan’s apache,webuser => None will do that. Otherwise,

EditDomain -c apache,webuser=None <domain>

1 Like

Follow-up question: how do I make this the default on every account/domain?
On the dashboard, by the way.
Thanks.

1 Like

Creating a Manifest is a more secure approach to this. Running same-user negates any benefits of Fortification and makes it operate in single-user mode like cPanel/Plesk.

Web > Web Apps > Manifests > Create

Edit the manifest with,

base:
# database configuration, used for snapshots
database:
  # "mysql" or "pgsql"
  type: mysql
  # database user
  user:
  # user password - can leave blank
  password:
  # database name
  db:
  # database host
  host: localhost
  # optional prefix attached to tables
  prefix:
fortification:
  # Fortification profiles, called via webapp:fortify($hostname, $path, $type)
  max:
    - data
    - internal_data
# Populated by Web > Web Apps > Sign Manifest or webapp:sign()
signature:
# Set by manifest on sign
manifest_version:

Sign the manifest, then you can apply max fortification to the site. Whenever you need to update XenForo, go to Web > Web Apps > Fortification > Web App Write Mode to allow write access. Filling in the database details would allow snapshots to take a copy of your database.

It’s a tradeoff between convenience and security.


On 777, it’s important to look at the visibility of others on the server. Since each user is isolated into its own filesystem slice with BoxFS, the permission set “other” doesn’t matter much. If you have multiple users in the same group - PHP-FPM user included - then 7 in the set “group” would allow them read/write/delete access. Fortification above would open permissions only to the PHP-FPM user, assuming it’s apache,webuser=None.

1 Like
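
A way to see what a leftover chmod 0777 still exposes, following the answer above. This is an added example, not part of the thread or of ApisCP; it assumes GNU find and that only the manifest's data and internal_data directories are meant to be group-writable.

```shell
#!/bin/sh
# Added example: audit a XenForo docroot for leftover 0777-style modes.
# WRITABLE_DIRS mirrors the "max" profile in the manifest from the thread;
# treating group-write as acceptable only there is this example's assumption.
WRITABLE_DIRS="data internal_data"

# audit_xf_perms DOCROOT
# Prints one finding per line: "<class> <octal mode> <path relative to DOCROOT>"
#   world-writable : o+w anywhere in the tree (what chmod 0777 leaves behind)
#   group-writable : g+w outside the directories XenForo has to write to
# Returns 0 when the tree is clean, 1 when at least one finding was printed.
audit_xf_perms() {
    root=${1%/}
    set --    # rebuild the function's args as find exclusions for the writable dirs
    for d in $WRITABLE_DIRS; do
        set -- "$@" ! -path "$root/$d" ! -path "$root/$d/*"
    done
    findings=$(
        # The "other" write bit is never needed, not even for data/internal_data.
        find "$root" -mindepth 1 ! -type l -perm -0002 \
            -printf 'world-writable %m %P\n'
        # The group write bit matters when the PHP-FPM user shares the group.
        find "$root" -mindepth 1 ! -type l ! -perm -0002 -perm -0020 "$@" \
            -printf 'group-writable %m %P\n'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo tree (not a real site): one sane writable directory,
# one directory left at 0777, and one code directory left group-writable.
demo=$(mktemp -d)
mkdir -p "$demo/data/avatars" "$demo/internal_data" "$demo/src"
: > "$demo/index.php"
chmod 0770 "$demo/data" "$demo/data/avatars"
chmod 0777 "$demo/internal_data"
chmod 0775 "$demo/src"
chmod 0644 "$demo/index.php"
audit_xf_perms "$demo" || echo "findings listed above"
rm -rf "$demo"
```
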

Thanks for the detailed answer. I still need to do a lot of reading before I can fully understand those new terms :).

Does it mean less secure only?
But the performance isn’t affected?

This doesn’t work with XF though, as those folders always need write access so avatars/attachments can be stored.

Correct

That’s the purpose of a Manifest above. It’ll always permit write-access to those named directories.

1 Like