Gallery2:How do I secure Gallery2 - Gallery Codex
Personal tools

Gallery2:How do I secure Gallery2

From Gallery Codex

How Do I Secure Gallery2

Under Linux the Gallery2 installation secures the config.php file by using chmod 644 config.php, however this leaves the Install and Upgrade folders open to any web browser.

Even though any Internet user can browse these folders, Gallery2 doesn't let them advance any further without authenticating via the installation password, safely hidden in config.php. But if you're still paranoid about the exposure of the Install and Upgrade folders to the world you can follow these steps to hide them from public view.

Assumptions

This How-To assumes your Gallery2 installation is running on a Linux platform.

Requirements

You will need to have shell access to your installation (i.e. SSH or telnet) or an FTP client with the ability to chmod. Wherever you're instructed to type a command such as ls or chmod you will need to use the respective feature in your FTP client.

Removing Access to the Install and Upgrade Folders

Login to Your Web Site

Login to your web site and navigate to your Gallery2 folder (i.e.: cd public_html/gallery2)

View Existing Permissions

Enter ls -l and press ENTER to display a directory listing with permissions, file and group owner, timestamp, and filename. Look for these entries:

drwxr-xr-x    8 apache apache     1024 Oct 16 20:50 install
...
drwxr-xr-x    8 apache apache     1024 Oct 16 20:51 upgrade

Notice the permissions (drwxr-xr-x) assigned to the Install and Upgrade folders. This equates to chmod 755 which allows Internet users to browse the contents of the folder. Files contained in the folder may have different permissions and will not be altered.

Change the Permissions

To hide these folders from public view, enter the following commands each followed by the ENTER key:

chmod 744 install
chmod 744 upgrade

Typing ls -l should give you this:

drwxr--r--    8 apache apache     1024 Oct 16 20:51 install
...
drwxr--r--    8 apache apache     1024 Oct 16 20:51 upgrade

This won't change the permissions of files and child folders but it will make it impossible to access them.

Try browsing either folder in Firefox or Internet Explorer (i.e.: http://www.yoursite.com/gallery2/install or http://www.yoursite.com/gallery2/upgrade). You should see an error page similar to this:

Forbidden

You don't have permission to access /gallery2/install/ on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Apache/1.3.33 Server at www.yoursite.com Port 80

With chmod 744 you'll still be able to navigate into the folders using a command shell but unable to view the contents from a web browser. You could chmod 644 but it will revoke your ability to cd into the folder until you change the permission back to 744 or 755.

WARNING: Before Performing Web-based Upgrade or Install

If you need to update your Gallery2 installation using a web browser you'll need to change the permissions back to 755.

Restoring Acccess to the Install and Upgrade Folders

Login to Your Web Site

Login to your web site and navigate to your Gallery2 folder (i.e.: cd public_html/gallery2)

Changing the Permissions

To restore these folders for public view, enter the following commands each followed by the ENTER key:

chmod 755 install
chmod 755 upgrade

You can now access these folders in your web browser to perform an upgrade or re-run the installation process.

Miscellaneous Notes

When using the chmod command don't add the -R flag. Doing so will alter permissions on all child files and folders potentially causing problems.

advertisements