Zhimeng cms directory permission Security Configuration Tutorial (iis/apache/windows/linux)

.. /"Site Superior Directory"
If you want to use the background directory-related features, you need to have permissions to list directories//0444

/"Site root directory"
Need to execute and read permissions if you want to create files and directories under the root directory, write permissions are required//0755

/install "Installer Directory"
Need to have execute and Read permission//recommend installation completed after deletion or renaming//0555

/dede "Background Program directory"
Need to have execute permission and Read permission//recommend to modify the directory name after installation is complete//0755

/include "Main program directory"
Write, execute, and Read permissions are required//0755//recommended to remove Write permissions and modify permissions after the first installation (when rewriting the configuration file to temporarily open write and modify permissions)//0555

/member "Member catalogue"
Need to perform read and permissions//recommend removing write permissions and modifying permissions//0555

/plus "Plugin Directory"
Permission to read, write, and execute//recommend removing write permissions and modifying permissions after the site map and RSS files have been generated//0755

/data "Site cache data, etc. files"

Need to have read permission and write Modify permission//recommend remove execution Permissions//0755

/sessions
Read, write, modify, and Execute permissions//suggestions are required: 0777
/html "HTML Document default directory"
Need to have read modification and create permissions//recommend removing execution permissions//0666
/templets "Template Catalog"
Read Modify Write permission required/recommended Remove EXECUTE permission//0666
/uploads "Attachment Directory"
Write Read permission required//recommended Remove execution Permissions//0666

/company "Enterprise Yellow Pages Program directory"
Read and Execute permissions required//recommended to remove Write permissions//0555

/special "topic Document Catalogue"
Need to execute, read, write, and Modify permissions//0755

/book "Library Module program Directory"
Need to execute, read, write, and Modify permissions//0755

/ask "Question and Answer module program directory"
Need to execute and Read permissions//recommend removing Write permissions//0555

/group "Circle Module Program Directory"
Need to execute and Read permissions//recommend removing Write permissions//0555

The following is a detailed introduction to the official Website Directory Security Configuration Tutorial

1, directory Permissions
We do not recommend the user to set the column directory in the root directory, because this security settings will be very troublesome, by default, after the installation is complete, the directory settings are as follows:
(1) data, templets, uploads, a or 5.3 HTML directory, set to read-write, not enforceable permissions;
(2) Do not need a special topic, it is recommended to delete the special directory, you need to be able to generate HTML, delete the special/index.php and then set this directory to be read-write, not enforceable permissions;
(3) Include, member, plus, admin directory set to executable script, readable, but not writable (with add-on modules installed, book, ask, company, group directory is also set).

2, other need to pay attention to problems
(1) Although the install directory has been strictly dealt with, but for the sake of security, we still recommend that it be deleted;
(2) Do not use the site directly to the MySQL root user permissions, to each site to set up a separate MySQL user account, permission is:

code is as follows	copy code
select, INSERT , UPDATE, DELETE Create, DROP, INDEX, ALTER, create temporary TABLES

Because Dede does not use stored procedures anywhere, it is important to disable file, execute, and so on to execute stored procedures or file operations.

3, how to set the directory permissions?
For users who will use Linux, I believe most of them already know these things, IIS users, please look at the following figure:
(1) Set the directory to read-only
Replication Permissions


Set to read-only


(2) The Set directory does not allow execution

Also note that the problem is that both IIS and Apache do not include. PHP and. inc files in MIME, so the system will prevent downloading of these files.

Report:
1.Apache Site security Settings
If you are Windows2003, you can do the following for Apache:
1.1. Create an account within the local user and group in Computer Management, such as: Dedeapache, password set to DEDEAPACHEPWD, join Guests group (if there is a problem, you can give user permission);

1.2. Open-> Administration Tool-> Local Security policy, select "Log on as service" in "User Rights Assignment", add Dedeapache user;

1.3. Computer Management to select Services, find apache2.2, first stop the service, right click the-> attribute, select login, switch the radio box from the local System account to this account, and then find the choice of Dedeapache, enter the password dedeapachepwd, Then click OK (this time Apache can not start normally, the general situation will certainly be the error: Apache2.2 service due to 1 (0x1) Services error and stop. ）；

1.4. To give the Apache installation directory (such as: d:/apache2.2) and the Web directory (such as d:/wwwroot) Dedeapache account read and Write permissions, remove the root directory of each disk except Administror and system of all permissions, To give the Dedeapache installation directory the disk root directory where the Apache account has read column directory permissions

We can add the following content in the site configuration:

The code is as follows

Copy Code

<directory "D:dedecmswwwuploads" > <filesmatch ". php" > Order Allow,deny Deny from all </FilesMatch> </Directory> <directory "D:dedecmswwwdata" > <filesmatch ". php" > Order Allow,deny Deny from all </FilesMatch> </Directory> <directory "D:dedecmswwwtemplets" > <filesmatch ". php" > Order Allow,deny Deny from all </FilesMatch> </Directory> <directory "D:DEDECMSWWWA" > <filesmatch ". php" > Order Allow,deny Deny from all </FilesMatch> </Directory>

This corresponds to canceling the script execution permissions for the corresponding directory.

2.data Directory path Change
In addition, in Dedecms V5.7 users can also set the data directory to the previous level of non-Web Access directory, the basic operation is as follows:
2.1. Move the data directory to the previous level, where you can cut the past directly;
2.2. Configure Dededata files in include/common.inc.php

The code is as follows	Copy Code
Define (' Dededata ', dederoot. /data '); Can be changed into classes such as: Define (' Dededata ', dederoot. /.. /.. /data ');

DEDECMS official website does not write the permission configuration in Linux below let's introduce

First, directory permissions settings
The Web server is running a user that must be different from the directory owner user, for example, if Apache is running the WWW, then the owner of the Site directory setting should not be set to WWW, instead of setting up users, such as CentOS, who are not www.
Here we assume that the Web server is running as a WWW user and that the site is assigned a centos,dedecms site root as/home/centos/web.
Users are not advised to set the column directory in the root directory, because this security settings will be very troublesome, in the default, the installation is completed, the directory settings are as follows:
1, first set the site directory owner for CentOS, the user group for WWW, the directory set to 750, the file is 640.

The code is as follows	Copy Code
Cd/home/centos Chown-r centos.www Web Find Web-type d-exec chmod 750 {}; Find Web-not-type d-exec chmod 640 {};

2, data, templets, uploads, a images directory, set to read and write, can not execute the permissions;
To set up read-Write permissions:

The code is as follows	Copy Code
Cd/home/centos/web Chmod-r 770 Templets uploads a images

Second, set the non-performing permissions:
Apache settings, add the following code to the Apache configuration file (in the case of the uploads directory, the other settings are basically the same).

The code is as follows	Copy Code
<Directory/home/centos/web/uploads> Php_flag engine off </Directory> <directory ~ ' ^/home/centos/web/uploads ' > <files ~ '. php ' > Order Allow,deny Deny from all </Files> </Directory> The Nginx settings are as follows: Location ~* ^/(templets|uploads|a|images)/.*. (PHP|PHP5) $ { Deny all; }

3, do not need a special topic, it is recommended to delete the special directory, you need to be able to create HTML, delete the special/index.php and then set this directory to read-write, not executable permissions, which describes how to set the read-write and not executable permissions, here is not repeated.

Third, the data directory path changes
In addition, in Dedecms V5.7 users can also set the data directory to the previous level of non-Web Access directory, the basic operation is as follows:
1. Move the data directory to the previous level, where you can cut the past directly;
2. Configure Dededata files in include/common.inc.php

The code is as follows	Copy Code
Define (' Dededata ', dederoot. /data ');

Can be changed into classes such as:

The code is as follows	Copy Code
Define (' Dededata ', dederoot. /.. /.. /data ');

3. Background settings Template Cache path

Iv. Other matters needing attention
1, although the install directory has been strictly dealt with, but for the sake of security, we still recommend that it be deleted;
2, do not use the Web site directly with the MySQL root user permissions, to each site to set up a separate MySQL user account, permission is:
SELECT, INSERT, UPDATE, Delete,create, DROP, INDEX, ALTER, CREATE temporary TABLES
Because Dede does not use stored procedures anywhere, it is important to disable file, execute, and so on to execute stored procedures or file operations.
Suppose we set up the database named Centosmysql, the database user is centosmysql, the password is 123456, the specific setting command is as follows:

The code is as follows	Copy Code
Mysql-uroot-p Mysql>grant select,insert,update,delete,create,drop,index,alter,create Temporary TABLES on centossql.* to Centossql@localhost identified by 123456; Mysql>flush privileges; Mysql>exit

3, change the default management directory Dede, changed to not easy to be guessed good.
4, pay attention to the background update notice, check whether the latest Dedecms patch.
5, log in to the background when using a browser to prevent JavaScript login.