The Wizard installer default file and folder permissions just don't make sense to me, and so I decided just to create an issue.
This is the current screenshot:

It's pretty standard to do the following:
644 file permissions for files
755 file permissions for folders
See below:

I just don't understand why I need to correct the obvious every time I do an install?
Setting 777 on a shared hosting is a security risk! So it just makes no sense to me.
It's not just me thinking this; see some past discussion links:
https://octobercms.com/forum/post/default-permission-mask-why
https://octobercms.com/forum/post/still-having-a-write-permission-error
Surely it's time to listen to what people are saying and just set the correct defaults?
(unless there is a good reason for this - which I can't see).
There's a second part to this issue as well, see screenshot:

It says the following:
Important!
For security reasons you should delete the installation files, the install.php script and the install_files directory.
It should also mention deleting the .gitignore file which comes with the package. Adding hidden files to the root and not blocking them: I can inject code into that file quite easily!
@ayumi-cloud I could be wrong, but I think they default to 777 for maximum compatibility, even on servers that are set up so poorly that anything else could cause it to break. @daftspunk care to comment on this one?
Interesting, will wait to see what @daftspunk says.
It would be nice to have a default on localhost automatically set to the above mentioned file permissions etc.
P.S. For the second comment, I have created a pull request to fix that concern, found here: https://github.com/octobercms/install/pull/101
@LukeTowers I think it might be better to default it to 755 and 644 anyways, with a note saying that if permission issues occur, then use 777 and 666, but also explain the risks involved. That way, we're not pushing unsafe values by default.
@ayumi-cloud I'm not quite sure what vulnerability you are referring to with the .gitignore file though. It's only used by Git, and it's supposed to be there to stop people from uploading sensitive data and temporary files to their Git repositories.
@bennothommo
I will quickly give an overview (but not bore you).
.gitignore files are being used to store and distribute the Shade and other ransomware.
The golden rule is to delete any hidden files that you are not using!
The reason hidden files and folders are so great for hackers is because webmasters and developers tend to not check on them periodically!
The other thing is that currently October doesn't block external access to them. But not to fear as we have coded a block solution in our security module.
Here are our goals for that issue:
After installation is complete, the user will be _TOLD_ to delete all the install files (this point is what we need the admins to action right now - please).
Our file scanning software will auto-delete these files anyway (the user needs to turn this option on, as by default it's off to allow a fresh website to be created).
Our security module will block these file extensions from external access (by default).
This way, we have completely patched this potential issue with a ransomware attack and spread.
Hope that makes sense and gives a brief overview of what we are doing with that.
Hmmm, I've heard of .git folders being used for ransomware, but not .gitignore.
@ayumi-cloud for your first point there is already PR https://github.com/octobercms/install/pull/97
@Samuell1 yeah, we've been wondering that. We did have a discussion at our company a couple of weeks ago about a PR that has already been created that deletes the install files etc. after installation. We couldn't find the link at the time.
Could you explain why the install files are still there after installation when you install a fresh install on a localhost for example?
(sorry to write the word install way too many times in that above sentence).
[edit] Sorry, need to ask another question: is your PR aimed at the command line installer or the zip file wizard installer, or both?
When we extract the wizard zip file to the root, after installation the files never get deleted.
Just to share information, what we have done in the security module is the following:
We block external access to the .gitignore file extension.
We have an option in the settings that when turned on will block all url requests containing install.php or install_files so if the files are there, they won't get loaded anyway.
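The two defensive steps discussed in this thread, the 755/644 defaults and an audit for leftover installer artefacts (install.php, install_files, .gitignore), as a small POSIX shell script. This is an added example, not code from the October CMS installer or from any commenter; the function names and the web-root path argument are assumptions.

```shell
#!/bin/sh
# Added example: normalise a web root to 755 (directories) / 644 (files),
# then report anything still world-writable and any installer leftovers.
# Usage: sh audit-webroot.sh /path/to/webroot

# Apply the conventional defaults: 755 on directories, 644 on regular files.
normalize_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Count files and directories under $1 that are still writable by "other"
# (anything carrying the 002 bit, e.g. 777 or 666). Prints the count.
count_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) | wc -l | tr -d ' '
}

# Print any installer artefacts that should not remain in a live web root:
# the install.php script, the install_files directory and the packaged .gitignore.
list_install_leftovers() {
    root="$1"
    for name in install.php install_files .gitignore; do
        [ -e "$root/$name" ] && echo "$root/$name"
    done
    return 0
}

# Run the audit only when a web root is given on the command line.
if [ $# -gt 0 ]; then
    normalize_perms "$1"
    echo "world-writable entries remaining: $(count_world_writable "$1")"
    echo "installer leftovers (delete these):"
    list_install_leftovers "$1"
fi
```

The script only reports leftovers rather than deleting them, so it is safe to run before deciding what to remove.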
@ayumi-cloud my PR is for the wizard installer. Not sure what command line installer you mean, but if you mean Composer, then Composer doesn't generate install files or folders.
@Samuell1 please can you watch this video and give us your thoughts: https://www.youtube.com/watch?v=QNJuEWQnBKs
@ayumi-cloud are you showing that my PR doesn't work? Or I am not sure what you mean now.
@Samuell1
I guess we are saying your PR doesn't work (sorry).
@ayumi-cloud but the PR wasn't merged yet
@Samuell1
hahaha good point, I thought it was merged (I just looked at the date way back in the middle of 2019 and thought it was merged; I didn't check the labels and see the blocked one).
By the way, these code lines: https://github.com/octobercms/install/blob/2ba86bfe977a76415680d0d34e0034cfe997ee89/install_files/php/Installer.php#L863-L865
You could also add the .gitignore file to be deleted in that section.