I need to have my husband David check this out ASAP:
How were they able to do this? So far I think the answer is that my webhost was running suEXEC, yet I hadn’t uncommented the Umask lines in the mt.cfg. See Enabling Security features in the MT Installation manual. Movable Type produces files with permissions set so that people other than the owner have “write” privileges. If you have Cgiwrap or suEXEC you really do need to uncomment the Umask lines in your mt.cfg file. The Umask lines will set more restrictive permissions on the Movable Type files. If you don’t know if you are running Cgiwrap or suEXEC you need to run mt-check.cgi which will tell you if you are.
I think it’s probably not a problem, but my personal tech geek will have a look at it.
hi Ginny,
I’ve updated my post. I don’t honestly know what is causing the problem and I don’t want to imply that it is a fault in MT unless I’m much more sure.
Still, the Umask settings should be set if you are running CGIwrap or suEXEC.
Hi, Elise! Gosh, I’ve implemented a lot of things around here because of your site, thank you for stopping by. David tells me that we’re not running those. I hope you’ve had no further trouble.
Hi Ginny,
suEXEC and CGIwrap give you extra protection, if you uncomment the Umask settings. Otherwise, if you don’t have suEXEC or CGIwrap you are somewhat exposed. MT generates files with 666 (everyone can read and write to the file) permissions. If you are running CGIwrap or suEXEC and you uncomment the Umask lines, the file permssions are then set to be more restrictive.
That said, I don’t know actually what is causing the problem. But I guess it helps to take whatever extra security measures you can.