Why do you require FTP or FTPS

edited December 2011 in Feature Requests
I think this is a serious flaw in the current design of your distribution system. this puts our credentials in the hands of your web site instead of the norm method of having your software on my site calling out to your site (polling to get the latest updates). You shouldn't have access to our site so you can send us updates.

I went through the process of the installing this software and when it asks for the FTP credentials keyed it in thinking because I was using localhost it would be okay, but then I realized from your comment about why you need it that this was being sent across the internet to your web site and I don't even want you to have this information.

The program install doesn't proceed any further at this point (since I don't have FTP or even FTPS set up I guess).

Once I realized this problem, I had to change my password wherever it's used just to fee comfortable again.

Can you supply me with a way to get past this point in the install without the FTP access being required? I will manually update from this point until you can work out a different method of allowing my server to request updates instead of you sending me updates using FTP or FTPS.

Thanks

Comments

  • edited December 2011
    Hello edumont,

    Allow me to clarify this a bit for you, I do understand your concern however.

    We ask for your FTP credentials if and only if you install of CumulusClips doesn't have access to write to the filesystem. If your permissions are set to allow this (and most web hosts do) then you will not even see this screen during installation.


    Let's assume for a second that your install of CumulusClips can't write and we ask you for your FTP credentials. That information is stored on your server. It is NEVER transmitted or exposed to us. We don't even know if you're using FTP vs direct filesystem. When I say us I mean the CumulusClips organization or our central update system.


    When time comes to perform an update or other filesystem-based task, your personal install of CumulusClips logs into itself via FTP to perform these tasks (again never exposing or transmitting your login details).


    Additionally the process of calling-home to check for updates is not tied to your FTP credentials. We do this automatically without the need to use FTP or anything similar. Once the update is detected and you decide to proceed with it, at that point filesystem operations begin which MAY require your FTP details. Again I say may because it's only if your install of CumulusClips can't do this on it's own.


    So all in all, there is nothing for you to worry about. Your info. is always stored locally and never transmitted, shared, or exposed in any way, shape, or form.

    If you still feel uncomfortable about providing your credentials (which you similarly have to do for MySQL anyways), then a workaround would be to ensure your install of CumulusClips has write access / ownership of the files. We can work with you to show you how to do this.


    Hope this clarifies some of your doubts.
  • Thanks, will work with you to skip the ftp credentials screen
  • edited December 2011
    Ok, so to avoid using FTP during install you need to make sure the user Apache runs as on your server has write access to the files.

    If you're being asked for FTP settings this is because the CumulusClips files are owned by a user that isn't Apache. This is common if when you upload your install they files are owned by your FTP user and Apache runs as a different user. To fix this you have three options:

    =============================================
    Option 1:

    Change the owner of the files on your server to Apache, www-data, apache, and http are all common users. Ask your webhost for the definitive answer.

    Once you change the ownership of the files over to Apache, then PHP and thus your install of CumulusClips will be able to write and you won't be prompted for FTP.

    This will keep all your file permissions as: 755 for directories and 644 for files.

    *Warning: If the username used upload files manually via FTP is different from the new owner of your files, then you won't be able to upload or change files manually via FTP.


    =================================================
    Option 2:

    1) Add the Apache user to the group which currently owns all your files.
    2) Change the permissions on your files to: 775 for directories and 664 for files.

    This takes care of the warning from option 1, and you'll still be able to manually do FTP when you want. You will also no longer be prompted for FTP during install.


    ====================================================
    Option 3:


    If this is an internal project and security is not an issue you could provide write access to all users. Using cPanel, Plesk, or similar admin system grant all write privileges recursively on your cumulusclips directory.

    Or simply run this command from a shell environment:

    chmod -R 777 {YOUR_CUMULUSCLIPS_DIRECTORY}

    That will make sure your install of CumulusClips can write to the filesystem and you won't be prompted for FTP during install.

    ==============================================

    Again this is only if Apache does not have write access to your file, which all of our supported hosts, and even general web hosts as well, already do.

    Let me know how it goes.
  • Thanks for your prompt and detailed responses.

    This info should get me where I need to be to have it up and running
  • I had originally run the chmod -R 777 on the directory (option #3) but that didn't work, so I ran sudo chown -R www-data (my apache owner) and this got me passed the FTP request screen.
  • edited December 2011
    Okay perfect! So you basically went with option 1. Glad we could help, and let us know if there is anything else you need.

    Also, I know you probably moved on, but I wanted to re-iterate, just to make sure anyone else reading this is also clear.

    The update feature works as you originally desired. Your site checks for updates via an HTTP request not FTP. Your FTP only comes into play when it comes time to actually apply the update. And again that happens locally on your server, completely disconnected from us; and only happens if CumulusClips can't write to the filesystem directly.

    No login is ever passed to us. This practice is pretty standard, and is used by other CMS's such as WordPress, and Vanilla Forums for example.
This discussion has been closed.