.keep and .well-known directories

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, General Support Moderators

Niwde23
Joomla! Fledgling
Posts: 3
Joined: Sat Dec 15, 2018 1:15 pm

.keep and .well-known directories

Post by Niwde23 » Tue May 04, 2021 1:40 pm

After making an Akeeba backup I saw 3 warnings that were not present last time. These concern directories with .keep that are not readable. Added 4/20/21. Rights 0400. Owner/group 0 0. There also is a folder .well-known with acme-challenge that is empty. Rights 0755. Is that OK? Isn't that a hack?

abernyte
Joomla! Virtuoso
Posts: 3995
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: .keep and .well-known directories

Post by abernyte » Tue May 04, 2021 3:19 pm

.keep folders are usually a developer file for Git to ensure the folder, if empty, is read by Git. 0400 is owner read only.
.well-known is for SSH and at 0755 is readable to others but only writable by owner.
They do not appear to present any risk but only you know how the site was developed and maintained.
What we obtain too cheap, we esteem too lightly…Thomas Paine

mjparadac
Joomla! Hero
Posts: 2255
Joined: Mon Oct 29, 2012 3:58 pm

Re: .keep and .well-known directories

Post by mjparadac » Tue May 04, 2021 4:18 pm

I agree with the previous post, these folders do not represent security risks.

Regards,
Joomla Community Ambassador for A2 Hosting | A2 Hosting - Our speed, your success | https://www.a2hosting.com/joomla-hosting

brian
Joomla! Master
Posts: 12085
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: .keep and .well-known directories

Post by brian » Tue May 04, 2021 9:00 pm

.well-known is used for Let's Encrypt SSL auto renewal - that's what the acme-challenge is for
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

leolam
Joomla! Master
Posts: 20314
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: .keep and .well-known directories

Post by leolam » Sun May 09, 2021 6:03 pm

brian wrote:
Tue May 04, 2021 9:00 pm
.well-known is used for Let's Encrypt SSL auto renewal - that's what the acme-challenge is for

It is also used as a folder when you want to verify at Namecheap and need to put a verification file into a folder, e.g. .well-known

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Webmaster Services: gws-webmaster.services
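
A read-only check for the question raised in this thread, added here as an example (it is not from any poster or from the Joomla! project): it walks a web root and reports mode and owner for every .keep entry and everything under .well-known, flagging symlinks, world-writable entries, non-empty .keep files and acme-challenge files whose names are not base64url tokens. The function names, the sample tree and the rule that a .keep placeholder is normally empty are assumptions.

```python
import os
import re
import stat
import tempfile

# RFC 8555 HTTP-01 challenge files are named after a base64url token.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

def audit_webroot(root):
    """Return sorted (relpath, mode, uid, gid, note) for .keep and .well-known entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            parts = rel.split(os.sep)
            if name != ".keep" and ".well-known" not in parts:
                continue
            st = os.lstat(os.path.join(root, rel))  # lstat: never follow symlinks
            is_file = stat.S_ISREG(st.st_mode)
            if stat.S_ISLNK(st.st_mode):
                note = "symlink: check target"
            elif st.st_mode & stat.S_IWOTH:
                note = "world-writable"
            elif name == ".keep" and is_file and st.st_size:
                note = "non-empty .keep: inspect"  # assumption: placeholders are empty
            elif is_file and parts[-2:-1] == ["acme-challenge"] and not TOKEN_RE.match(name):
                note = "not an ACME token name"
            else:
                note = "ok"
            findings.append((rel, oct(stat.S_IMODE(st.st_mode)), st.st_uid, st.st_gid, note))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree (not data from the thread) for a dry run."""
    acme = os.path.join(root, ".well-known", "acme-challenge")
    os.makedirs(acme)
    os.makedirs(os.path.join(root, "images"))
    files = [(os.path.join(root, "images", ".keep"), 0o400, ""),
             (os.path.join(acme, "x.php"), 0o644, "constructed")]
    for path, mode, body in files:
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    for d in (acme, os.path.dirname(acme)):
        os.chmod(d, 0o755)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in audit_webroot(build_sample(tmp)):
            print(row)
```

On a real site, call `audit_webroot` with the Joomla! document root; entries owned by uid/gid 0, as in the original question, show up in the third and fourth columns.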

