
Permissions on directories and files


Perphide


When I use the file manager under the admin section, I always get an error that I must set permissions.

This is logical, otherwise I can't edit the files.

But is it really needed to set all files to 777?

Isn't that a great security risk?

Or is there another option to do this without letting all users access the files?

744 would be better

****

pls do not use the "file manager"; it's the source of all kinds of problems

****

 

copy the site to your local PC, edit and upload the changes

 

additional benefits: you will have a "local" copy in case something goes really wrong on the server.

"If you're working on something new, then you are necessarily an amateur."


Ok, that's also a good idea.

But how about directories like backups under the admin directory?

It needs to have write permissions for everyone, otherwise osCommerce can't write to it.

So I still need to change some permissions.

This is my 1st experience with osCommerce, having used Miva Merchant like crazy. I have a feeling I am going to have to ask for a passel of patience - and help.

*sigh*

I am at the beginning of this and already frustrated. I have gone into my c/panel's FTP and chmod at 744 and the bloody error message "Warning: I am able to write to the configuration file: /www/b/botavina/htdocs/osCommerce/catalog/includes/configure.php. This is a potential security risk - please set the right user permissions on this file" still won't go away. I followed one suggestion of marking the file read only on PC, which did not change the error message. I am working both PC and Mac platforms. Help?


Post Install Permissions:

777 (catalog)/admin/backups/

777 (catalog)/admin/images/graphs/

777 (catalog)/admin/images/graphs/banner_daily-1.png

777 (catalog)/admin/images/graphs/banner_infobox-1.png

755 (catalog)/admin/includes/

644(444) (catalog)/admin/includes/configure.php

777 (catalog)/admin/tmp (file sessions)

777 (catalog)/cache/ (cache / absolute path)

755 (catalog)/download/

777 (catalog)/images/

755 (catalog)/includes/

644(444) (catalog)/includes/configure.php

777 (catalog)/pub/

777 (catalog)/temp/ (4 Easy Populate)

 

-----

Many hosters provide "Website Administration Panels" like:

PLESK, CPANEL, ENSIM, EAT etc.

For more info: Google the name :D

"If you're working on something new, then you are necessarily an amateur."


can somebody write a new file in the 777 backup directory without ftp access ?

 

/admin/ and /admin/backups/ should be protected

 

you yourself can make a backup of your db by going to admin => tools => Database backup.

"If you're working on something new, then you are necessarily an amateur."


ok thx but is it possible to hack a 777 backup via http ?

 

PS should the backup not be 777 for the admin thing to work ?

 

what do you not understand?

 

i posted all the post-installation chmod permissions higher up

 

OF COURSE you have to PROTECT your ADMIN directory (login + password) by means of a website administration panel (see higher up) or by means of an .htaccess file

 

backup is a subdir of /admin/: if admin is protected, also the subdirs are protected.

"If you're working on something new, then you are necessarily an amateur."


  • 2 weeks later...

he he!

 

if you have ssh and ftp, you're way ahead of the cpanel crowd! however you need to learn a few unix commands.

 

chmod 777 = everyone can do anything. NOT SECURE!

i'm guessing for the backups - you should set the files to 644 at most.

(that is Owner r/w, Group r/w, Everyone - r only.) Note the directory needs to be executable if you want to read the files in it....

 

if you have a typical isp, you will find that the owner for your web service, ftp, ssh and all else is the same user. Thus any permission that allows you to read or write to the file will allow php users to read and write the file. (php if installed as an Apache module runs as the user that apache runs as), thus - you can't use a permission on

 

what i prefer to do - is place backup and config files outside of the server root. That way - apache won't allow access to these files ever, however php can - as long as the files are not locked to the apache user.

 

example directory:

 

/var/wwwfiles/public/index.html <- the page you see when you visit www.mysite.com

/var/wwwfiles/private/backups <- files that php can write to, and i can grab by ftp.

/var/wwwfiles/secure <- my secure (https:// directory)

/var/wwwfiles/cgi-bin <- perl script and other cgi executables.

 

otherwise if you are using:

var/wwwfiles/public/backups then you should install a .htpasswd file (there are some other posts on this forum how to do that) and secure the directory that way.

 

hope that's helpful.

ken
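
Added example, not part of the original thread: a small shell audit that compares a catalog tree against the post-install permission list posted above and shows which write bits remain on `configure.php` under 644 versus 444. The function names and the `audit.sh` file name are hypothetical; the expected-777 paths are copied from that list.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are relative to the catalog root
# and follow the "(catalog)/..." layout of the post-install list above.

# Paths the post-install list sets to 777.
expected_writable() {
    cat <<'EOF'
admin/backups
admin/images/graphs
admin/images/graphs/banner_daily-1.png
admin/images/graphs/banner_infobox-1.png
admin/tmp
cache
images
pub
temp
EOF
}

# Every world-writable file or directory under root $1, one per line.
world_writable() {
    (cd "$1" && find . \( -type f -o -type d \) -perm -0002 -print) |
        sed 's|^\./||' | sort
}

# World-writable paths that the list above does not call for.
unexpected_writable() {
    world_writable "$1" | while IFS= read -r p; do
        expected_writable | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

# Which classes (owner/group/other) may still write to file $1.
# 644 leaves "owner"; 444 leaves nothing.
write_bits() {
    out=""
    if [ -n "$(find "$1" -prune -perm -0200)" ]; then out="$out owner"; fi
    if [ -n "$(find "$1" -prune -perm -0020)" ]; then out="$out group"; fi
    if [ -n "$(find "$1" -prune -perm -0002)" ]; then out="$out other"; fi
    printf '%s\n' "${out# }"
}

# Usage: sh audit.sh /path/to/catalog
if [ "$#" -gt 0 ]; then
    unexpected_writable "$1"
    for c in includes/configure.php admin/includes/configure.php; do
        [ ! -f "$1/$c" ] || echo "$c writable by: $(write_bits "$1/$c")"
    done
fi
```

On a host where PHP runs as the file owner, as described in the post above, an "owner" result for `configure.php` means the shop itself can still write to the file.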


Archived

This topic is now archived and is closed to further replies.
