configure.php writable with chmod 444


Hello,

 

Just installed osC on a linux server,

I have chmodded both:

/catalog/includes/configure.php

/catalog/admin/includes/configure.php

I've tried 644 and 444 and 600, both using FTP and SSH. The warning that the file can still be written to is still displayed. (I have now disabled that warning in the application_top.php, but don't think that's an elegant solution.)

The files are chowned by the same user as apache/php, so 644 doesn't make sense - and I can't chown them to anything else (tried that, but chown isn't allowed by our SSH tunnel, it seems).

However, 444 should be sufficient to render the file read-only, so I'm perplexed why this error should continue to display. (Installing on a Windows server and setting the file read-only worked just dandy.)

I have installed the software to /catalog and placed a soft link in the secure-public folder - we are using a shared SSL certificate that requires our secure pages be in another folder (for now).

Any help would be greatly appreciated.

 

-ken


If that be the case then you need to change hosts, as the 444 allowing someone to write to the file means that all of them are.

 

Thanks, however - I trust this host with very good reason - and know that when I do a chmod in my other scripts, that permission is valid. I'd love to look at the code that tests the file, to have a look at how it determines that the file is writeable. That would make me feel more comfortable. If you can, enlighten me as to where I'd look for the test scripting.

 

-ken

Did my own checking.

Revealed some interesting stuff - and hope this can maybe help others.

The function is in header.php, and I actually attempted to both append and write to the file.

// check if the configure.php file is writeable
 if (WARN_CONFIG_WRITEABLE == 'true') {
   if ( (file_exists(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) && (is_writeable('/services/webpages/h/a/hardwaregods.net/public/catalog/includes/configure.php')) ) {
     $ken_fh = fopen('/services/webpages/h/a/hardwaregods.net/public/catalog/includes/configure.php','a') or die('can\'t open file');
     fwrite($ken_fh, "\n // This line added by ken");
     fclose($ken_fh);
     
     $messageStack->add('header', WARNING_CONFIG_FILE_WRITEABLE, 'warning');
   }
 }

 

Sure enough - my hack dies and declares that it IS unable to open the file for writing.

The PHP manual says that the web server may be running as user nobody - I'm not sure - and don't care to check, however - the is_writeable is not a definitive answer to whether or not the file is actually writeable. I have updated my hack as follows:

// check if the configure.php file is writeable
 if (WARN_CONFIG_WRITEABLE == 'true') {
   if ( (file_exists(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) && (is_writeable(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) ) {
     if($ken_fh = fopen(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php','a')){
    	 fclose($ken_fh);
    	 $messageStack->add('header', WARNING_CONFIG_FILE_WRITEABLE, 'warning');
     }
   }
 }

which actually tries to open the file for writing, and if it succeeds - it shows the warning.

 

I have also confirmed that my webserver and files are owned by the same user - thus the file permission needs to be 444, or 400 (if you are paranoid). 644 will continue to show the warning - as PHP is the owner of the config file.

 

-ken
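
The gap between what is_writable() reports and what a real open attempt does, as an added example that is not part of the original posts or of osCommerce. probe_writable() is a hypothetical helper, the scratch file is constructed, and PHP 7+ with the posix extension on a POSIX system is assumed; it also reports whether the PHP process owns the file, since an owner can set the write bit back with chmod().

```php
<?php
// Added example: compare is_writable() with a real open-for-append attempt.
// probe_writable() is a hypothetical helper, not an osCommerce function.
// Assumes PHP 7+ on a POSIX system with the posix extension loaded.

function probe_writable(string $path): array
{
    if (!is_file($path)) {
        // fopen(..., 'a') would create a missing file, so refuse early.
        throw new InvalidArgumentException("not a regular file: $path");
    }
    clearstatcache(true, $path);   // drop cached stat() results first
    $owner = fileowner($path);
    $euid  = posix_geteuid();

    // Definitive test: open for append, write nothing, close again.
    $fh = @fopen($path, 'a');
    $opened = ($fh !== false);
    if ($opened) {
        fclose($fh);
    }

    return [
        'mode'         => sprintf('%04o', fileperms($path) & 0777),
        'process_owns' => ($owner === $euid),
        'is_writable'  => is_writable($path),
        'append_opens' => $opened,
        // The owner (or root) can normally chmod the write bit back on,
        // so a read-only mode does not stop code running as that user.
        'can_rechmod'  => ($owner === $euid || $euid === 0),
    ];
}

// Constructed sample: a scratch file standing in for includes/configure.php.
$file = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($file, "<?php // constructed sample config\n");

foreach ([0644, 0444, 0400] as $mode) {
    chmod($file, $mode);
    echo json_encode(probe_writable($file)), "\n";
}

// Deleting depends on the directory's permissions, not the file's mode.
unlink($file);
```

Run it as the same user the web server uses; under root the permission bits are bypassed and every mode reports as writable.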


  • 3 weeks later...

Just a tip, this worked for me.

 

Q: Warning: I am able to write to the configuration file: /www/u/usernamne/htdocs/osCommerce/catalog/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.

 

A: In a new PHP file, insert the following:

 

<?php

chmod('includes/configure.php', 0444);

?>

 

Save as chmod.php and upload to /catalog and /admin (just to be safe). Then access the pages in a browser ( www.domain.com/pathto/catalog/chmod.php ) and you'll be set.


Archived

This topic is now archived and is closed to further replies.
