Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

'is not writable' problems should I chmod 777?


Zych

Recommended Posts

Hello Everybody,

 

I have done a search and I think I know the solution but I am not sure. I have a problem with a couple of directories:

 

/catalog/images

/catalog/admin/backups

/catalog/admin/images/graphs

 

They all say 'is not writeable' in the admin screen. If I change them to all users for permissions (at least the backups directory) it works. The other messages I have found through search say to chmod it to 777. This seems to work as I said but I do not want people to have access to my backups directory. I was thinking that since the admin directory is protected it would not matter if I made the backups '777', correct? People still should not be able to access it. Am I correct in my though process?

 

Thanks,

 

Zych

Link to comment
Share on other sites

I don't really have a problem setting the permissions, I am just wondering how safe this is. Expecially the catalog/images directory. I don't want somebody to go in and change my images. I could just imagine I have a part that has a image, and somebody changes it to some porn pic. Some of my customer would have a stroke. Am I safe to change all of these directories or am I giving everybody permission to write to my directories?

 

- Zych

Link to comment
Share on other sites

I don't really have a problem setting the permissions, I am just wondering how safe this is...

Mmmm.....

 

I see this SO many times on this forum.

 

Just blindly setting file permissions to 777 (because it works) is plain stupid ! You are asking for trouble (and yes, I recognise that you are questioning this very wisdom).

 

You should set the file permissions to the very minimum you can get away with. This depends on the user that the web server is running as, the owner of the files that the web server is expected to serve, etc.

 

As a general good principle, unless you REALLY have to, the web server should not own any files at all. The reason for this is that a user can only delete a file or change the permissions of a file if that user OWNS the file. A very simplified example (don't take this too literally - it really all depends on your set up).....

 

* Say the web server is running as user 'www_u', group 'www_g'. In reality, the user and the group probably have the same name, but I have made them different here for clarity.

 

* Say you have a bunch of files that you want the web server to dish out to clients. You don't want the web server to own these files, so lets' set the owner of all our files to the user 'zych'. If we set the group of the files to 'www_g' we can then set the permissions of all the files to something like 750. This means that the owner (zych) can do anything with the files, but the web server can only read them. No other users / groups can access these files at all. Note that 750 also sets the 'x' (execute) permission which is not strictly needed (640 would be a more accurate setting), but 750 is needed for directories (otherwise you will not be able to get access to them), so it's just convenient to use this value for all the files, and in the case of php files, the extra 'x' permission doesn't really do any harm (though it could do for other types of files).

 

* Note that this does NOT set the 'global' permissions at all - the last digit is always zero.

 

* Now, for files that you need the web server to write to, use permissions of 770. Because we have set the file owner to be 'zych' then the web server may not be able to write the file (it depends on whether it already exists, etc). In this case, you might have to set the owner of the file to 'www_u', but try and avoid this if you can. You may also have to set the directory where the file lives to 770 as well (typically if the file does not already exist and/or depending on how you manipulate the file - ie - if you delete the file and re-create it from the web server). Experiment.

 

HOWEVER, I would recommend that if you can find other mechanisms for editing the files that you would otherwise update via the web server then use THAT mechanism instead (FTP / SSH or some shell script etc - depending on what the files are for). The less stuff the web server can write to the better. These are some cases where this is simply not possible though - cookie directories for example.

 

Another thing is that you should also move any sensitive files (such as config files containing database passwords !) or cookie directories to OUTSIDE of the directory tree that the web server has access to. This prevents someone just reading the file from the web browser (probably not likely with these two example, but nonetheless). It also prevents someone getting access to these files if they manage to break into the web server somehow.

 

I'll shut up now

 

Rich.

Link to comment
Share on other sites

Thanks! That was a lot to digest but it sounded just the way my thinking was going. Now I need to figure out how to modify the owner, groups, etc. The strange thing is that I have some directories that have the same owner and group that seem to work fine. I guess I got a little digging to do.

 

- Zych

Link to comment
Share on other sites

owner/groups should already be setup properly by your host.  dont try to modify those, as i dont think you have rights to do so.

If you on a shared server then yes, you won't be able to alter the owner of the file (the owner should be your user that you log-in by - you would need to be root to change this, but the existing user is probably what you want anyway so this shouldn't be a problem). You should still be able to alter the group though (depends on the OS and how the users/groups are set up).

 

As you say "some of my customers..." (zych) then I'm assuming you have full control over the server, in which case none of this should be a problem for you.

 

Failing that, then I'm afraid you are back to leaving the stable gate open and inviting all the rats in :-)

 

Rich.

Link to comment
Share on other sites

Someone has just PM'd me asking if there is a set of 'standard' permissions that can be used to secure OSC. For the possible benefit of others, here was my reply.

 

Note : I think they were referring to an MS Windows system....

 

------

 

...In which case, the normal (Unix) numeric file permissions are meaningless because MS Windows doesn't use Unix file permissions.

 

I have no idea at all when it comes to Windows - you need to ask a Windows person. Sorry - can't help.

 

For a Unix system, it very much depends on the set-up, which is why I despair when I see comments like "just set the permissions to 777". Even suggesting something more restrictive like "set the permissions to 750" is completely meaningless unless you take into account the user / group of the files being served and the user / group the web server runs as. It's system-specific.

 

So no, there isn't a standard list of settings - you need to assess your system specifically and go from there.

 

Rich

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...