jshhs Posted June 22, 2010
Can anyone help me with this? I have changed all of the permissions as indicated in the documentation, but I am still getting this warning message:
Warning: I am able to write to the configuration file /catalog/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.
I have tried to change the configuration file to 444, but this setting is rejected and it reverts back to 644.

chadcloman Posted June 22, 2010
Perhaps you should bring this up with your website hosting company -- setting it to 444 should get rid of the error message.

jshhs (Author) Posted June 25, 2010
I have contacted my hosting company and this was their reply:
"Our file manager will never let you change a file to permissions that disallow your own access to a file (so anything below 6xx). FTP clients will also try and make the change but this will fail for the same reason (although silently, this isn't something we can change). For this reason, you cannot change files to have 444 permissions on our shared hosting cluster because you will also not have access to modify this file or change the permissions back in future at any point. Actions like this are normally only carried out on hosting platforms wherein you have root access to the server space to override the change in future (for example on a VPS or Dedicated Server). If you wish to disallow access to a file from a web browser then I recommend using a .htaccess file that displays a 403 denied message on access."
I have tried to .htaccess the directory that this file is in, but it causes problems with customers logging in. Is there any other way of protecting this file?

germ Posted June 25, 2010
You can turn the warning off if all else fails.
At the bottom of /includes/application_top.php:
define('WARN_CONFIG_WRITEABLE', 'true');
Change to:
define('WARN_CONFIG_WRITEABLE', 'false');
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -

jshhs (Author) Posted June 27, 2010
Surely there must be a way to protect this file and not just hide the fact that there is a security risk.

jshhs (Author) Posted June 27, 2010
There must be a way to protect this file and not just hide the fact that there is a security risk.

germ Posted June 27, 2010
If it's at 644 permissions it IS protected.
If you don't like what's going on with your site - switch hosts. >_<

MrPhil Posted June 27, 2010
Your host is feeding you a line of crap. 444 permissions still grant you the ability to control your files -- it's 0xx that you want to avoid. If your host really won't let you change a file to 444, they have too much of a "nanny state" mentality and you should switch hosts.
Many servers have been configured to ignore chmod (permission change) requests from FTP clients. If so, use your hosting service File Manager to change permissions.
If you are really at 644, and getting the "I can write to your file" message, that means that Apache/PHP are running as "owner" (possibly via suPHP). You have no choice but to either disable the configure.php check or change to 444. The idea is to take away "write" ability from the executing program, so that by accident or by hack it can't overwrite that critical file.
Some systems are configured so that Apache/PHP run in your "group" or even as "world/other". In such systems, 644 is adequate, as group and world have read-only permissions.
Note that some files and directories are required to be writable by osC, and need write access granted to the appropriate party: 644/755 (the default) if running as owner, 664/775 if running in group, or (temporarily only) 666/777 if running as world.
My sig > FAQs discusses many of these concepts under "Proper Permissions".

jshhs (Author) Posted June 27, 2010
Thanks, I will contact the hosting company again and see what Apache/PHP are running at and if they will change it.

MrPhil Posted June 27, 2010
I doubt they'll change the way Apache and PHP are set up, just to please one customer. You can certainly find out if either is running as owner, in your group, or as world; and adjust your permissions to suit. I think that PHP is the important one, although usually both Apache (server) and PHP seem to run the same way.
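
Added example (not from any poster in this thread and not osCommerce code): a small PHP diagnostic for the owner/group/world question discussed in the two posts above, reporting which class PHP falls into for configure.php and whether that class holds the write bit. The function names and the $path location are assumptions, and the live check needs PHP's POSIX extension.

```php
<?php
// Added diagnostic, not osCommerce code. Request it through the web server
// (not a shell) so it executes as the same user PHP uses for the shop.
header('Content-Type: text/plain');

// Unix checks exactly one permission class: owner if the UIDs match,
// otherwise group if the file's GID is among the process's groups, else other.
function permission_class($fileUid, $fileGid, $procUid, array $procGids)
{
    if ($procUid === $fileUid) {
        return 'owner';
    }
    return in_array($fileGid, $procGids, true) ? 'group' : 'other';
}

// True if the given class holds the write bit in $mode (e.g. 0644).
function class_can_write($mode, $class)
{
    $writeBit = array('owner' => 0200, 'group' => 0020, 'other' => 0002);
    return ($mode & $writeBit[$class]) !== 0;
}

// Constructed sanity cases matching the thread (UID/GID values are made up).
assert(class_can_write(0644, permission_class(1001, 1001, 1001, array(1001))));    // PHP as owner
assert(!class_can_write(0644, permission_class(1001, 1001, 48, array(1001, 48)))); // PHP in group
assert(!class_can_write(0644, permission_class(1001, 1001, 48, array(48))));       // PHP as other
assert(!class_can_write(0444, permission_class(1001, 1001, 1001, array(1001))));   // 444, owner

$path = __DIR__ . '/includes/configure.php'; // assumed location, adjust to your install
if (!function_exists('posix_geteuid') || !is_file($path)) {
    exit("Need the POSIX extension and an existing $path\n");
}

$mode   = fileperms($path) & 0777;
$groups = array_merge(array(posix_getegid()), posix_getgroups() ?: array());
$class  = permission_class(fileowner($path), filegroup($path), posix_geteuid(), $groups);

printf("mode %03o, PHP runs as %s of the file\n", $mode, $class);
printf("mode bits allow write: %s, is_writable(): %s\n",
    class_can_write($mode, $class) ? 'yes' : 'no',
    is_writable($path) ? 'yes' : 'no');

// Advice as given in the thread: owner needs 444; group/other are fine at 644.
echo $class === 'owner'
    ? "Target mode: 444 (use the hosting control panel if FTP chmod is ignored)\n"
    : "Target mode: 644 is adequate (write bit only for the owner)\n";
```

If the two yes/no values on the second output line disagree, something other than the mode bits is deciding access (for example ACLs or a read-only mount). Delete the script from the server once you have the answer.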

jhande Posted June 27, 2010
Personally, John, I would switch hosts. There are too many out there that are set up correctly that you won't have any problems. I am using a rather inexpensive host on a shared server and have never had any problems. Well, not true... I have screwed things up and they corrected my mistakes with just a phone call.
Good luck!
- :: Jim :: -

michaeljayclark Posted June 30, 2010
I was trying to change the permissions with my FTP through Dreamweaver CS5 and was still getting the warning message about being able to write to configure.php. I logged into my hosting provider, SiteGround, and used the cPanel securely, and was able to change the permissions to 444 and eliminate the error message. That was the answer to my situation: SiteGround blocks changes to permissions from FTP to 444.

MrPhil Posted June 30, 2010
Yes, it's well known that many servers block (often silently) FTP requests to change permissions. You have to use your site hosting control panel to change permissions.

jshhs (Author) Posted July 4, 2010
Thanks everyone for your help. My hosting company has now changed this for me, so it will do for now. I will try some of the other suggestions and if not will look at changing host.
Many thanks,
John
This topic is now archived and is closed to further replies.