Bizarre configure.php security warning


zwayne


Posted

Today I go to our oscommerce 2.x store and see the warning:

 

Warning: I am able to write to the configuration file: /home/detail7/public_html/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.

 

I immediately check the permissions and configure.php is 644, which should be fine. I change it to 444 and the warning goes away. Back to 644 and the warning reappears.

 

This is a store that has been up for at least three years. 644 has been used from the outset and the warning has never been seen until today. Weird.

 

Any ideas?

 

(BTW, I have site monitor installed and no file changes have been detected.)

Posted

It sounds like your hosting provider finally updated permission settings, catching your configure.php files at 644 when in fact they SHOULD BE 444.

 

 

 

 

Chris

Posted

I went thru the same thing when they upgraded PHP versions on the server.

 

On one version 644 was acceptable.

 

After the PHP upgrade I had to go with 444.


Posted

It all depends on whether PHP is running as "owner", in your "group", or as "other" ID. If PHP is not owner, 644 will be fine. osC is only concerned about whether its PHP code can overwrite the file. It doesn't matter who the real owner (you) is. If PHP is running as owner (e.g., suPHP is installed), you will need to have 444 permissions (read-only even to the owner).
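The owner/group/other rule described in the post above, as an added example that is not part of the original thread and not osCommerce code: it models the POSIX mode-bit decision for a file at 644 and 444, once with PHP running as the file's owner and once as an unrelated account. The UID/GID values and the function names are constructed for illustration.

```python
import os
import stat
import sys

def can_write(mode, file_uid, file_gid, proc_uid, proc_gids):
    """POSIX mode-bit check: exactly one class applies, tried in the order
    owner, group, other. ACLs and read-only mounts are not modelled."""
    if proc_uid == 0:
        return True  # root is not restricted by the mode bits
    if proc_uid == file_uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in proc_gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def audit(path):
    """Run the same check for the current process against a real file."""
    st = os.stat(path)
    gids = set(os.getgroups()) | {os.getegid()}
    return can_write(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                     os.geteuid(), gids)

# Constructed IDs: the hosting account that owns configure.php, and a
# separate web-server account that is neither owner nor in its group.
SITE_UID, SITE_GID = 1001, 1001
WWW_UID, WWW_GID = 33, 33

def scenarios():
    """(who PHP runs as, mode, writable?) for the two modes in the thread."""
    rows = []
    for label, uid, gid in (("owner (e.g. suPHP)", SITE_UID, SITE_GID),
                            ("other", WWW_UID, WWW_GID)):
        for mode in (0o644, 0o444):
            rows.append((label, oct(mode),
                         can_write(mode, SITE_UID, SITE_GID, uid, {gid})))
    return rows

if __name__ == "__main__":
    for label, mode, writable in scenarios():
        print(f"PHP as {label:20} {mode}  writable={writable}")
    if len(sys.argv) > 1:  # optional: path to a real file to check
        print(sys.argv[1], "writable by this process:", audit(sys.argv[1]))
```

Only the owner-at-644 case comes out writable, which matches the one combination in which the thread reports the warning.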

Posted

My webhost told me that no configuration changes were made over the weekend, nor has PHP been updated in almost a year. They do use suPHP and have done so for years. So based on what MrPhil said, I really needed 444 all along. Why the error message started popping up only recently must remain a mystery...

Archived

This topic is now archived and is closed to further replies.
