sudodo

"/site/config.php must be writable" < only works with permissions set to 777


777 seems excessive - is there something that I'm missing here?

This is a printout of the /site content:

```
total 28
drwxrwxr-x 6 geot geot 4096 Sep  9 13:30 .
drwxrwxr-x 8 geot geot 4096 Sep  9 13:17 ..
drwxrwxr-x 2 geot geot 4096 Sep  6 10:10 assets
-rwxrwxrwx 1 geot geot 1548 Sep  6 10:10 config.php
drwxrwxr-x 3 geot geot 4096 Sep  6 10:10 install
drwxrwxr-x 2 geot geot 4096 Sep  6 10:10 modules
drwxrwxr-x 5 geot geot 4096 Sep  6 10:10 templates
```

I'm sure that I shouldn't have to have permissions so high, but I'm pretty new
to this.


Here's a shot of the setup that I'm currently going through:


http://imgur.com/a/WkhAX


You can see that the error (for site/config.php) is no longer there with these
permissions, but they still 'feel' wrong.

Thanks
 


@szabesz thanks - I'm still not sure though. Because the permissions are not related to user or group, it's the 'other' that makes the difference to me.

So if I have permissions set to

```
chmod 006 config.php
```

It works alright, but this isn't what it should be, I think.

Thanks

8 minutes ago, sudodo said:

> chmod 006 config.php

You mean 600, right? If so, that should be considered to be secure. If others than the owner can manage to write files set to 600 [rw-------], then it does not matter too much if it is 400 or 600, I suppose.

23 minutes ago, szabesz said:

> You mean 600, right? If so, that should be considered to be secure. If others than the owner can manage to write files set to 600 [rw-------], then it does not matter too much if it is 400 or 600, I suppose.

No, 006! :P

I'm not sure why it's working with this though.


I see. So you gave r/w permission to "other", in other words to anybody, so probably that is why it does not complain.

2 minutes ago, szabesz said:

> I see. So you gave r/w permission to "other", in other words to anybody, so probably that is why it does not complain.

Yes - but if I set permissions to 660 it doesn't work:

  •  /site/config.php must be writable. Please adjust the server permissions before continuing.


During the installation process ProcessWire needs write access. However, after you have installed PW, it is time to be more strict and remove as much permission as you can on the server in question.

http://processwire.com/docs/security/file-permissions/#securing-writable-directories-and-files

"If the installer populates 777 and 666 permissions, this translates to directories and files that are readable and writable to everyone, which is not a good scenario in shared environments. But without knowing more about the hosting environment, they may be the only permissions that we know for certain will enable ProcessWire to run. In either case, please read on for more details. In most cases you can further lock down these permissions with a little more information."


Ownership appears to be user geot and group geot. Apache normally runs under another user account like 'apache' or 'http'. If you change ownership of config.php to the apache user, you won't need to use the insecure settings allowing anyone to modify the file.

By the way, using chmod 006 doesn't make a lot of sense: you're saying the owner and group of the file won't have access, only some other user.

 

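The results reported in this thread (660 rejected, 006 accepted) follow from Unix consulting exactly one permission triplet per process. The sketch below is an added example, not code from any post or from ProcessWire; the numeric ids (1000 for geot, 33 for the account the web server runs as) are constructed sample values.

```shell
#!/bin/sh
# Added illustration of the kernel's owner/group/other selection.
# All uid/gid numbers are constructed sample values (assumptions):
# 1000 = geot, 33 = the account the web server runs as.
# Root (uid 0) bypasses these checks and is not modelled.

# perm_class FILE_UID FILE_GID PROC_UID "PROC_GIDS"
# Prints the single permission triplet that applies to the process.
perm_class() {
    if [ "$3" -eq "$1" ]; then echo owner; return; fi
    for g in $4; do
        if [ "$g" -eq "$2" ]; then echo group; return; fi
    done
    echo other
}

# can_write MODE FILE_UID FILE_GID PROC_UID "PROC_GIDS"
# Succeeds only if the write bit is set in the triplet that applies;
# the other two triplets are never consulted.
can_write() {
    mode=$1; shift
    case $(perm_class "$@") in
        owner) mask=0200 ;;
        group) mask=0020 ;;
        other) mask=0002 ;;
    esac
    [ $(( 0$mode & $mask )) -ne 0 ]
}

# report LABEL MODE FILE_UID FILE_GID PROC_UID "PROC_GIDS"
report() {
    label=$1; shift
    if can_write "$@"; then verdict=writable; else verdict=denied; fi
    echo "$label mode=$1 class=$(perm_class "$2" "$3" "$4" "$5") -> $verdict"
}

report "web server, file geot:geot" 660 1000 1000 33 "33"     # 'other' has no bits
report "web server, file geot:geot" 006 1000 1000 33 "33"     # 'other' has rw
report "geot,       file geot:geot" 006 1000 1000 1000 "1000" # owner has no bits
report "web server, file chowned  " 600 33 33 33 "33"         # owner has rw
```

On a real host the inputs come from `ls -ln site/config.php` and from `id` run for the account the web server uses.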
