benbyf

config.php install warnings and permissions


HELLO ALL!

Context: I use ServerPilot to set up and administrate my server patches for my hosted sites. As with many other serving companies, they write tutorials to set up software on their service. I asked them to provide a PW installation instruction and they have obliged, however hitting on the following issue on installation with their default Linux user:

Issue:

Quote

"When I worked through the installation, I saw the .htaccess warning also, but that resolved itself after I clicked "Check Again." The second issue was the config.php warning. I guess we were thinking the installer would go through and set the correct file and directory permissions when it asked for them, because almost nothing has the 755/644 values set:

serverpilot:~/apps/processwire/public/site$ ll
total 44
drwxrwxr-x+ 5 serverpilot serverpilot 4096 Jun 14 16:03 ./
drwxrwxr-x+ 4 serverpilot serverpilot 4096 Jun 14 16:03 ../
drwxrwxr-x+ 6 serverpilot serverpilot 4096 Jun 14 16:03 assets/ - 775
-rw-rw-r--+ 1 serverpilot serverpilot 2598 Jun 14 16:03 config.php - 664
drwxr-xr-x+ 4 serverpilot serverpilot 4096 Jun 14 16:03 modules/ - 755
drwxrwxr-x+ 5 serverpilot serverpilot 4096 May 5 17:43 templates/ - 775

serverpilot: /srv/users/serverpilot/apps/processwire/public# find . -perm -775 | wc -l
213
serverpilot: :/srv/users/serverpilot/apps/processwire/public# find . -perm -664 | wc -l
1676

We can instruct people it's safe to ignore the warning, because ServerPilot's fACL's will prevent any security issues; we just thought a more elegant solution would be to have the correct permissions set by the installer to allay any concerns people might have. If the dev team prefers not to make any changes, we of course understand."

 

Basically at the end of the installation there is a warning to secure your config file, which could have been done already by the system, I believe they're saying. Is there anything we can do with this, or should I ask them to carry on with the caveat that they should put in a bit of text saying this warning is normal and can be sorted in the following ways etc...?

Interested in people's opinion.


Maybe here's a bit more information about it: https://processwire.com/docs/security/file-permissions/#securing-your-site-config.php-file

Also the installer option for file/folder permissions wasn't present in earlier versions of ProcessWire if I recall correctly (https://github.com/ryancramerdesign/ProcessWire/commit/f7c308566bebf0d39e8ec688d1e7795bf0c17f50) and it seems like it was only added to supply the values into the config.php and not to do any permission changes on installation. I think that's the confusion here: that modules/assets/templates weren't updated with the chmod setting supplied in the installer.

Making the config.php readonly by default is not something I would advise, because it can firstly brick your installation and secondly it will prevent any runtime changes to this file and there are modules out there which do write to that file.

So it would probably be nice to have the option that the installer also cleans up any incorrect file/folder permissions when installing – possibly even by default, because it'll show incorrect settings much earlier and not when the first file uploads fail or something like that. Making the config.php readonly should still be considered a manual or at least an opt-in task.

  • Like 1
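
An added example (not from the thread, ServerPilot or ProcessWire): a POSIX shell audit that lists entries under site/ whose mode differs from the 755/644 values discussed above and flags a config.php that is group- or world-writable. The function names and the constructed sample tree are assumptions; it uses exact-match `-perm 755` because `-perm -775`, as in the quoted output, counts entries that have at least those bits set.

```shell
#!/bin/sh
# Added example; function names and the sample tree are hypothetical.

# List directories whose mode is not exactly $2 (default 755) and regular
# files whose mode is not exactly $3 (default 644). "-perm MODE" with no
# leading "-" is an exact match.
list_perm_mismatches() {
    find "$1" -type d ! -perm "${2:-755}" -print | sed 's/^/dir  /'
    find "$1" -type f ! -perm "${3:-644}" -print | sed 's/^/file /'
}

# Number of mismatching entries, for use in an install check.
count_perm_mismatches() {
    list_perm_mismatches "$@" | wc -l | tr -d ' '
}

# Succeeds when the given file has the group-write or other-write bit set.
config_is_group_or_world_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Constructed sample mirroring the modes in the quoted listing:
# site/ 775, assets/ 775, modules/ 755, templates/ 775, config.php 664.
make_sample_site() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/site/assets" "$d/site/modules" "$d/site/templates"
    : > "$d/site/config.php"
    chmod 775 "$d/site" "$d/site/assets" "$d/site/templates"
    chmod 755 "$d/site/modules"
    chmod 664 "$d/site/config.php"
    echo "$d/site"
}

sample=$(make_sample_site)
list_perm_mismatches "$sample"
echo "mismatches: $(count_perm_mismatches "$sample")"
if config_is_group_or_world_writable "$sample/config.php"; then
    echo "config.php is writable by group or others"
fi
rm -rf "${sample%/site}"
```

Mode bits do not show the ACL entries indicated by the `+` in the quoted listing; inspect those separately with `getfacl`.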
