config.php install warnings and permissions

[benbyf]

HELLO ALL!

Context: I use serverpilot to setup and administrate my server patches for my hosted sites. As with many other serving companies, they write tutorials to setup software on their service. I asked them to provide a PW installation instruction and they have obliged however hitting on the following issue on installation with their default linux user:

Issue:

Quote

"When I worked through the installation, I saw the .htaccess warning also, but that resolved itself after I clicked "Check Again." The second issue was the config.php warning. I guess we were thinking the installer would go through and set the correct file and directory permissions when it asked for them, because almost nothing has the 755/644 values set:

serverpilot:~/apps/processwire/public/site$ ll
total 44
drwxrwxr-x+ 5 serverpilot serverpilot 4096 Jun 14 16:03 ./
drwxrwxr-x+ 4 serverpilot serverpilot 4096 Jun 14 16:03 ../
drwxrwxr-x+ 6 serverpilot serverpilot 4096 Jun 14 16:03 assets/ - 775
-rw-rw-r--+ 1 serverpilot serverpilot 2598 Jun 14 16:03 config.php - 664
drwxr-xr-x+ 4 serverpilot serverpilot 4096 Jun 14 16:03 modules/ - 755
drwxrwxr-x+ 5 serverpilot serverpilot 4096 May 5 17:43 templates/ - 775

serverpilot: /srv/users/serverpilot/apps/processwire/public# find . -perm -775 | wc -l
213
serverpilot: :/srv/users/serverpilot/apps/processwire/public# find . -perm -664 | wc -l
1676

We can instruct people it's safe to ignore the warning, because ServerPilot's fACL's will prevent any security issues; we just thought a more elegant solution would be to have the correct permissions set by the installer to allay any concerns people might have. If the dev team prefers not to make any changes, we of course understand."

 

Basically at the end of the installation there is a warning to secure your config file which could have been done already by the system, I believe they're saying. Is there anything we can do with this, or should i ask them to carry on with the caveat that they should but in a bit of text saying this warning is normal and can be sorted in teh follow ways etc...?

Interested in people's opinion.

[LostKobrakai]

Maybe here's a bit more information about it: https://processwire.com/docs/security/file-permissions/#securing-your-site-config.php-file

Also the installer option for file/folder permissions wasn't present in earlier versions of processwire if I recall correctly(https://github.com/ryancramerdesign/ProcessWire/commit/f7c308566bebf0d39e8ec688d1e7795bf0c17f50) and it seems like it was only added to supply the values into the config.php and not to do any permission changes on installation. I think that's the confusion here: That modules/assets/templates weren't updated with the chmod setting supplied in the installer.

Making the config.php readonly by default is not something i would advice, because it can firstly brick your installation and secondly it will prevent any runtime changes to this file and there are modules out there which do write to that file.

So it would probably be nice to have the option, that the installer does also clean up any incorrect file/folder permission when installing – possibly even by default, because it'll show incorrect settings much earlier and not if the first file uploads do fail or something like that. Making the config.php readonly should still be considered a manual or at least a opt-in task.