Jump to content

config.php install warnings and permissions

Recommended Posts


Context: I use serverpilot to setup and administrate my server patches for my hosted sites. As with many other serving companies, they write tutorials to setup software on their service. I asked them to provide a PW installation instruction and they have obliged however hitting on the following issue on installation with their default linux user:



"When I worked through the installation, I saw the .htaccess warning also, but that resolved itself after I clicked "Check Again." The second issue was the config.php warning. I guess we were thinking the installer would go through and set the correct file and directory permissions when it asked for them, because almost nothing has the 755/644 values set:

serverpilot:~/apps/processwire/public/site$ ll
total 44
drwxrwxr-x+ 5 serverpilot serverpilot 4096 Jun 14 16:03 ./
drwxrwxr-x+ 4 serverpilot serverpilot 4096 Jun 14 16:03 ../
drwxrwxr-x+ 6 serverpilot serverpilot 4096 Jun 14 16:03 assets/ - 775
-rw-rw-r--+ 1 serverpilot serverpilot 2598 Jun 14 16:03 config.php - 664
drwxr-xr-x+ 4 serverpilot serverpilot 4096 Jun 14 16:03 modules/ - 755
drwxrwxr-x+ 5 serverpilot serverpilot 4096 May 5 17:43 templates/ - 775

serverpilot: /srv/users/serverpilot/apps/processwire/public# find . -perm -775 | wc -l
serverpilot: :/srv/users/serverpilot/apps/processwire/public# find . -perm -664 | wc -l

We can instruct people it's safe to ignore the warning, because ServerPilot's fACL's will prevent any security issues; we just thought a more elegant solution would be to have the correct permissions set by the installer to allay any concerns people might have. If the dev team prefers not to make any changes, we of course understand."


Basically at the end of the installation there is a warning to secure your config file which could have been done already by the system, I believe they're saying. Is there anything we can do with this, or should i ask them to carry on with the caveat that they should but in a bit of text saying this warning is normal and can be sorted in teh follow ways etc...?

Interested in people's opinion.

Share this post

Link to post
Share on other sites

Maybe here's a bit more information about it: https://processwire.com/docs/security/file-permissions/#securing-your-site-config.php-file

Also the installer option for file/folder permissions wasn't present in earlier versions of processwire if I recall correctly(https://github.com/ryancramerdesign/ProcessWire/commit/f7c308566bebf0d39e8ec688d1e7795bf0c17f50) and it seems like it was only added to supply the values into the config.php and not to do any permission changes on installation. I think that's the confusion here: That modules/assets/templates weren't updated with the chmod setting supplied in the installer.

Making the config.php readonly by default is not something i would advice, because it can firstly brick your installation and secondly it will prevent any runtime changes to this file and there are modules out there which do write to that file.

So it would probably be nice to have the option, that the installer does also clean up any incorrect file/folder permission when installing – possibly even by default, because it'll show incorrect settings much earlier and not if the first file uploads do fail or something like that. Making the config.php readonly should still be considered a manual or at least a opt-in task.

  • Like 1

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By snck
      for a project I have pages with different “content areas“ that can be edited only by specific user roles. In the past I setup a fieldset (tab) containing all the fields that should be available to only one specific group of users and set the fields' view and edit permissions (in the Access tab) accordingly. The result was as expected: Users assigned to the specific role could see the tab, click on it, edit content, users without the role could not see the tab. After updating this installation to 3.0.148 yesterday I wanted to setup another tab following the same principle, but I have no "Access" tab for the fieldset to limit access to the specific role. I even tried cloning an existing (and still working) fieldset. The existing fieldset has some template overrides (screenshot attached) that lead to the desired behaviour, but I am not able to reproduce these settings because there is not "Access" tab for my fieldset in template context either.
      Is this a bug in 3.0.148? Has the fieldset fieldtype changed? Am I missing anything here?
      I am glad to hear from you guys.

    • By fruid
      this is the first time I'm using ProcessWire.
      I thought I get how fields, template and pages work, but when I create a template in the CMS, it doesn't generate any file in site/templates/
      Then I thought I might need to create a blank file myself manually on the FTP (which already seems odd to me).
      Once I did that, I tried to add fields to the template but again, doesn't write to the php file.
      When I create a new page and apply said template to it, the page stay blank.
      AFAIK the mod_rewrite of the apache is on and I went for the worst case scenario described here https://processwire.com/docs/security/file-permissions/ and set all file-permissions for future files to 0666 and folders to 0777 in the config.php
      What am I not getting and what am I doing wrong?
      Help is appreciated, stay save everybody,
    • By MarkE
      Having just wasted the best part of a day debugging an access issue because I hadn't realised that page-edit-created negated any related page-edit permissions, could I suggest that a note to this effect is included in the default title. I have amended the title on my system to read:
      Edit only pages user has created (IMPORTANT: This will negate any related page-edit permission - including permissions granted to a user by other roles) ..although it may be possible to make it briefer while not losing clarity and impact.
    • By lenoir
      Is it possible to let people edit a page without having to have a user-role?
      My case is the following:
      Visitors fill in a form (Formbuilder) which is saved to pages. They get a confirmation email which could contain a unique editing link. In case they need to update some information, they can click on this link, edit the fields and save. 
      Am I totally off? Is there a better practice? 
    • By DV-JF
      I'm using this kind of setup (https://processwire.com/blog/posts/language-access-control-and-more-special-permissions/#language-page-edit-permissions) in order to control the page edit permissions. Now I'm wondering if it's possible to hide the "none-ediable" language-tabs instead of striking them through.

      Many greets...
  • Create New...