misc errors


Marty Walker

Hi,

I'm getting a few errors and I'm not sure what might be causing them.

First, I get:

Security Warning: /site/config.php is writable and ideally should not be.
Security Warning: /site/index.php is writable and ideally should not be.

Both files are set to 444.

The second is when I try to change the template used by a page.

 Template 'page' is not allowed

'page' being my template name. The page has no content.

Regards

Martin

Link to comment
Share on other sites

I cannot say what is causing your first issue, since if those files really are 0444, then you shouldn't see those warnings. The second one: check your parent page template settings: children -> Required Template for Children. You should have "Any" set there, now you might have some template (other than "page") set there, which only allows that template.

PS: I'm not sure, but it might be good to have another setting for default template for children? I know that pw is pretty good at guessing what template you want (based on the other children pages), but it's not always right.

Link to comment
Share on other sites

That setting is what I missed. Thanks again.

Link to comment
Share on other sites

For a production site, the recommended security is that you don't have any writable PHP files, or any directories where PHP files can be both written and executed. The only directory that ProcessWire needs writable on a production site is /site/assets/. And its htaccess file excludes any *.php files from being executed in that structure. This may seem like overdoing it to some, but PHP is the most widely used web scripting language and so it gets targeted for exploits kind of like Windows does. So I think it's always good to take some extra precautions.

These messages are only displayed to the superuser role, and they aren't a complete security check, just a few of the most obvious things. If you are still getting those messages, that means that PHP can write to the files indicated. Most likely you are in an environment where PHP is running as you (like PHPSuExec or CGI PHP). If ProcessWire is the only thing you are running on the account, then for myself, I would probably ignore the messages... but I don't want to recommend that per se, as it really depends where your comfort level is.

If you've got anything else running on the account (like WordPress for example) then I wouldn't want my /index.php to be writable (or any PHP files, or directories where PHP files can be written). The reason is that a large number of automated exploits target your root /index.php file simply because it's a known common-denominator. Making it non-writable is just a small thing you can do. Because PHP is running as you, in your case, you'd have to make it non-writable to yourself. It's up to you to decide whether you think it's necessary or not.

If you want to suppress those warning messages, grab the latest commit and add this to your /site/config.php file:

$config->showSecurityWarnings = false; 
Link to comment
Share on other sites

For the files not found in Safari's activity window, which files?

I'm not suggesting that you change all your site files around, just perhaps your /index.php so that you can prevent some future WordPress hack from appending some Viagra ad to every page in your site. :) There's any number of other things such a hack might go after, so this will only exclude one type (though the one I've seen most often). But I'm not necessarily sure this is worth your effort. Since apache can write to all your files (since it's running as you), you can find some security in making some files readable to everyone, and writable to nobody (including you). In a directory list, the permissions would look like: 

-r--r--r-- 

I don't have the proper permission numbers in my head at the moment, but you could achieve it with:

chmod uog+r-w index.php

In plain English: With (u)ser (o)ther and (g)roup, add +(r)ead permission and remove -(w)rite permission.

If you need to modify or replace /index.php (like during an upgrade) you'll want to give yourself write permission again:

chmod u+w index.php

If your site was compromised, the hacker could certainly change the permissions too, but large scale automated attacks on WordPress usually aren't so sophisticated.

Another point of view: if your WordPress gets compromised, it's not necessarily a bad thing to have your /index.php writable because most likely you will know very quickly that something has been compromised... rather than finding out weeks later when the hole may have resulted in bigger problems. In both cases where I've seen a compromised WP install write to the /index.php file, it actually just resulted in the site showing a PHP parse error... the exploit didn't check if the file ended with "?>" or not, and it tried to run HTML tags through PHP resulting in a parse error. It was a great red flag alerting the client that something was wrong. :)

Link to comment
Share on other sites
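
An audit for the conditions discussed in this thread, as an added example that is not part of any post and not ProcessWire code: it lists PHP files with any write bit set, lists PHP files inside /site/assets/, and applies the chmod from the last post. The function names and the constructed sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Paths below the root follow the thread:
# /index.php, /site/config.php and the writable /site/assets/ directory.

# List *.php files with any write bit set (owner, group or other).
# Mode bits are checked instead of `test -w`, so the result does not
# depend on which user runs the audit.
writable_php() {
    find "$1" -type f -name '*.php' \
        \( -perm -200 -o -perm -020 -o -perm -002 \) -print | sort
}

# List *.php files inside the one directory that must stay writable.
# Anything found here deserves a look, since uploads should not be PHP.
php_in_assets() {
    [ -d "$1/site/assets" ] || return 0
    find "$1/site/assets" -type f -name '*.php' -print | sort
}

# Apply the chmod from the thread and print the resulting mode string.
lock_file() {
    chmod uog+r-w "$1" && ls -l "$1" | cut -c1-10
}

# Constructed sample tree (not a real site) so the audit runs offline.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/site/assets/files" "$d/wire"
    echo '<?php' > "$d/index.php";       chmod 644 "$d/index.php"
    echo '<?php' > "$d/site/config.php"; chmod 444 "$d/site/config.php"
    echo '<?php' > "$d/wire/core.php";   chmod 444 "$d/wire/core.php"
    echo '<?php' > "$d/site/assets/files/up.php"
    chmod 444 "$d/site/assets/files/up.php"
    echo "$d"
}

root=$(make_sample)
echo "Writable PHP files:";       writable_php "$root"
echo "PHP files under assets:";   php_in_assets "$root"
echo "index.php after locking: $(lock_file "$root/index.php")"
rm -rf "$root"
```
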
