[Security] Permissions on config.php

pronto

Joined: 2007-02-06
Posts: 17
Posted: Sun, 2011-04-24 13:23

Hi Community,

I found an inconsistency in the permission settings on the config.php file.

Quote:
Filesystem permissions of config.php: Make sure no one but you / the webserver can read from (or even write to) the config.php file. Change the permissions of your config.php file with your FTP client to 444 (readable for everyone). Most shared webhosting setups don't allow restricting the permissions more than readable for everyone. In some cases you can restrict it even more.

"Make sure no one can read..." is inconsistent with "Change the permission to 444" because 444 authorizes everyone to read the file.

Is it safe to leave this file readable for everyone or should I configure a more secure permission setting like 640 for example? The owner of the file is root, so it should be safe to leave it writeable for root, isn't it?

Thx & Bye Tom

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Sun, 2011-04-24 15:41

That won't work at most hosts. It needs to be readable by the webserver; for most hosts that means making it readable by everyone, thus 444. Read the entire statement you quoted; the last sentence, "In some cases you can restrict it even more", covers your case. If you're a sysadmin, set it however you want so that your web server can still read it.
____________________________________________
Like Gallery? Like the support? Donate now!

 
pronto

Joined: 2007-02-06
Posts: 17
Posted: Sun, 2011-04-24 16:12

Thx, it works fine with www-data as owner and 640 as permission setting.

Thx & Bye Tom

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Sun, 2011-04-24 16:57

If www-data is the owner then 600 or 400 would be sufficient.

 
Dayo

Joined: 2005-11-04
Posts: 1642
Posted: Mon, 2011-04-25 09:01

'What is needed for *.php files are "644" permissions. You can set them to "444" if you are one of those paranoid types who would have trouble sleeping at night otherwise.'

This, in effect, is what the docs (correctly) say.

--
dakanji.com

 
pronto

Joined: 2007-02-06
Posts: 17
Posted: Mon, 2011-04-25 10:46

I've no trouble with write permission for the owner, but I had trouble with read permissions for everyone, because the config.php contains a lot of sensitive data. I'm the owner of the server, so we can discuss if it is possible to catch this data over the web interface. This is indeed a blind spot in my knowledge.

Thx & Bye Tom

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Mon, 2011-04-25 13:50

"everyone" in this context is other users on the server. If you are the only user on the server, then you're overthinking your problem. "everyone" doesn't mean that anyone can connect to the server and read the data. The only way those files would ever be served for people to see the contents was if PHP wasn't installed.

 
Dayo

Joined: 2005-11-04
Posts: 1642
Posted: Thu, 2011-04-28 15:09
pronto wrote:
This is indeed a blind spot in my knowledge.

Such a realisation is the first step towards enlightenment.
While you move towards nirvana, set your file permissions to 644 in the meantime and sleep easy.

--
dakanji.com
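
Added example, not part of any post in this thread: a small shell check that classifies config.php's mode along the lines discussed above (444/644 readable by other local accounts, 640 limited to owner and group, 600/400 owner only). The function names and the temporary demo file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the permission bits on a Gallery config.php.

# mode_of FILE: print the octal permission bits (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# classify_mode MODE: print who, besides the owner, can reach the file.
classify_mode() {
    other=$(( 0$1 & 07 ))          # bits for every other local account
    group=$(( (0$1 >> 3) & 07 ))   # bits for the file's group
    if [ $(( other & 02 )) -ne 0 ]; then
        echo "world-writable"      # e.g. 666: any local user can edit it
    elif [ $(( other & 04 )) -ne 0 ]; then
        echo "world-readable"      # e.g. 444, 644: any local user can read it
    elif [ $(( group & 06 )) -ne 0 ]; then
        echo "group-accessible"    # e.g. 640: owner plus the file's group
    else
        echo "owner-only"          # e.g. 600, 400
    fi
}

# audit_config FILE: print a verdict; return 1 if "other" can read or write.
audit_config() {
    mode=$(mode_of "$1") || return 2
    verdict=$(classify_mode "$mode")
    echo "$1 mode $mode: $verdict"
    case $verdict in
        world-*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Demo on a constructed file, using the modes mentioned in the thread.
demo() {
    dir=$(mktemp -d) || return 0
    : > "$dir/config.php"
    for m in 444 644 640 600 400; do
        chmod "$m" "$dir/config.php"
        audit_config "$dir/config.php" || :
    done
    rm -rf "$dir"
}
demo
```

A non-zero exit status from `audit_config` means other local accounts on the server can read or write the file; it says nothing about web visitors, who only see what PHP outputs.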