Topic: Setting the File Permissions in Noah's Classifieds
Author: noahsv8 (Administrator)
« on: April 03, 2010, 05:38:43 PM »

  Setting up file permissions

Noah's Classifieds must store the uploaded pictures and media files, write the error log and cache the RSS feed. To be able to do this, Noah's needs sufficient permissions to write these files. At the same time, leaving the permissions too loose can introduce security risks.

Noah's Classifieds is executed by PHP, so the PHP process needs to be able to write to these files. The PHP process usually runs with the permissions of the webserver, so the webserver needs to be able to write to these files.

The following permissions must be modified for the respective Noah's Classifieds functions to work:

    * pictures/cats and pictures/listings/ directories: all files in them, including the directories themselves, must be writeable by the web process for Noah's Classifieds to handle image uploads.
    * upload directory: this directory must be writeable by the web process for the media file upload to work
    * feedcreator directory: this directory must be writeable by the web process for the RSS feature to work
    * logs directory: this directory must be writeable by the web process for the error logging to work
    * themes/modern/css and themes/classic/css directory: these directories must be readable by the public for style sheets to display. 755 works fine.

As admin, you can check the necessary file permissions at any time by clicking on the Check menu item.

During the installation, the install script attempts to create a file called config.php in the app directory. This file is used to store the database access parameters. Without it, Noah's cannot connect to the database and will not work at all. If the install script does not have enough permissions to create it, the install wizard displays the code in the browser, and you must copy and paste that content into a config.php that you create manually.

Unix

This will apply if you install Noah's Classifieds on a Linux, MacOS X or other Unixoid system. It is most probably also true for rented web space.

Note: under Linux, additional file system ACLs (FACLs) may apply; see the commands "getfacl" and "setfacl". File permissions as described below may be meaningless if the FACLs grant no rights.

File Permissions, a short reminder

This is not the place to explain the UNIX file permission system in detail. See Wikipedia for this. Here is just a short refresher:

    * Permissions for a file depend on the file's owner and group and on the user who tries to access the file
    * There are permissions for read, write and execute
    * Each UNIX process runs with the permissions of an OS user and his groups
    * The web server is a UNIX process
    * PHP usually runs as part of the web server
    * Noah's Classifieds will run with the permissions of the PHP processor
    * Noah's Classifieds needs read, write and execute permissions for directories it needs to create files in
    * Noah's Classifieds needs read and write permissions for files it needs to write to
    * Noah's Classifieds needs read only permissions for files and directories it doesn't need to write to

To find the user and group your PHP process (web server) runs under, you can run the following PHP script:



<?php
if (function_exists('posix_geteuid')) {
    // use posix to get the current effective uid and gid
    $uid = posix_geteuid();
    $usr = posix_getpwuid($uid);
    $user = $usr['name'];
    $gid = posix_getegid();
    $grp = posix_getgrgid($gid);
    $group = $grp['name'];
} else {
    // try to create a file and read its ids
    $tmp = tempnam('/tmp', 'check');
    $uid = fileowner($tmp);
    $gid = filegroup($tmp);

    // try to run ls on it; split on runs of whitespace because ls pads its columns
    $out = shell_exec('ls -l ' . escapeshellarg($tmp));
    $lst = preg_split('/\s+/', trim($out));
    $user = $lst[2];
    $group = $lst[3];
    unlink($tmp);
}

echo "Your PHP process seems to run with the UID $uid ($user) and the GID $gid ($group)\n";
?>

Alternatively, you can use a short script with phpinfo(); see the User/Group section in the output:

<?php
phpinfo();
?>

Common Permissions

Here are the most commonly used values for setting permissions on directories and files.

 

 

directories   files   result
0700          0600    read/write for owner only. Owner must be the same as the PHP process user.
0770          0660    read/write for owner and group. The PHP process user needs to be in the used group.
0777          0666    read/write for everyone. Dangerous: everybody with access to the server may write and delete your files. Use only as last resort on trusted machines.

 

 

Which permissions to set?

So, how should you set the permissions of the directories mentioned above? In general you should try to set the permissions as restrictive as possible, but there is no general rule which permissions you need to set for your system. On a Linux server with a conventional configuration, however, executing the following commands will do the job:

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 711 {} \;
find pictures upload logs feedcreator -type f -exec chmod 666 {} \;
find pictures upload logs feedcreator -type d -exec chmod 777 {} \;
chmod 755 lang themes gorum/captcha/fonts ecomm/gateways
find themes -name css -type d -exec chmod 755 {} \;

If you have root (superuser) rights, you can change the owner of files and directories. This means you can change the owner of the Noah's Classifieds files to the web server user (e.g. www-data, nobody or apache) and set the permissions to web-server-only access, e.g. 0600 for files and 0700 for directories.

If you are a normal user, you may be a member of the web server group and can change the files to be owned by this group. Then set the files and directories to be writable by this group, e.g. 0660 for files and 0770 for directories.

If you are alone on the server or running in a completely trusted environment, you can simply change the permissions to give everyone access, e.g. 0666 for files and 0777 for directories.

If you're running on a shared web server it is recommended to contact your web server administrator or hosting support and ask for help and recommendations. Point them to this page and they should know what you need to do.

How to set permissions?

On the command line use chmod for changing permissions, chown for changing the owner of files and dirs and chgrp for changing the group. (Note that chown and chgrp may not be available or function as expected if you use a shared web hosting provider.)

When accessing your server through FTP, consult the manual of your FTP tool. Most graphical FTP tools have a dialog to set permissions (often to be found in the right-click context menu).

On some UN*X-like systems, you may be able to use filesystem ACLs to allow the PHP user to write to the files as well. For Sun's ZFS, see the Solaris ZFS Administrator's guide for details. For POSIX-draft compliant filesystems, like Linux ext2/3 or Sun's UFS on Solaris 8 or later, see the man pages for setfacl and getfacl.

Check with your system administrator – some backup systems will ignore ACLs on files. If available, ACLs are more secure than adding the PHP user to your group, giving away the files to the PHP user, or making the files world-writable.
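The chmod commands in the post leave pictures, upload, logs and feedcreator world-writable and everything else at 644/711/755. The following shell functions are an added example, not part of the original post or of Noah's Classifieds: they audit an installation for world-writable entries outside those four directories and for data directories the current user cannot write. The function names are hypothetical, and the installation root is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the post): permission audit for a Noah's Classifieds tree.
# Directory names are taken from the post; all function names are hypothetical.

# Top-level directories the post allows to be written by the web process.
WRITABLE_DIRS="pictures upload logs feedcreator"

# Print every file or directory under root $1 that has the other-write bit set.
world_writable() {
    (cd "$1" && find . \( -type f -o -type d \) -perm -0002 -print \
        | sed 's|^\./||' | LC_ALL=C sort)
}

# Succeed if relative path $1 is one of WRITABLE_DIRS or lies inside one.
in_writable_dir() {
    for d in $WRITABLE_DIRS; do
        case "$1" in
            "$d"|"$d"/*) return 0 ;;
        esac
    done
    return 1
}

# Print world-writable paths that are NOT under the expected directories,
# for example app/config.php, which holds the database access parameters.
unexpected_world_writable() {
    world_writable "$1" | while IFS= read -r p; do
        in_writable_dir "$p" || printf '%s\n' "$p"
    done
}

# Print the data directories that are missing or not writable by the user
# running this script. Run it as the web server user to check what PHP can do.
unwritable_data_dirs() {
    for d in pictures/cats pictures/listings upload logs feedcreator; do
        [ -d "$1/$d" ] && [ -w "$1/$d" ] || printf '%s\n' "$d"
    done
}
```

Both functions print nothing when the tree matches the layout the post describes; any path printed by unexpected_world_writable is writable by every local account on the server.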