1 bennybobw Apr 04, 2006 20:49
3 johnnyv May 18, 2006 07:06
Anybody have any idea why my blog quits working when I chmod /blogs/conf/_config.php to 440? I get the error -
Warning: main(/home/XXXXXX/public_html/blogs/b2evocore/../conf/_config.php): failed to open stream: Permission denied in /home/XXXXXX/public_html/blogs/b2evocore/_main.php on line 26
Fatal error: main(): Failed opening required '/home/XXXXXX/public_html/blogs/b2evocore/../conf/_config.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/XXXXXX/public_html/blogs/b2evocore/_main.php on line 26
In case I changed anything and don't remember doing it, line 26 of my b2evocore/_main.php reads -
require_once( dirname(__FILE__).'/../conf/_config.php' );
(The X's replace my username)
I have to chmod to 444 or it won't work, and I know I'm not supposed to do that. Anyone, Anyone?
4 village_idiot May 18, 2006 08:41
johnnyv wrote:
Anybody have any idea why my blog quits working when I chmod /blogs/conf/_config.php to 440? I get the error -
Warning: main(/home/XXXXXX/public_html/blogs/b2evocore/../conf/_config.php): failed to open stream: Permission denied in /home/XXXXXX/public_html/blogs/b2evocore/_main.php on line 26
Fatal error: main(): Failed opening required '/home/XXXXXX/public_html/blogs/b2evocore/../conf/_config.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/XXXXXX/public_html/blogs/b2evocore/_main.php on line 26
In case I changed anything and don't remember doing it, line 26 of my b2evocore/_main.php reads -
require_once( dirname(__FILE__).'/../conf/_config.php' );
(The X's replace my username)
I have to chmod to 444 or it won't work, and I know I'm not supposed to do that. Anyone, Anyone?
Before I answer, why do you have to chmod 444? And you realize you stated above that you chmodded them to 440?
Those files should be and can be safely chmod'd to 664
Not necessarily for your consumption, but for anyone that might need a quick primer in UNIX permissions:
read:4
write: 2
execute: 1
u: user
g: group
o: others
664 = read/write for owner; read/write for group; read for others.
5 johnnyv May 18, 2006 09:50
I don't "have"to chmod it to 444, that's just what works. 664 works too. Looking at this link, however -
http://manual.b2evolution.net/Install_b2evolution#File_permissions
tells me that it isn't recommended, so I would assume that 664 would also not be recommended. I'm no expert, by any stretch, but the info on the above link makes sense, so who is right? 8|
John
6 village_idiot May 18, 2006 11:28
johnnyv wrote:
I don't "have"to chmod it to 444, that's just what works. 664 works too. Looking at this link, however -
http://manual.b2evolution.net/Install_b2evolution#File_permissions
tells me that it isn't recommended, so I would assume that 664 would also not be recommended. I'm no expert, by any stretch, but the info on the above link makes sense, so who is right? 8|
John
Read what it says specifically:
install wrote:
/blogs/conf/_config.php
This file is critical, because it includes your database password! It needs to be writable by the webserver during installation, if you do not want to manually edit the file. It should have the most restrictive permissions as possible: 600 would be the best, if the owner of the file is the "PHP user" (where PHP gets executed as). If you are not sure, try it in the following order: 600, 660 and (not recommended) 666. After installation the file does not need to be writable, so you could also use 400, 440 or (not recommended) 444
The not recommended settings are 666 and 444. The reasons why are explained in my short tutorial above. While it's arguable that 664 is a combination of 664, it's also arguable that short of a complete and devastating collapse of Apache's php module, you are not going to be able to "read" passwords and logins out of a php file that's written correctly. b2evolution's _config is one such correctly written file.
blueyed, the writer of that paragraph, is correct in suggesting the usage of the strictest settings one can use. 644 will NOT cause any imminent security problems, however.
As he explained above most Apache installs run as user: nobody and therefore do not work with chmod 600. The first digit controls the owner of the file -- since the user named nobody doesn't own the file, the user nobody cannot read it.
Follow his advice and you will be fine. Follow my advice if his doesn't work, you will be fine.
If you need proof, after you've set permissions, open your _config.php in a browser window. See any passwords? Nope :) That's the beauty of php.
7 blueyed May 18, 2006 18:00
644 will NOT cause any imminent security problems, however. [...] If you need proof, after you've set permissions, open your _config.php in a browser window. See any passwords? Nope
The problem is, that if the file is world writable/readable _and_ there's no open_basedir restriction for the PHP installation on the server, other users on the shared host can change/read the passwords..!
They could include( '/var/www/someotheruser/public_html/conf/_config.php' ) and echo the DB password.
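To make village_idiot's permission primer, his point about which user PHP runs as, and blueyed's warning about world-readable files concrete, here is an added Python example. It is not code from this thread or from b2evolution; the uid/gid values (1000 for the hosting account, 65534 for "nobody") are constructed for illustration, and root is deliberately ignored since PHP never runs as root on a sane host.

```python
import os
import stat

# The three permission bits from the primer: read=4, write=2, execute=1.
BITS = {"r": 4, "w": 2, "x": 1}

# Constructed ids for the worked cases (not from the thread): the hosting
# account that owns the files, and the "nobody" user Apache/PHP often runs as.
ACCOUNT_UID = 1000
ACCOUNT_GID = 1000
NOBODY_UID = 65534


def decode_mode(mode_str):
    """Turn an octal string such as '664' into 'rw-rw-r--' (owner, group, others)."""
    digits = [int(c) for c in mode_str[-3:]]
    if len(digits) != 3 or any(d > 7 for d in digits):
        raise ValueError("expected three octal digits, got %r" % mode_str)
    return "".join(
        "".join(ch if d & bit else "-" for ch, bit in BITS.items()) for d in digits
    )


def permission_class(file_uid, file_gid, uid, gids):
    """Index of the digit the kernel consults: 0 owner, 1 group, 2 others.

    Exactly one class applies: the owner digit if the process owns the file,
    otherwise the group digit if it shares the file's group, otherwise the
    others digit. That is why 600 gives a PHP process running as "nobody"
    nothing at all when "nobody" does not own _config.php.
    """
    if uid == file_uid:
        return 0
    if file_gid in gids:
        return 1
    return 2


def effective_perms(mode_str, file_uid, file_gid, uid, gids):
    """Set of 'r'/'w'/'x' a non-root process with (uid, gids) gets on the file."""
    digit = int(mode_str[-3:][permission_class(file_uid, file_gid, uid, gids)])
    return {ch for ch, bit in BITS.items() if digit & bit}


def audit(mode_str, file_uid, file_gid, php_uid, php_gids):
    """Answer the two questions in the thread: can PHP read it, and can everyone else?"""
    php = effective_perms(mode_str, file_uid, file_gid, php_uid, php_gids)
    others = int(mode_str[-1])
    return {
        "mode": decode_mode(mode_str),
        "php_can_read": "r" in php,
        "php_can_write": "w" in php,
        # The bits blueyed warns about: any local account on the box gets these.
        "world_readable": bool(others & BITS["r"]),
        "world_writable": bool(others & BITS["w"]),
    }


def audit_file(path, php_uid, php_gids):
    """Run audit() against a real file's owner, group and mode bits."""
    st = os.stat(path)
    mode_str = "%03o" % stat.S_IMODE(st.st_mode)
    return audit(mode_str, st.st_uid, st.st_gid, php_uid, php_gids)


if __name__ == "__main__":
    # johnnyv's situation: files owned by the account, PHP running as "nobody".
    for mode in ("600", "640", "644", "664", "666"):
        print(mode, audit(mode, ACCOUNT_UID, ACCOUNT_GID, NOBODY_UID, {NOBODY_UID}))
```

Running the demo shows why 440 failed for johnnyv (PHP is neither owner nor in the group, so it lands on the "others" digit, which is 0) and why 444 and 644 work only by handing read access to every local account. A 640 owned by the account with "nobody" added to the account's group, or a 600 owned by the PHP user itself, satisfies both constraints; `audit_file()` applies the same check to a real path.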
8 johnnyv May 18, 2006 19:32
Thanks for your help. I can sleep at night now, or at least during the day ...
9 village_idiot May 18, 2006 20:13
blueyed, I think you mean world readable but your point is well taken - I never considered that. Unfortunately, sometimes the web server setup requires that the file be chmod'd that way.
For instance, THIS web server. I know this because my own hosting is on the same box.
Not anyone who goes to the site can write to it: a webbrowser cannot write files/directories (at least through normal HTTP).
BUT: the recommendations are wrong.. you should never make files like _config.php readable by "world". Because that means, that anyone, who is able to reach the file in another way than through the browser, can WRITE or READ it.
Often, the problem is just that PHP runs as user "nobody" and therefore could not access/read the file, if you would chmod it 660 or 600 for example (which is the recommended setting).
See the new manual that gets currently built: http://manual.b2evolution.net/Install_b2evolution#File_permissions
Please, if you have any suggestions or clarifications, register on the Wiki and just edit it.
Thanks for pointing this out.