Joomla! Discussion Forums



It is currently Wed Nov 25, 2009 11:55 pm (All times are UTC )

 


 Post subject: Interesting problem
Posted: Tue Oct 30, 2007 3:15 am 
Joomla! Apprentice

Joined: Sat Oct 27, 2007 8:33 pm
Posts: 19
Site one settings

Global configuration: Globals set to OFF
Config.php: if(!defined('RG_EMULATION')) { define( 'RG_EMULATION', 0 ); }
Globals.php:
if( defined( 'RG_EMULATION' ) === false ) {
	// The configuration file is old so default to on
	define( 'RG_EMULATION', 0 );
}

Site two settings

Global configuration: Globals set to OFF
Config.php: if(!defined('RG_EMULATION')) { define( 'RG_EMULATION', 0 ); }
Globals.php:
if( defined( 'RG_EMULATION' ) === false ) {
	// The configuration file is old so default to on
	define( 'RG_EMULATION', 0 );
}

As you can see, exactly the same.

But in site one I get a warning in the admin interface that globals are on instead of off.

What seems to be the problem?


 Post subject: Re: Interesting problem
Posted: Tue Oct 30, 2007 3:38 am 
Joomla! Explorer

Joined: Thu Aug 25, 2005 3:29 pm
Posts: 347
Location: Adelaide, South Australia
Yoda, are they on the same server / hoster?  Not saying it is but it could be that one has turned Globals ON and the other has them off and your local settings are being ignored.

_________________
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
Do Not PM me looking for Help! Un-requested Help PM's will be Deleted Unread, and your ID added to my Ignore List


 Post subject: Re: Interesting problem
Posted: Tue Oct 30, 2007 4:11 am 
Joomla! Apprentice

Joined: Sat Oct 27, 2007 8:33 pm
Posts: 19
ilox wrote:
Yoda, are they on the same server / hoster?  Not saying it is but it could be that one has turned Globals ON and the other has them off and your local settings are being ignored.


Actually they are on different servers.


 Post subject: Re: Interesting problem
Posted: Tue Oct 30, 2007 5:34 am 
Joomla! Guru

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 732
Location: Wisconsin USA
Check the php info and see if php is running as cgi on the first site. 

I recently moved a site from one server to another. Same hosting service and register globals is on by default on both servers.  After moving the site Joomla complained that register globals was on.

Php was running as cgi on the new server and I had to place local php.ini files in the site root and the admin directory. Well I actually used a script to place a php.ini (BT's Scripts) in all directories. That solved the problem.

Something to look at anyway.

_________________
Phil


 Post subject: Re: Interesting problem
Posted: Tue Oct 30, 2007 5:36 am 
Joomla! Enthusiast

Joined: Wed Jun 27, 2007 3:00 am
Posts: 113
Location: Taiwan
Forgive me if I've gone off half-cocked, as it were, but if I'm not mistaken all those settings you've listed apply to 'register globals emulation', a feature/function of Joomla!, and perhaps the message you're getting refers to php's register_globals setting?

Just a thought, anyway (fyi - if this is the case, you probably want this link http://help.joomla.org/component/option,com_easyfaq/task,view/id,101/Itemid,268/)

hope you find your problem,

Simon
:)


 Post subject: Re: Interesting problem
Posted: Tue Oct 30, 2007 5:42 am 
Joomla! Apprentice

Joined: Sat Oct 27, 2007 8:33 pm
Posts: 19
Should I make some changes to my files, or will it function properly with settings like this, everything set to zero?


 Post subject: Re: Interesting problem
Posted: Tue Oct 30, 2007 5:55 am 
Joomla! Enthusiast

Joined: Wed Jun 27, 2007 3:00 am
Posts: 113
Location: Taiwan
It'll certainly function like that, I'm sure.

However, if it was my site, I'd do whatever is necessary to make sure register_globals and Joomla!'s 'register globals emulation' are off.

I'm not an expert on these things, but I've read volumes on the security forums here and elsewhere, and it seems that a huge percentage of all potential exploits can be stopped in their tracks if this setting is off.  It can cause some compatibility issues with some software as I understand it, though I have to say I have no experience of this - nothing I've tried to use has required rg = on, and I've played with plenty.  In addition, again as I understand it, it seems to me that any extensions etc. which do require this setting are probably not exactly masterpieces of php coding, and may be best avoided anyway...

I'd find a way to make sure it's off.  If it's the 'register globals emulation' then I'm not sure what's up (still have most of my sites on 1.0.12, but as far as I can see those settings you list should do the job on 1.0.13), but if it's php's register_globals setting you'll be needing to do something somewhere with either php.ini file(s) or .htaccess, depending on your environment.  Sorry I can't be more specific on that.  Follow the links - here's another good one http://forum.joomla.org/index.php/topic,75990.0.html  There are a million discussions of this topic on these boards (almost literally)!

good luck!

Simon
:)


 Post subject: Re: Interesting problem
Posted: Tue Oct 30, 2007 3:13 pm 
Joomla! Apprentice

Joined: Sat Oct 27, 2007 8:33 pm
Posts: 19
simon_w wrote:
It'll certainly function like that, I'm sure.

However, if it was my site, I'd do whatever is necessary to make sure register_globals and Joomla!'s 'register globals emulation' are off.

I'm not an expert on these things, but I've read volumes on the security forums here and elsewhere, and it seems that a huge percentage of all potential exploits can be stopped in their tracks if this setting is off.  It can cause some compatibility issues with some software as I understand it, though I have to say I have no experience of this - nothing I've tried to use has required rg = on, and I've played with plenty.  In addition, again as I understand it, it seems to me that any extensions etc. which do require this setting are probably not exactly masterpieces of php coding, and may be best avoided anyway...

I'd find a way to make sure it's off.  If it's the 'register globals emulation' then I'm not sure what's up (still have most of my sites on 1.0.12, but as far as I can see those settings you list should do the job on 1.0.13), but if it's php's register_globals setting you'll be needing to do something somewhere with either php.ini file(s) or .htaccess, depending on your environment.  Sorry I can't be more specific on that.  Follow the links - here's another good one http://forum.joomla.org/index.php/topic,75990.0.html  There are a million discussions of this topic on these boards (almost literally)!

good luck!

Simon
:)


Yes, I read a lot of them but still couldn't figure out the problem. I need to change my host. This host with register globals really sucks and this one where everything is ok is great. Fast, secure and really great. I will transfer my site asap.

Thank you very much, Simon.


 Post subject: Re: Interesting problem
Posted: Tue Oct 30, 2007 5:58 pm 
Joomla! Guru

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 732
Location: Wisconsin USA
If the server in question has register globals set to on, then you need to turn it off for your site. There are two ways of doing this.

If the server is running php as cgi, which Joomla admin system, system info, php info, server API will tell you, you must at least place a file named php.ini with the line register_globals = Off in it in the root directory of your Joomla site and you must also place the same file in the joomla administrator directory. This will turn off register globals.

You can use the c-panel file manager to create a text file named php.ini in both directories.  I would also recommend placing the file php.ini in every folder that has php files in it.

The same goes for if the server is running php as an apache module.  Joomla will tell you so.

In this case you must add the line php_flag register_globals off to your .htaccess file in the Joomla root directory to turn off register globals.

Another option is to ask tech support to turn off register globals on the server, but they are unlikely to do that in my experience.

There is a wealth of info on this topic and other security topics in the help site and faq's.  It goes a long way to helping make your site secure.

_________________
Phil
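
The procedure in the post above, written as an idempotent shell sketch. This is an added example and not part of the thread; the function names are hypothetical, and it assumes the host honours a per-directory php.ini under CGI or php_flag in .htaccess under the Apache module.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes the host honours per-directory php.ini (CGI) or php_flag in
# .htaccess (Apache module), as the posts above report.

# set_ini KEY VALUE FILE: leave exactly one "KEY = VALUE" line in FILE,
# keeping every other line (and the file's owner/mode) untouched.
set_ini() {
    key=$1 value=$2 file=$3
    touch "$file"
    tmp=$(mktemp) || return 1
    { grep -Ev "^[[:space:]]*${key}[[:space:]]*=" "$file" || true; } > "$tmp"
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# set_htaccess_flag FILE: replace any php_flag register_globals line with "off".
set_htaccess_flag() {
    file=$1
    touch "$file"
    tmp=$(mktemp) || return 1
    { grep -Eiv '^[[:space:]]*php_flag[[:space:]]+register_globals([[:space:]]|$)' "$file" || true; } > "$tmp"
    printf 'php_flag register_globals off\n' >> "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# disable_register_globals SITE_ROOT SERVER_API
# SERVER_API is the "Server API" string shown by phpinfo / Joomla System Info.
disable_register_globals() {
    root=$1 sapi=$2
    case $sapi in
        *[Cc][Gg][Ii]*)     # PHP as CGI: php.ini in / and /administrator
            for dir in "$root" "$root/administrator"; do
                [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
                set_ini register_globals Off "$dir/php.ini"
            done ;;
        *[Aa]pache*)        # PHP as Apache module: .htaccess in the site root
            set_htaccess_flag "$root/.htaccess" ;;
        *)  echo "unrecognised Server API: $sapi" >&2; return 2 ;;
    esac
}
```

After running it, reload the Joomla System Info page and confirm the register_globals value actually changed, and re-check safe_mode and the session directory, which the later posts in this thread found affected by the local php.ini.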


 Post subject: Re: Interesting problem
Posted: Tue Nov 06, 2007 12:48 am 
Joomla! Apprentice

Joined: Sat Oct 27, 2007 8:33 pm
Posts: 19
PhilD wrote:
If the server in question has register globals set to on, then you need to turn it off for your site. There are two ways of doing this.

If the server is running php as cgi, which Joomla admin system, system info, php info, server API will tell you, you must at least place a file named php.ini with the line register_globals = Off in it in the root directory of your Joomla site and you must also place the same file in the joomla administrator directory. This will turn off register globals.

You can use the c-panel file manager to create a text file named php.ini in both directories.  I would also recommend placing the file php.ini in every folder that has php files in it.

The same goes for if the server is running php as an apache module.  Joomla will tell you so.

In this case you must add the line php_flag register_globals off to your .htaccess file in the Joomla root directory to turn off register globals.

Another option is to ask tech support to turn off register globals on the server, but they are unlikely to do that in my experience.

There is a wealth of info on this topic and other security topics in the help site and faq's.  It goes a long way to helping make your site secure.



Thanks a lot Phil. I will try to create a php.ini file and copy paste register_globals = Off inside. I will report here my results. Hope you see this topic again. Tnx


 Post subject: Re: Interesting problem
Posted: Tue Nov 06, 2007 12:53 am 
Joomla! Apprentice

Joined: Sat Oct 27, 2007 8:33 pm
Posts: 19
PhilD wrote:
If the server in question has register globals set to on, then you need to turn it off for your site. There are two ways of doing this.

If the server is running php as cgi, which Joomla admin system, system info, php info, server API will tell you, you must at least place a file named php.ini with the line register_globals = Off in it in the root directory of your Joomla site and you must also place the same file in the joomla administrator directory. This will turn off register globals.

You can use the c-panel file manager to create a text file named php.ini in both directories.  I would also recommend placing the file php.ini in every folder that has php files in it.

The same goes for if the server is running php as an apache module.  Joomla will tell you so.

In this case you must add the line php_flag register_globals off to your .htaccess file in the Joomla root directory to turn off register globals.

Another option is to ask tech support to turn off register globals on the server, but they are unlikely to do that in my experience.

There is a wealth of info on this topic and other security topics in the help site and faq's.  It goes a long way to helping make your site secure.



Hey Phil my friend register globals are past  :D

I did what you said. I created a php.ini file with only one line, register globals off and sent it to root directory of my site and to administrator directory. I logged on admin backend and the warning is gone!!! Dust in the wind.

But, wait a minute. Looks like I have safe mode turned on???

Khmm.

Is that ok?


 Post subject: Re: Interesting problem
Posted: Tue Nov 06, 2007 12:59 am 
Joomla! Apprentice

Joined: Sat Oct 27, 2007 8:33 pm
Posts: 19
This is the situation.

With php.ini in root and admin directory I have safe mode turned on and my session tmp/ directory becomes unwritable.

When I deleted both of the php.ini files, register globals went to ON, safe mode back to off and session tmp directory became writable.

:(


 Post subject: Re: Interesting problem
Posted: Tue Nov 06, 2007 4:37 pm 
Joomla! Guru

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 732
Location: Wisconsin USA
Try putting these two lines into the php.ini files for / and /administrator directories.

register_globals = Off
safe_mode = off

That should turn off both the register_globals and the safe mode. This may fix the session tmp directory becoming unwritable also.  If not you may have to promote the permissions from 755 on the tmp directory to something higher so that apache can use it.

_________________
Phil


 Post subject: Re: Interesting problem
Posted: Tue Nov 06, 2007 6:07 pm 
Joomla! Apprentice

Joined: Sat Oct 27, 2007 8:33 pm
Posts: 19
Is it safe to give 777 permission to tmp directory?


 Post subject: Re: Interesting problem
Posted: Fri Nov 09, 2007 8:26 pm 
Joomla! Apprentice

Joined: Sat Oct 27, 2007 8:33 pm
Posts: 19
anybody?


 Post subject: Re: Interesting problem
Posted: Sat Nov 10, 2007 10:38 pm 
Joomla! Explorer

Joined: Thu Aug 25, 2005 3:29 pm
Posts: 347
Location: Adelaide, South Australia
Hi Yoda, no idea why there have not been any responses. I think you have a valid question.

All I can offer is my uneducated guess. I don't think setting any folder to 777 is "safe" but perhaps there is something about the Temp folder that makes it unable to run files and therefore less of a security risk than other folders.

At about this time it would be good for the gurus to step in and enlighten us ;)

_________________
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
Do Not PM me looking for Help! Un-requested Help PM's will be Deleted Unread, and your ID added to my Ignore List


 Post subject: Re: Interesting problem
Posted: Sun Nov 11, 2007 2:01 am 
Joomla! Guru

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 732
Location: Wisconsin USA
Permissions are not always straightforward and I can't answer positively one way or the other what an individual directory's permissions and ownerships on a particular host server need to be or actually are.  I can make general recommendations and sometimes provide a suggestion on what I did to resolve a certain problem. What works for one person may not work for another. As a site administrator (even low traffic personal website) you have to find the best solution for your server/hosting setup.

In general, directories are set to 755 and files to 644.  Certain directories like the cache and tmp directories need to be set to be readable by the web server. If that means 777, then that is what it will have to be.  Is that setting safe? Not really in my opinion, but certain compromises are normally necessary.  I have 3 sites and on two of them the cache directory needs 777 to function properly. The other site only needs 755 on the cache directory.

I have noticed that when running php as cgi turning off register_globals will sometimes expose the fact that php is running safe_mode.  That can normally also be turned off with the command  safe_mode = off in the php.ini file.

A very good article written by RussW. on Joomla, web site permissions/file ownership is:  What does Joomla! have to do with file permissions? http://help.joomla.org/component/option,com_easyfaq/task,view/id,73/Itemid,268/

I recommend reading it slowly several times to get a mental picture of the permissions and pay attention to the footnotes at the end.

Other good links are:

Joomla! Help Site http://help.joomla.org

Security & Performance FAQ
http://help.joomla.org/component/option,com_easyfaq/task,cat/catid,226/Itemid,268/

Joomla! Administrator's Security Checklist http://help.joomla.org/component/option,com_easyfaq/task,view/id,167/Itemid,268/

Help! My site's been compromised. Now what? http://help.joomla.org/component/option,com_easyfaq/task,view/id,100/Itemid,268/

Vulnerable Extension List http://help.joomla.org/component/option,com_easyfaq/task,view/id,186/Itemid,268/

Joomla! Tools Suite
How can I check my Joomla! installation's overall security and health? http://help.joomla.org/component/option,com_easyfaq/task,view/id,104/Itemid,268/

So, if a directory needs 777 or 757 to function properly, then that is what you set it at, secure or not. If you need 777 to install something, then set it back to 755/644 when done.

_________________
Phil
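
One way to keep track of the 755/644 baseline from the post above, so that a directory left at 777 after an install does not go unnoticed. This is an added example and not part of the thread; the function name, the output wording and the tmp/cache allowlist passed as arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function name and output format are
# hypothetical; the allowlist (e.g. tmp cache) is whatever your host needs.

# audit_perms SITE_ROOT [ALLOWED_DIR ...]
# Lists every path that deviates from 755 (directories) / 644 (files).
# World-writable paths are "accepted" only if named in the allowlist,
# relative to SITE_ROOT. Returns 1 if any unexpected one is found.
audit_perms() {
    root=${1%/}; shift
    status=0
    report=$(mktemp) || return 2
    {   # Tag each deviating path with the reason it was selected.
        find "$root" \( -type d -o -type f \) -perm -0002 -exec printf 'W %s\n' {} +
        find "$root" -type d ! -perm 755 ! -perm -0002 -exec printf 'D %s\n' {} +
        find "$root" -type f ! -perm 644 ! -perm -0002 -exec printf 'F %s\n' {} +
    } > "$report"
    while read -r tag path; do
        rel=${path#"$root"/}
        case $tag in
            W)  verdict="world-writable, UNEXPECTED"
                for ok in "$@"; do
                    if [ "$rel" = "$ok" ]; then verdict="world-writable, accepted"; fi
                done
                case $verdict in *UNEXPECTED) status=1 ;; esac ;;
            D)  verdict="directory not 755" ;;
            F)  verdict="file not 644" ;;
        esac
        printf '%s: %s\n' "$rel" "$verdict"
    done < "$report"
    rm -f "$report"
    return "$status"
}
```

Called as `audit_perms /path/to/site tmp cache`, it exits non-zero only when something outside the allowlist is world-writable, which makes it usable from a scheduled check.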

