The Joomla! Forum ™



PostPosted: Mon Jan 19, 2009 6:26 am 
Joomla! Apprentice

Joined: Fri Jul 04, 2008 8:52 am
Posts: 12
I hope the forum can help clarify this issue for me. My site is on a shared server. My configuration.php permissions are set to 400 as, in my understanding, it is not necessary, nor advisable, for the world to read this file. Only the owner/group/webserver needs to have access. My website runs fine with this setting. However, when I change the configuration settings from within Joomla admin, the file is overwritten and the permissions change to 444. My site still runs fine without any issues noticed so far. I then log in to my cPanel and change the permissions back to 400. I also have protection for the configuration.php file in .htaccess. If permissions are set to 644 as advised in the Joomla Security FAQs, then if something went really wrong, the webserver could deliver the file contents for all the world to see? Is it not better to set permissions to a level that ensures the world can never ever read this file under any circumstances? So what are appropriate settings for maximum security? Any comments would be appreciated. Thank you.


PostPosted: Mon Jan 19, 2009 10:25 am 
Joomla! Ace

Joined: Tue Sep 06, 2005 11:18 am
Posts: 1365
Location: Germany
With a secure webserver setup, the webserver will deliver nothing to anybody...

In php.ini there is an option for this:

disable_functions = show_source,

With this option enabled the webserver will display no PHP source at all...

_________________
http://www.schrammen.net


PostPosted: Mon Jan 19, 2009 3:20 pm 
Joomla! Apprentice

Joined: Sun Mar 23, 2008 12:01 pm
Posts: 23
Location: Ohio
arjo2000, read this thread: Something odd after upgrading from J! 1.0 to 1.58. Unfortunately, there hasn't been a definitive explanation for what we're seeing.

Although my installation was a new install of 1.58 (at the time), I experienced the same thing.

_________________
Bill


PostPosted: Mon Jan 19, 2009 8:28 pm 
Joomla! Enthusiast

Joined: Sat Nov 11, 2006 5:01 am
Posts: 190
Location: Latham, NY
communique wrote:
arjo2000, read this thread: Something odd after upgrading from J! 1.0 to 1.58. Unfortunately, there hasn't been a definitive explanation for what we're seeing.

fw116 wrote:
With a secure webserver setup, the webserver will deliver nothing to anybody...

In php.ini there is an option for this:

disable_functions = show_source,

With this option enabled the webserver will display no PHP source at all...


No, my original question has not been definitively answered -- but at least knowing the behavior (whether it's right or wrong) helps in creating a strategy to deal with it.

And the show_source nugget is a very good one. That will go into my php.ini immediately!


PostPosted: Mon Jan 19, 2009 10:54 pm 
Joomla! Apprentice

Joined: Fri Jul 04, 2008 8:52 am
Posts: 12
My thanks to all for this advice. I checked with my webhost and they agree that setting the PHP directive disable_functions = show_source is a good strategy and that with this directive set, the file permissions should be safe at 644. They have now done this for me.

However, would it be advisable to also use this directive in any local php.ini files, as I have several individual websites as add-on domains under one hosting account? Each add-on domain is in its own folder and the php.ini file governing all of the websites is directly under public_html.

I guess I am a bit paranoid about security since being hacked a couple of times. Are there any issues with these files being set to 400 anyway, as long as the site runs correctly? I would have thought that every bit of extra security would be a good thing. In any case, if 644 is advisable and safe then I will adjust the permissions accordingly. Thanks again.


PostPosted: Tue Jan 20, 2009 1:45 am 
Joomla! Enthusiast

Joined: Sat Nov 11, 2006 5:01 am
Posts: 190
Location: Latham, NY
arjo2000 wrote:
My thanks to all for this advice. I checked with my webhost and they agree that setting the PHP directive disable_functions = show_source is a good strategy and that with this directive set, the file permissions should be safe at 644. They have now done this for me.

However, would it be advisable to also use this directive in any local php.ini files, as I have several individual websites as add-on domains under one hosting account? Each add-on domain is in its own folder and the php.ini file governing all of the websites is directly under public_html.

I guess I am a bit paranoid about security since being hacked a couple of times. Are there any issues with these files being set to 400 anyway, as long as the site runs correctly? I would have thought that every bit of extra security would be a good thing. In any case, if 644 is advisable and safe then I will adjust the permissions accordingly. Thanks again.



You have to experiment and see what works -- Generally 644 for files and 755 for folders is considered 'safe'. Anything you can do to further lock down permissions without harming the function of your site(s) is certainly a plus.

As for php.ini, there are a ton of posts about what you should or shouldn't do recursively with this file, based on how your host is set up. Also, should you decide it's necessary to create multiple copies of your php.ini, there are some very handy scripts you can use to maintain them. These scripts are also heavily discussed throughout the forum.

Good luck!


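As an added check (not code from this thread or from Joomla), the script below audits both controls the posts above argue about: whether configuration.php is world-readable, as the 444 left behind by an admin save is, and whether php.ini's disable_functions covers show_source together with highlight_file, of which show_source is only an alias, since disable_functions matches each name separately. The sample configuration.php, php.ini lines and placeholder password are constructed for the demo.

```python
"""Audit the two controls this thread discusses: the mode bits on
configuration.php and the disable_functions line in php.ini."""
import os
import re
import stat
import tempfile

# show_source is an alias of highlight_file and disable_functions matches
# each name separately, so listing show_source alone leaves the alias open.
SOURCE_DUMPERS = {"show_source", "highlight_file"}

def world_readable(path):
    """True if 'others' may read the file (the trailing 4 in 644 or 444)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def parse_disable_functions(ini_text):
    """Return the set of names listed by php.ini's disable_functions."""
    names = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ini comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            names |= {n.strip() for n in m.group(1).split(",") if n.strip()}
    return names

def audit(config_path, ini_text):
    """Return findings; an empty list means both controls are in place."""
    findings = []
    mode = stat.S_IMODE(os.stat(config_path).st_mode)
    if world_readable(config_path):
        findings.append("configuration.php is world-readable (mode %o)" % mode)
    missing = SOURCE_DUMPERS - parse_disable_functions(ini_text)
    if missing:
        findings.append("disable_functions lacks: " + ", ".join(sorted(missing)))
    return findings

def demo():
    """Constructed sample: a 444 configuration.php and the thread's php.ini line."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "configuration.php")
        with open(cfg, "w") as f:
            f.write("<?php\nclass JConfig { public $password = 'placeholder'; }\n")
        os.chmod(cfg, 0o444)  # what Joomla's admin save leaves behind
        before = audit(cfg, "disable_functions = show_source,\n")
        os.chmod(cfg, 0o400)  # the poster's preferred mode
        after = audit(cfg, "disable_functions = show_source,highlight_file\n")
        return before, after

if __name__ == "__main__":
    print(demo())
```

disable_functions is a PHP_INI_SYSTEM directive, so a php.ini under public_html is honoured only where PHP runs as CGI/FastCGI (for example suPHP on cPanel hosts), not under mod_php. Either way it only blocks those two PHP functions, whereas mode 400 also keeps other local accounts on the shared host from reading the file.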
PostPosted: Tue Jan 20, 2009 10:26 am 
Joomla! Apprentice

Joined: Fri Jul 04, 2008 8:52 am
Posts: 12
My thanks to everyone who helped me out. Cheers. :)

