Configuration.php permissions.

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
arjo2000
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Fri Jul 04, 2008 8:52 am

Configuration.php permissions.

Postby arjo2000 » Mon Jan 19, 2009 6:26 am

I hope the forum can help clarify this issue for me. My site is on a shared server. My configuration.php permissions are set to 400 as in my understanding it is not necessary, nor advisable for the world to read this file. Only the owner/group/webserver needs to have access. My website runs fine with this setting. However, when i change the configuration settings from within Joomla admin, the file is overwritten and the permissions change to 444. My site still runs fine without any issues noticed so far. I then login into my cPanel and change the permissions back to 400. I also have protection for the configuration.php file in .htaccess. If permissions are to 644 as advised in the Joomla Security FAQs, then if something went really wrong, the webserver could deliver the file contents for all the world to see? Is it not better to set permissions to a level to ensure that the world can never ever read this file under any circumstances? So what are appropriate settings for maximum security? Any comments would be appreciated. Thank you.

User avatar
fw116
Joomla! Ace
Joomla! Ace
Posts: 1365
Joined: Tue Sep 06, 2005 11:18 am
Location: Germany

Re: Configuration.php permissions.

Postby fw116 » Mon Jan 19, 2009 10:25 am

with a secure webserver setup , the websever will deliver nothing to anybody...

in the php.ini is a option for this:

disable_functions = show_source,

with this option enabeld the webserver will display no php source at all...

communique
Joomla! Apprentice
Joomla! Apprentice
Posts: 23
Joined: Sun Mar 23, 2008 12:01 pm
Location: Ohio

Re: Configuration.php permissions.

Postby communique » Mon Jan 19, 2009 3:20 pm

arjo2000, read this thread: Something odd after upgrading from J! 1.0 to 1.58. Unfortunately, there hasn't been a definitive explanation for where seeing.

Although my installation was a new install of 1.58 (at the time), I experienced the same thing.
Bill

User avatar
musiczineguy
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 190
Joined: Sat Nov 11, 2006 5:01 am
Location: Latham, NY

Re: Configuration.php permissions.

Postby musiczineguy » Mon Jan 19, 2009 8:28 pm

communique wrote:arjo2000, read this thread: Something odd after upgrading from J! 1.0 to 1.58. Unfortunately, there hasn't been a definitive explanation for where seeing.

fw116 wrote:with a secure webserver setup , the websever will deliver nothing to anybody...

in the php.ini is a option for this:

disable_functions = show_source,

with this option enabeld the webserver will display no php source at all...


No, my original question has not been definitively answered -- but at least knowing the behavior (whether it's right or wrong) helps in creating a strategy to deal with it.

And the show_source nugget is a very good one. That will go into my php.ini immediately!

arjo2000
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Fri Jul 04, 2008 8:52 am

Re: Configuration.php permissions.

Postby arjo2000 » Mon Jan 19, 2009 10:54 pm

My thanks to all for this advice. I checked with my webhost and they agree that setting the php directive disable_functions = show_source is a good strategy and that with this directive set, the file permissions should be safe at 644. They have now done this for me.

However, would it be advisable to also use this directive in any local php.ini files as I have several individual websites as add-on domains under one hosting account. Each add-on domain is in its own folder and the php.ini file governing all of the websites is directly under public_html.

I guess I am a bit paranoid about security since being hacked a couple of times. Are there any issues with these files being set to 400 anyway as long as the site runs correctly? I would have thought that every bit of extra security would be a good thing. In any case if 644 is advisable and safe then i will adjust the permissions accordingly. Thanks again.

User avatar
musiczineguy
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 190
Joined: Sat Nov 11, 2006 5:01 am
Location: Latham, NY

Re: Configuration.php permissions.

Postby musiczineguy » Tue Jan 20, 2009 1:45 am

arjo2000 wrote:My thanks to all for this advice. I checked with my webhost and they agree that setting the php directive disable_functions = show_source is a good strategy and that with this directive set, the file permissions should be safe at 644. They have now done this for me.

However, would it be advisable to also use this directive in any local php.ini files as I have several individual websites as add-on domains under one hosting account. Each add-on domain is in its own folder and the php.ini file governing all of the websites is directly under public_html.

I guess I am a bit paranoid about security since being hacked a couple of times. Are there any issues with these files being set to 400 anyway as long as the site runs correctly? I would have thought that every bit of extra security would be a good thing. In any case if 644 is advisable and safe then i will adjust the permissions accordingly. Thanks again.



You have to experiment and see what works -- Generally 644 for files and 755 for folders is considered 'safe'. Anything you can do to further lock down permissions without harming the function of your site(s) is certainly a plus.

As for php.ini, there are a ton of posts about what you should or shouldn't do recursively with this file, based on how your host is set up. Also, should you decide it's necessary to create multiple copies of your php.ini, there are some very handy scripts you can use to maintain them. These scripts are also heavily discussed throughout the forum.

Good luck!

arjo2000
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Fri Jul 04, 2008 8:52 am

Re: Configuration.php permissions.

Postby arjo2000 » Tue Jan 20, 2009 10:26 am

My thanks to everyone who helped me out. Cheers. :)


Return to “Security in Joomla! 1.5”

Who is online

Users browsing this forum: No registered users and 1 guest