Configuration.php permissions.

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

arjo2000
Joomla! Apprentice
Posts: 12
Joined: Fri Jul 04, 2008 8:52 am

Configuration.php permissions.

Post by arjo2000 » Mon Jan 19, 2009 6:26 am

I hope the forum can help clarify this issue for me. My site is on a shared server. My configuration.php permissions are set to 400, as in my understanding it is neither necessary nor advisable for the world to read this file. Only the owner/group/webserver needs to have access. My website runs fine with this setting. However, when I change the configuration settings from within Joomla admin, the file is overwritten and the permissions change to 444. My site still runs fine without any issues noticed so far. I then log in to my cPanel and change the permissions back to 400. I also have protection for the configuration.php file in .htaccess. If permissions are set to 644 as advised in the Joomla Security FAQs, then if something went really wrong, the webserver could deliver the file contents for all the world to see? Is it not better to set permissions to a level to ensure that the world can never ever read this file under any circumstances? So what are appropriate settings for maximum security? Any comments would be appreciated. Thank you.

fw116
Joomla! Ace
Posts: 1373
Joined: Tue Sep 06, 2005 11:18 am
Location: Germany

Re: Configuration.php permissions.

Post by fw116 » Mon Jan 19, 2009 10:25 am

With a secure webserver setup, the webserver will deliver nothing to anybody...

In the php.ini is an option for this:

disable_functions = show_source,

With this option enabled the webserver will display no PHP source at all...

communique
Joomla! Apprentice
Posts: 23
Joined: Sun Mar 23, 2008 12:01 pm
Location: Ohio

Re: Configuration.php permissions.

Post by communique » Mon Jan 19, 2009 3:20 pm

arjo2000, read this thread: Something odd after upgrading from J! 1.0 to 1.58. Unfortunately, there hasn't been a definitive explanation for what we're seeing.

Although my installation was a new install of 1.58 (at the time), I experienced the same thing.
Bill

musiczineguy
Joomla! Enthusiast
Posts: 200
Joined: Sat Nov 11, 2006 5:01 am
Location: East Greenbush, NY

Re: Configuration.php permissions.

Post by musiczineguy » Mon Jan 19, 2009 8:28 pm

communique wrote: arjo2000, read this thread: Something odd after upgrading from J! 1.0 to 1.58. Unfortunately, there hasn't been a definitive explanation for what we're seeing.
fw116 wrote: With a secure webserver setup, the webserver will deliver nothing to anybody...

In the php.ini is an option for this:

disable_functions = show_source,

With this option enabled the webserver will display no PHP source at all...
No, my original question has not been definitively answered -- but at least knowing the behavior (whether it's right or wrong) helps in creating a strategy to deal with it.

And the show_source nugget is a very good one. That will go into my php.ini immediately!

arjo2000
Joomla! Apprentice
Posts: 12
Joined: Fri Jul 04, 2008 8:52 am

Re: Configuration.php permissions.

Post by arjo2000 » Mon Jan 19, 2009 10:54 pm

My thanks to all for this advice. I checked with my webhost and they agree that setting the php directive disable_functions = show_source is a good strategy and that with this directive set, the file permissions should be safe at 644. They have now done this for me.

However, would it be advisable to also use this directive in any local php.ini files, as I have several individual websites as add-on domains under one hosting account? Each add-on domain is in its own folder and the php.ini file governing all of the websites is directly under public_html.

I guess I am a bit paranoid about security since being hacked a couple of times. Are there any issues with these files being set to 400 anyway as long as the site runs correctly? I would have thought that every bit of extra security would be a good thing. In any case if 644 is advisable and safe then I will adjust the permissions accordingly. Thanks again.
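
Added example, not part of any post in this thread: a shell audit for the situation described above, where several Joomla sites sit under one account and configuration.php comes back as 444 after each admin save. It assumes PHP runs as the file owner (as the working 400 setting implies) and that a per-folder php.ini governs its site; the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit Joomla configuration.php files under one hosting account.
# Assumptions: PHP runs as the file owner, sites sit in sub-folders of the
# root passed in, and a per-folder php.ini is the file that governs that site.

# Print a file's octal mode (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# List every configuration.php under $1 that group or other can read.
find_loose_configs() {
    find "$1" -type f -name configuration.php \
        \( -perm -040 -o -perm -004 \) -print
}

# Reset each loose file to 400 and print "path: old -> 400" for the record.
tighten_configs() {
    find_loose_configs "$1" | while IFS= read -r f; do
        old=$(file_mode "$f")
        chmod 400 "$f" && printf '%s: %s -> 400\n' "$f" "$old"
    done
}

# Succeed only if the php.ini at $1 lists show_source in disable_functions.
# Commented-out lines (leading ';') are ignored; the last setting wins.
ini_disables_show_source() {
    [ -f "$1" ] || return 1
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" |
        tail -n 1 | cut -d= -f2- | tr ',' '\n' | tr -d ' \t"\r' |
        grep -qx 'show_source'
}

# Report each php.ini under $1 that does not disable show_source.
report_php_ini() {
    find "$1" -type f -name php.ini | while IFS= read -r ini; do
        ini_disables_show_source "$ini" ||
            printf '%s: show_source not in disable_functions\n' "$ini"
    done
}

# Run as: sh audit.sh /path/to/public_html   (path is a placeholder)
if [ "$#" -ge 1 ]; then
    tighten_configs "$1"
    report_php_ini "$1"
fi
```

Run from cron or after each configuration save, it puts the files back to 400 without a trip through cPanel and leaves a line of output for every change it made.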

musiczineguy
Joomla! Enthusiast
Posts: 200
Joined: Sat Nov 11, 2006 5:01 am
Location: East Greenbush, NY

Re: Configuration.php permissions.

Post by musiczineguy » Tue Jan 20, 2009 1:45 am

arjo2000 wrote: My thanks to all for this advice. I checked with my webhost and they agree that setting the php directive disable_functions = show_source is a good strategy and that with this directive set, the file permissions should be safe at 644. They have now done this for me.

However, would it be advisable to also use this directive in any local php.ini files, as I have several individual websites as add-on domains under one hosting account? Each add-on domain is in its own folder and the php.ini file governing all of the websites is directly under public_html.

I guess I am a bit paranoid about security since being hacked a couple of times. Are there any issues with these files being set to 400 anyway as long as the site runs correctly? I would have thought that every bit of extra security would be a good thing. In any case if 644 is advisable and safe then I will adjust the permissions accordingly. Thanks again.

You have to experiment and see what works -- Generally 644 for files and 755 for folders is considered 'safe'. Anything you can do to further lock down permissions without harming the function of your site(s) is certainly a plus.

As for php.ini, there are a ton of posts about what you should or shouldn't do recursively with this file, based on how your host is set up. Also, should you decide it's necessary to create multiple copies of your php.ini, there are some very handy scripts you can use to maintain them. These scripts are also heavily discussed throughout the forum.

Good luck!

arjo2000
Joomla! Apprentice
Posts: 12
Joined: Fri Jul 04, 2008 8:52 am

Re: Configuration.php permissions.

Post by arjo2000 » Tue Jan 20, 2009 10:26 am

My thanks to everyone who helped me out. Cheers. :)

