1

Topic: Apache write permissions

Is there a list of the files and directories that require WRITE permissions by the warehouse web server? At the moment my Apache server has read+write access everywhere in the web root which means some malicious PHP code could be written to compromise the warehouse.

Charles Roper
Digital Development Manager | Field Studies Council
http://www.field-studies-council.org | https://twitter.com/charlesroper | https://twitter.com/fsc_digital

2

Re: Apache write permissions

Hi Charles
The installation of the warehouse includes a configuration check covering directory permissions, with the code available in \modules\indicia_setup\helpers\config_test.php in the check_dir_permissions method. You can check the results of this check by going to the home page then clicking to Show Details on the "There are configuration issues on this server" message.
Cheers
John

John van Breda
Biodiverse IT

3

Re: Apache write permissions

Hi

If you look at this code that John has directed us to then you will observe that it checks the following folders are writable:
/application/config
/application/cache
/upload
/client_helpers
/client_helpers/upload
/modules/demo

In addition it checks that the following folders are read only:
/reports
/reports/trigger_templates
/modules/indicia_setup/db

I would add the application/logs folder to the list that should be writable.

You could also constrain write access in the client_helpers folder to just the helper_config.php file but then the check on the whole folder being writable would fail, resulting in a warning.

Jim Bacon.

4

Re: Apache write permissions

Thanks chaps.

I'm wondering if the following really do need to be writable:

/application/config
Certain files need to be written to when installing the warehouse, but after that why would we need to write to it?

/client_helpers
/modules/demo
Why do these need to be writable by the server?

As it stands, these are the directories I've set to be writable by the server:

/application/cache
/application/logs
/upload
/client_helpers/upload

Everything else is set read-only (for Apache).

So that leaves me with the following warnings:

Directory Access
The configuration directory at /var/www/warehouse.sxbrc.org.uk/indicia/application/config isn't writeable by PHP scripts. This means that the installation settings cannot be stored.

The configuration directory at /var/www/warehouse.sxbrc.org.uk/indicia/client_helpers isn't writeable by PHP scripts. This means that the settings for the data entry helper classes cannot be stored.

The demo directory at /var/www/warehouse.sxbrc.org.uk/indicia/modules/demo isn't writeable by PHP scripts. This means that the settings for the demo configuration classes cannot be stored.

Can I ignore these warnings (or better yet, turn them off), or will the warehouse still need to write to these places in future?

Charles Roper
Digital Development Manager | Field Studies Council
http://www.field-studies-council.org | https://twitter.com/charlesroper | https://twitter.com/fsc_digital
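
The reduced writable set described in the post above can be audited on disk. This is an added example, not part of the thread and not Indicia code: the function names and command-line arguments are assumptions, the allow-list is the four directories Charles lists, and the check looks at owner/group/other mode bits only (no ACLs).

```python
import os, pwd, stat, sys

# Directories Charles left writable for Apache, relative to the warehouse root.
ALLOWED_WRITABLE = {"application/cache", "application/logs",
                    "upload", "client_helpers/upload"}

def can_write(st, uid, gids):
    """Mode-bit check only: ignores ACLs and root's override."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(root, uid, gids, allowed=ALLOWED_WRITABLE):
    """Return (unexpected, missing): paths writable outside the allow-list,
    and allow-listed directories the account cannot write to."""
    unexpected = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel in allowed:
            dirnames[:] = []          # subtree is expected to be writable
            continue
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if not os.path.islink(path) and can_write(os.stat(path), uid, gids):
                unexpected.append(os.path.relpath(path, root).replace(os.sep, "/"))
    missing = []
    for d in sorted(allowed):
        full = os.path.join(root, d)
        if not (os.path.isdir(full) and can_write(os.stat(full), uid, gids)):
            missing.append(d)
    return sorted(unexpected), missing

if __name__ == "__main__":
    # Usage (hypothetical script name): audit.py <warehouse root> <web server account>
    root, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    unexpected, missing = audit(root, pw.pw_uid,
                                set(os.getgrouplist(user, pw.pw_gid)))
    for p in unexpected:
        print("writable but not on the list:", p)
    for d in missing:
        print("on the list but not writable:", d)
    sys.exit(1 if unexpected or missing else 0)
```

Run it with the warehouse root and the account Apache runs as; a non-zero exit status means the permissions on disk differ from the list.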