
How to prevent config.php from changing owners?

On my host (nearlyfreespeech.net), CGI and PHP can create files that aren't accessible by me. When I first uploaded config.php, I was the file's owner and the conf directory's owner, but at some point while setting Vanilla up, config.php became owned by the Apache user, and I can no longer edit/delete/chown it.

How do I force Vanilla to chown files to whoever owns the directory they're in, or at least stop it from messing with config.php? Can anyone point me to where in the code this is happening?

Advice from my host:

As a security precaution, CGI and PHP scripts run with different user credentials than you do when you edit your files. Although the CGI/PHP user has significantly fewer privileges overall, it is possible to create a situation where an application creates files or directories that you do not have permission to access or remove via FTP or ssh. This typically happens if an application's umask is set incorrectly; the resulting files or directories will be owned by the "web" user and will not be group or world writable. (Correct umasks are 0 or 002, depending on the expected group ownership. A umask of 0 should work for most web applications, and does not compromise security on our system the way it does on some shared hosts.)
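The umask behaviour the host describes can be checked over ssh. This is an added example, not part of the original post or the host's advice; the function names are hypothetical and every file is a constructed sample in a throwaway temp directory. It shows the mode a newly created file receives under a given umask, and whether a rewrite keeps the same inode (and therefore the same owner) or produces a new file owned by whichever user wrote it.

```shell
#!/bin/sh
# Constructed demo: nothing here touches a real Vanilla install.

# mode_under_umask MASK
# Create a new file under the given umask and print its permission string.
# Shell redirection requests mode 0666; the umask removes bits from that.
mode_under_umask() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/config.php" ) || { rm -rf "$dir"; return 1; }
    ls -l "$dir/config.php" | cut -c1-10
    rm -rf "$dir"
}

# rewrite_keeps_inode inplace|replace
# Print "same" if the rewrite kept the original inode, "new" otherwise.
# Ownership belongs to the inode: an in-place overwrite keeps the original
# owner, while a write-temp-then-rename (or delete-and-recreate) yields a
# file owned by the user that performed the write.
rewrite_keeps_inode() {
    dir=$(mktemp -d) || return 1
    f="$dir/config.php"
    echo '<?php // v1 (constructed sample)' > "$f"
    before=$(ls -i "$f" | awk '{print $1}')
    case "$1" in
        inplace) echo '<?php // v2' > "$f" ;;
        replace) echo '<?php // v2' > "$f.tmp" && mv "$f.tmp" "$f" ;;
        *) rm -rf "$dir"; return 2 ;;
    esac
    after=$(ls -i "$f" | awk '{print $1}')
    rm -rf "$dir"
    if [ "$before" = "$after" ]; then echo same; else echo new; fi
}

# Show the resulting mode for the umasks the host names (0 and 002)
# next to two common restrictive defaults.
for mask in 0 002 022 077; do
    printf 'umask %-3s -> %s\n' "$mask" "$(mode_under_umask "$mask")"
done
printf 'in-place overwrite: %s inode\n' "$(rewrite_keeps_inode inplace)"
printf 'temp + rename:      %s inode\n' "$(rewrite_keeps_inode replace)"
```

On a real site, `ls -l conf/config.php` shows the owner, group and mode the file actually ended up with after the application wrote it.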

Comments

  • x00 MVP
    edited November 2013

    Naturally, if config.php is written to, it will come under the web user or the suPHP user.

    You should not rely on any application chowning or chmoding anything. My argument is that file management is not the domain of web applications at all, certainly not through CGI script alone.

    Of course it is in there, because of the history of web development, dictating these malpractices. It mainly is the fault of cheap web hosts.

    If you have ssh you should be able to connect as root anyway.

    grep is your friend.

  • The issue with Nearlyfreespeech is not that they are cheap, but that they are security crazy and a bit of a DIY cult. They go out of their way to set things up a particular way and think everyone else is lazy and reckless for not implementing code the right way. God love 'em, those crazy guys.

    So no, I don't have root access, I have to file a support request to get config.php back under my account. I'm not sure why this hasn't been a problem with WordPress or phpBB but this is the first time I've encountered it.

  • hgtonight ∞ · New Moderator

    Welcome to the community!

    The config file is rewritten every time there is a configuration change via Vanilla software.

    Since the software is writing the file, it owns it. There is no way around this, as far as I can tell.

    It is good that they are security crazy; however, such a limitation could lead some people to some not so good security practices.

    The application itself does not set umask. It is only a small number of folders which have to be under the web user. In fact, in the conf folder, only config.php needs to be written to.

    Given that each application is different, as is the setup, really you would need to be assigned a user and group for that application and setup.

  • @hgtonight said:
    Welcome to the community!

    The config file is rewritten every time there is a configuration change via Vanilla software.

    Since the software is writing the file, it owns it. There is no way around this, as far as I can tell.

    Well, actually it is possible to assign a different user and group. My deduction is that it is not just happening because of the user but because of the default permissions.

    It might be due to the errant craze of chmoding everything to 777 or generally setting permissions way higher than they need to be. Not only does this put them at risk, it can sometimes have the opposite effect, where the file or folder is set to the minimum permissions depending on the settings.

    Applications shouldn't chmod at all, but they try to if they can't get their way. This can have the opposite effect.

    Lastly, because it can be written to by the web user, technically you have control through scripting. Not ideal, of course.

  • x00 MVP
    edited November 2013

    As a security precaution, CGI and PHP scripts run with different user credentials than you do when you edit your files

    This is nothing unusual. In fact it would be pretty poor if they didn't do this.

    What is the actual permission of the file after it is written to by the web user?
