
File permissions after installation


  • File permissions after installation

    Should you have to modify file permissions post installation to protect sensitive files such as config.php?

    After extracting.. everything is 755.. including includes/config.php which includes sensitive information like the db user/pass

    I'm not a php guy.. but having the config file readable by all doesn't seem right to me.

    File permissions are not covered at all in the installation instructions.

  • #2
    Generally you do not have to change file permissions. The config.php file must be world-readable otherwise your forums won't work.
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


    • #3
      Do not set permissions on your config to 666 or 777 like other boards require. vBulletin requires no changes after uploading the config file (because you make all the changes needed in it before you upload it). Just leave it as 644 permission which like Steve said above is "world readable" by default after you've uploaded it.


      • #4
        It's not 644 by default.. it's actually 755 which is a problem for users on the webserver itself.

        read-exec by all, rwx by owner.

        Here is the config.php file as from the upload directory. This is from the zip file, extracted on the linux machine itself using 'unzip'. Of course the file is renamed from .new

        [[email protected] includes]$ ls -l config.php
        -rwxr-xr-x 1 skapinos skapinos 4915 Aug 22 22:04 config.php

        That means anyone on the server could read the file.. including the passwords.


        • #5
          Sounds like a server config issue, my config file by default is 644.


          • #6
            Originally posted by Zachery
            Sounds like a server config issue, my config file by default is 644.
            Ok, but 644 is still world readable!

            4 = read

            Meaning.. anyone on the shell box can read your passwords.. not very secure


            • #7
              And? 99% of the time apache is running as nobody in most environments, so if everyone can't read your config files it's going to be a problem.

              To be honest, this problem exists within every software, and has since vB1. It has never been a critical issue as it requires direct access to the server in some way.


              • #8
                I've used many different forum packages though, phpbb, invision, nuke, mybb and the list goes on. The good thing about vbulletin is at least you are not required to have any folders as 777 or 666, in most cases 755 will do. Unless you use features like being able to upload smilies from the admin cp to the server. Which you don't have to use. Just FTP them instead then add them to avoid using 777 on directories. That's what I like about vBulletin. CHMod wise it's the best of the bunch, and when you download your board for backup. After restoring there is no need to go through the hassle of then having to chmod files etc before you can run it, plus the default chmod values makes vbulletin the most secure board I've ever used personally.


                • #9
                  Hmmm I tried using the 755 chmod for my files and when you try to post a file in the forum it does not work, it has to be 777.

                  I have this under forum: forum/files where I store all the files (not in the database).

                  Like I say, the only way for me to be able to make this work is 777.

                  This is not safe, no?
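
Added example, not part of the thread and not vBulletin code: the disagreement above (755 vs 644 on config.php, 777 on an upload directory) comes down to which POSIX permission class the web server process falls into, and this sketch flags the risky bits and computes the tightest mode that still works. The names `audit`, `tightest_mode`, `web_uid` and `web_gids` are hypothetical, and it assumes plain mode bits only (no ACLs, SELinux or per-user PHP handlers).

```python
import os
import stat
import tempfile

def tightest_mode(st, web_uid, web_gids, need_write=False):
    """Smallest mode that still lets the web server use the path.

    POSIX picks exactly one class per access check: owner if the uid
    matches, else group if the gid matches, else other.
    """
    is_dir = stat.S_ISDIR(st.st_mode)
    owner = 0o7 if is_dir else 0o6          # owner keeps rw (+x on directories)
    need = 0o4 | (0o2 if need_write else 0) | (0o1 if is_dir else 0)
    if web_uid == st.st_uid:
        return owner << 6                   # 600 / 700: nobody else needs access
    if st.st_gid in web_gids:
        return owner << 6 | need << 3       # 640 / 750 / 770: group is enough
    return owner << 6 | need << 3 | need    # 644 / 755 / 777: "other" required

def audit(path, web_uid, web_gids, need_write=False):
    """Report the current mode, risky bits, and the tightest workable mode."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    flags = []
    if mode & stat.S_IROTH:
        flags.append("world-readable")      # any local user can read it
    if mode & stat.S_IWOTH:
        flags.append("world-writable")      # any local user can modify it
    if stat.S_ISREG(st.st_mode) and mode & 0o111:
        flags.append("execute bit set")
    tight = tightest_mode(st, web_uid, web_gids, need_write)
    return {"mode": oct(mode), "flags": flags, "tightest": oct(tight)}

if __name__ == "__main__":
    # Constructed sample: a config.php extracted as 755, as in post #4.
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "config.php")
        with open(cfg, "w") as f:
            f.write("<?php // constructed sample, no real credentials\n")
        os.chmod(cfg, 0o755)
        st = os.stat(cfg)
        # Web server as an unrelated user (the "nobody" case from post #7).
        print(audit(cfg, st.st_uid + 1, [st.st_gid + 1]))
        # Web server placed in the file's group: "other" bits can be dropped.
        print(audit(cfg, st.st_uid + 1, [st.st_gid]))
```

Pass the real uid and group ids of the web server process (for example from `id nobody`) to see whether world access is actually required on a given host.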

