Hi everybody,
imagine John Doe has downloaded OXID eShop as a zip file. John unpacks it to his Windows OS and uploads it using a regular FTP client. John Doe of course has no idea of SSH, wget, unzip or svn checkout. I am talking about a regularily and well-configured Debian(ish) system on the server now. Of course, there might be differences on other OSses. On the server, the files are usually saved with chmod 0644 and the user group FTP-user, right? Now, the installation routine which is run in user group www-data is trying to write to the config.inc.php file and fails because it has no permission to do so. On "restrictive" systems like Debian, it is not even possible to change this permission with a PHP routine. The proper way now would be to $ chown www-data config.inc.php and back to FTP-user after the installation BUT you cannot do so when you don't have SSH ;) That's why there is a workaround to check if config.inc.php is writable before installation. If not - permissions have to be set manually to 0777 and back to 0644 again after finishing the installation. I don't see the need to check all files for their permission. Everybody is free to even set it to 0777 for the complete system - it is just own risk, isn't it? Why "red"? If John now opens up the installation routine, he would not even recognize "yellow". He would immediately stumble through the rest of the installation and will definately fail in the last step. Failing again and again, he will either ditch the installation or - best case - request in the forums. Of course, the error message "... doesn't fit the system requirements ..." is not correct in that manner but man, I can really live with it under the above named circumstances. Let me sum: We knowingly decided for this workaround and the red button to - decrease barriers of entry for new users and thus enlarge the community - avoid from redundant support requests. BTW: Before that decision I checked it in several other similar systems like OSC, zencart, joomla, phproject etc. and found out that they use exactly this workaround. Obviously best practice :-) Due to the above named, I don't really see a reason to change that behaviour. Maybe we can change the error message for the file permission check one day... Do you see my point? ACK? Regards Marco -----Ursprüngliche Nachricht----- Von: [email protected] [mailto:[email protected]] Im Auftrag von Aurimas Urbonas Gesendet: Dienstag, 3. August 2010 21:27 An: [email protected] Betreff: Re: [oxid-dev-general] System requirements for file rights shouldbe mandatory? Hi, what is exactly not secure when config.inc.php is writable by the server. Is everything more secure if config.inc.php is readonly but core/oxconfig.php is writable by the server?.. Best regards, Aurimas On Tue, Aug 3, 2010 at 3:32 PM, Michael Zender < [email protected]> wrote: > Hi, > > I also think that wrong file permissions should be marked as un-met > system requirements (at least not if the shop works with these 'wrong' > settings). > Giving a hint on the potential security risk would be more appropriate > in my opinion. > > Best regards, > > Dipl.-Ing. (FH) Michael Zender > Development eCommerce > Technical Project Lead > > MOS-TANGRAM AG > Wohlerstrasse 2 > CH-5623 Boswil > Phone: +41 (0)56 677 82 20 > Fax: +41 (0)56 677 82 99 > E-Mail: [email protected] > Internet: http://www.mos-tangram.com > _______________________________________________ > dev-general mailing list > [email protected] > http://dir.gmane.org/gmane.comp.php.oxid.general > _______________________________________________ dev-general mailing list [email protected] http://dir.gmane.org/gmane.comp.php.oxid.general _______________________________________________ dev-general mailing list [email protected] http://dir.gmane.org/gmane.comp.php.oxid.general
