Hi,
Cool. Thanks for the answer. I'm convinced too.
So I will change the request in bug entry:
https://bugs.oxid-esales.com/view.php?id=1998
...to display a proper error message in case of a file rights mismatch, and
the check will be left as mandatory (Red).
Best regards,
Dainius Bigelis
----- Original Message -----
From: "Marco Steinhaeuser" <[email protected]>
To: <[email protected]>
Sent: Wednesday, August 04, 2010 5:44 PM
Subject: Re: [oxid-dev-general] System requirements for file rights should be mandatory?
Hi everybody,
imagine John Doe has downloaded OXID eShop as a zip file. John unpacks it to
his Windows OS and uploads it using a regular FTP client. John Doe of course
has no idea of SSH, wget, unzip or svn checkout.
I am talking about a regularly and well-configured Debian(ish) system on
the server now. Of course, there might be differences on other OSes. On the
server, the files are usually saved with chmod 0644 and the user group
FTP-user, right? Now, the installation routine which is run in user group
www-data is trying to write to the config.inc.php file and fails because it
has no permission to do so. On "restrictive" systems like Debian, it is not
even possible to change this permission with a PHP routine.
The proper way now would be to $ chown www-data config.inc.php and back to
FTP-user after the installation BUT you cannot do so when you don't have SSH
;)
That's why there is a workaround to check if config.inc.php is writable
before installation. If not - permissions have to be set manually to 0777
and back to 0644 again after finishing the installation.
I don't see the need to check all files for their permission. Everybody is
free to even set it to 0777 for the complete system - it is just at their own risk,
isn't it?
Why "red"?
If John now opens up the installation routine, he would not even recognize
"yellow". He would immediately stumble through the rest of the installation
and will definitely fail in the last step. Failing again and again, he will
either ditch the installation or - best case - request in the forums.
Of course, the error message "... doesn't fit the system requirements ..."
is not correct in that manner but man, I can really live with it under the
above named circumstances.
Let me sum up:
We knowingly decided for this workaround and the red button to
- decrease barriers of entry for new users and thus enlarge the community
- avoid redundant support requests.
BTW: Before that decision I checked it in several other similar systems like
OSC, zencart, joomla, phproject etc. and found out that they use exactly
this workaround. Obviously best practice :-)
Due to the above named, I don't really see a reason to change that
behaviour. Maybe we can change the error message for the file permission
check one day...
Do you see my point? ACK?
Regards
Marco
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On behalf of Aurimas
Urbonas
Sent: Tuesday, 3 August 2010 21:27
To: [email protected]
Subject: Re: [oxid-dev-general] System requirements for file rights should be mandatory?
Hi,
what exactly is not secure when config.inc.php is writable by the server? Is
everything more secure if config.inc.php is readonly but core/oxconfig.php
is writable by the server?..
Best regards,
Aurimas
On Tue, Aug 3, 2010 at 3:32 PM, Michael Zender <
[email protected]> wrote:
Hi,
I also think that wrong file permissions should be marked as un-met
system requirements (at least not if the shop works with these 'wrong'
settings).
Giving a hint on the potential security risk would be more appropriate
in my opinion.
Best regards,
Dipl.-Ing. (FH) Michael Zender
Development eCommerce
Technical Project Lead
MOS-TANGRAM AG
Wohlerstrasse 2
CH-5623 Boswil
Phone: +41 (0)56 677 82 20
Fax: +41 (0)56 677 82 99
E-Mail: [email protected]
Internet: http://www.mos-tangram.com
_______________________________________________
dev-general mailing list
[email protected]
http://dir.gmane.org/gmane.comp.php.oxid.general
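
The permission check discussed in this thread, sketched in PHP as an added example; it is not part of any message above and is not OXID eShop code. The function name, the two phase names and the message texts are hypothetical, and the demo runs on a constructed temporary file.

```php
<?php
// Added example, not OXID eShop code. Names and messages are hypothetical.

/**
 * Report the permission state of a config file for a setup routine.
 * $phase is 'before_install' (the file must be writable by the web server)
 * or 'after_install' (the file should be read-only again, e.g. 0644 and
 * owned by a user other than the one PHP runs as).
 */
function checkConfigPermissions(string $path, string $phase): array
{
    clearstatcache(true, $path);          // avoid stale cached stat results
    if (!is_file($path)) {
        return ['ok' => false, 'message' => "$path does not exist."];
    }
    $mode = fileperms($path) & 0777;      // keep only the permission bits
    $modeText = sprintf('%04o', $mode);
    $writable = is_writable($path);       // writable by the user PHP runs as

    if ($phase === 'before_install') {
        if ($writable) {
            return ['ok' => true, 'message' => "$path is writable ($modeText)."];
        }
        // Name the real cause instead of a generic "system requirements" error.
        return ['ok' => false, 'message' =>
            "$path ($modeText) is not writable by the web server user. "
            . "Make it writable for the installation and restore 0644 afterwards."];
    }

    // after_install: flag a file the web server, the group or others can still write.
    if ($writable || ($mode & 0022) !== 0) {
        return ['ok' => false, 'message' =>
            "$path ($modeText) is still writable. Restrict it again, e.g. to 0644."];
    }
    return ['ok' => true, 'message' => "$path is read-only ($modeText)."];
}

// Constructed demo on a temporary file, so no real shop file is touched.
$file = tempnam(sys_get_temp_dir(), 'cfg');
chmod($file, 0444);                       // as uploaded read-only
print_r(checkConfigPermissions($file, 'before_install'));
chmod($file, 0666);                       // left open after the installation
print_r(checkConfigPermissions($file, 'after_install'));
unlink($file);
```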