configure.php permissions changing

[JohnBoyCR]

I am experiencing something strange. Ever since our site was
installed I had the configure.php permissions set to 644.
Everything worked fine. No warning messages that the permissions
needed to be changed. However, the web hosting service
recently made several changes to the PHP configuration and
I started getting a warning message that the configure file
permissions needed to be set to 644 or 444. So, I changed the
permissions to 444. The warning went away. GREAT!
HOWEVER, the next day the warning message was back and when
I looked at the file permissions they were back to 644. How can
that happen? We are being hosted on a Linus server. The PHP
version is 5.2.11. We are running Zen Cart 1.3.8a . The site
owner does not want to upgrade to 1.3.9 at this time.

Is there anything in the Zen Cart code that could be changing the
permissions back to 644 ?

[kuroi]

More likely your web host is running a job that ensures that files don't have permissions that are too wide. If so they will be trying to reduce the permissions on files from (say) 666 to 644, but in your case it's having the opposite effect.

[Website Rob]

There is nothing in Zen Cart code to automatically increase file permissions, however, it is possible your Hoster runs a daily script to automatically check and change file permissions. Explain your situation to your Hoster and they should be able to give you guidance on this.

[JohnBoyCR]

Thanks for the quick replies. I will contact the hosting service
and see what I can do.

However, another question came to mind. Since the
permissions on the configure.php file are set to 644, why am I
now getting the warning message. Could this have something to
do with the security changes made on the server? It really
puzzles me. HMMM!

Again, thanks for the responses.

[JohnBoyCR]

Well, I have one answer to my questions. Yes, the hosting service
runs a cronjob that changes permissions to 644, but it does not
currently take into account permissions that might already be lower.
So that is why the permissions of 444 are being changed to 644.

However, I still do not know why the permission of 644 is causing
me to get a warning message as that permission level is supposed
to be acceptable.

I looked at the code involved, in the init_includes, and the
configure.php file is being tested with the PHP function
"is_writeable()" . In the past, this function apparently returned
"FALSE" for a permission setting of 644 but now is returning TRUE.
This kind of makes sense as the file is writeable by the OWNER.
What I don't understand is why this is only now being seen as
a problem. I know that the hosting service made a number of
changes to the PHP code in order to enhance security so I
suppose that one or more of those changes is now impacting the
response that the "is_writeable()" function returns.

As long as the hosting service can get their cronjob functioning
properly I guess I won't worry too much about it.

Thanks to anybody taking their time to read my ramblings! LOL!

John

[DrByte]

Correct. Since the file is writable by the owner, and PHP is running in a mode that accesses the files AS the owner, PHP is seeing the file as being writable ... which means any PHP script could write to that file, hence the warning.

[JohnBoyCR]

Thanks for the reply. I understand that perfectly. I guess I just
don't know why, for the last two years with the permissions set to
644, I never got the warning message. Oh well. That's why I am
still just en egg ! LOL!

So, here is another dumb question:

If permissions of 644 are okay, as per the Zen Cart installation
procedures, would it make any sense to modify the init_header.php
file so that instead of using the is_writeable() function one could use
the fileperms() function to see if the file permissions were either
644 or 444 ?

Thanks for your help.

[DrByte]

No. Zen Cart doesn't dictate whether the permission should be at 644 or at 444 or at 400 or whatever. That's determined by YOUR individual webserver configuration.

That's why the warning is given and generically tells you to "try" maybe using 644 or 444. The SPECIFIC correct solution for YOUR hosting server is determined by how YOUR hosting company has configured THAT server.

[JohnBoyCR]

Dr Byte,

Thanks for that info. Now I have a better understanding of why the
message just started appearing. The hosting service recently
made changes to increase security on their servers.

Thanks for the feedback.

JohnBoyCr

[Website Rob]

You could ask your Hoster to set your config files permissions to immutable; meaning unchangeable. You will have to make note of it though as you will need them to change it back at some point in the future (if you ever want to edit those files, for example).