  1. #1
    Join Date
    Sep 2004
    Posts
    2,420
    Plugin Contributions
    2

    Re: Hacked?

    Quote Originally Posted by Vger:
    Permissions on folders should not be higher than 755.

    Correct.

    As stated in /docs/important_site_security_recommendations.html in the Zen Cart distribution and also at https://www.zen-cart.com/tutorials/index.php?article=73:
    9. Protect your "images" and other folders

    During initial installation, you are advised to set your images folder to read/write, so that you can use the Admin interface to upload product/category images without having to use FTP for each one. Similar recommendations are made to other files for various reasons.

    However, leaving the images (or any other) folder in read/write mode means that hackers might be able to put malicious files in this (or other) folder(s) and thus create access points from which to attempt nasty exploits.

    Thus, once your site is built and your images have been created/loaded, you should drop the security down from read/write to read. ie: change from CHMOD 777 down to 644.

    File/Folder permissions settings

    On Linux/Unix hosts, generally, permission-setting recommendations for basic security are:

    * folders/directories: 755
    * files: 644

    On Windows hosts, setting files read-only is usually sufficient. Should double-check that the Internet Guest Account has limited (read-only) access.
    However, the FAQ article at https://www.zen-cart.com/tutorials/index.php?article=9 currently says:
    Change the permissions to the needed setting for the following folders to 777:
    (If prompted whether to include files/folders underneath them (also called "recursive"), say or check "Yes")

    /cache
    /pub
    /images
    /includes/languages/english/html_includes
    /admin/backups
    /admin/images/graphs
    This last doc probably should be edited to clarify directory vs. file permissions settings and updated with info in regards to securing permissions after installation.

    -Woody

  2. #2
    Join Date
    Jan 2004
    Posts
    66,444
    Plugin Contributions
    279

    Re: Hacked?

    "This last doc probably should be edited to clarify directory vs. file permissions settings and updated with info in regards to securing permissions after installation.

    -Woody"

    The FAQ #9 has been updated.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Sep 2004
    Posts
    2,420
    Plugin Contributions
    2

    Re: Hacked?

    Quote Originally Posted by DrByte:
    The FAQ #9 has been updated.
    Good show Dr. Byte,

    While we're on the subject of directory permission settings, what are the implications of chmod 755 on the following directories:

    /cache
    /pub

    Will Zen Cart functionality be negatively impacted?

    Regarding making instant downloads available, what is to be expected?

    And will a negative impact occur when applying the same permissions to /bmz_cache (ImageHandler 2)?

    Sorry for hijacking this thread. Please move if needed.

    Woody

  4. #4
    Join Date
    Jan 2004
    Posts
    66,444
    Plugin Contributions
    279

    Re: Hacked?

    Quote Originally Posted by Woodymon:
    While we're on the subject of directory permission settings, what are the implications of chmod 755 on the following directories:

    /cache
    /pub

    Will Zen Cart functionality be negatively impacted?

    Regarding making instant downloads available, what is to be expected?
    You may want to note that explaining this information here is like giving away ideas to hackers. But, since you asked ... here goes ...

    The cache folder is used to cache data needed by the server to help speed up frequently-used SQL queries and login-session data. It MUST be writable.
    However, for those with advanced understanding about how to move folders outside the "webroot" this folder can be safely relocated to be of less risk to the hackers who only understand or desire to play around in public_html etc. Moving it also makes one less point of possible entry for hackers to play with.

    The pub folder is used for serving downloads via redirect. If it's not writable then your downloads will not work in "by redirect" mode. If you choose to turn off "redirect" mode then your customers will be provided with EXACT path download information to grab a copy of your precious electronic products in the downloads folder, meaning they can share the URL with all their friends and stop buying products from your store.

    As you can see, there are specific intentional functional reasons for these folders to be writable.

    And will a negative impact occur when applying the same permissions to /bmz_cache (ImageHandler 2)?
    Same issue. Your server will not be able to store or cache any images via the IH2 toolset. It can read them, but not save any updates or optimize any existing items in its cache.
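As an added example (not from this thread or from the Zen Cart project), the script below audits a web root against the recommendation quoted in post #1 (directories 755, files 644) while exempting the folders post #4 says must stay writable for the store to function. The function name, the exemption list and the output format are assumptions for illustration; the exemption list should be adjusted to what a given site actually runs (for example, a site that has relocated /cache outside the web root, as DrByte suggests, no longer needs that entry).

```shell
#!/bin/sh
# Added example: audit a Zen Cart web root for permissions that deviate
# from the recommended 755 (directories) / 644 (files) settings.
# Folders the thread says must remain writable are skipped entirely, so
# their deliberate 777 settings are not reported as findings.

# Assumed exemption list (relative to the web root), taken from post #4:
# cache and pub are required by Zen Cart, bmz_cache by ImageHandler 2.
WRITABLE_OK="cache pub bmz_cache"

# audit_perms WEBROOT
# Prints one line per deviation as "<ls-style mode> <path>".
# Returns 0 when nothing deviates, 1 when at least one item was reported.
audit_perms() {
    root=${1%/}                      # drop a trailing slash, if any

    # Build "-path ROOT/dir -prune -o" clauses so find never descends
    # into (or reports) the intentionally writable folders.
    set -- "$root"
    for d in $WRITABLE_OK; do
        set -- "$@" -path "$root/$d" -prune -o
    done

    # Anything that is a directory but not exactly 755, or a file but
    # not exactly 644, is an offender. The web root itself is checked too.
    offenders=$(find "$@" \( -type d ! -perm 755 -o -type f ! -perm 644 \) -print)
    [ -z "$offenders" ] && return 0

    # Report each offender with its current mode (first field of ls -ld,
    # which is portable across Linux and BSD, unlike stat's format flags).
    printf '%s\n' "$offenders" | while IFS= read -r p; do
        printf '%s %s\n' "$(ls -ld "$p" | cut -c1-10)" "$p"
    done
    return 1
}

# Usage: sh audit_perms.sh /path/to/public_html
if [ $# -gt 0 ]; then
    audit_perms "$1"
fi
```

Run it once the site is built and the images are loaded, i.e. at the point the quoted document says to drop write access; anything it lists in /images, /includes or elsewhere outside the exemption list is a candidate for tightening. A world-writable file appearing under /images after the site went live is exactly the kind of change post #1 warns about, so the output is also worth keeping for comparison between runs.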

 

 
