  1. #1
    Join Date
    Jun 2008
    Posts
    328
    Plugin Contributions
    0

    OK to have all .php files with 755 permissions?

    As they come "out of the box", all .php files (under /includes/modules, for example) have permissions of 755.

    I know about the requirement of changing the two configure.php files ASAP to 444 or 644 -- done already.

    But what about all the others? Is this OK (from security standpoint) to leave them at 755?

    If not, then why do they default to 755?

  2. #2
    Join Date
    Feb 2005
    Location
    Lansing, Michigan USA
    Posts
    20,024
    Plugin Contributions
    3

    Re: OK to have all .php files with 755 permissions?

    Other than the configure.php files, I leave all file and folder permissions as they are during installation, and haven't had a problem.

  3. #3
    Join Date
    Jun 2008
    Posts
    328
    Plugin Contributions
    0

    Re: OK to have all .php files with 755 permissions?

    Thanks for your quick answer. I am in the process of applying some of the post v1.3.8a bugfixes and when I upload the corrected files, I notice that they have 644. That's how I noticed that all other files have 755 while the ones that I upload manually have 644. I was just wondering whether this has any significance at all.

  4. #4
    Join Date
    Oct 2006
    Location
    Alberta, Canada
    Posts
    4,571
    Plugin Contributions
    1

    Re: OK to have all .php files with 755 permissions?

    For all kinds of reasons I would say it is a problem.

    Directories with 755 is a good thing.
    Files with 644 is a good thing.

    Files with 755 permissions should be in a protected directory, such as the 'cgi-bin' for example.

    Best to use your FTP program to upload the files, which will change permissions to the correct ones used by the Server your Hosting account is on.

    Just a guess, did you use Fantastico to install Zen Cart?

  5. #5
    Join Date
    Jun 2008
    Posts
    328
    Plugin Contributions
    0

    Re: OK to have all .php files with 755 permissions?

    Thank you Rob. I think that your guess was right on the money: I didn't install Zen Cart myself but it was rather installed by my web host's tech support. It's likely that they used Fantastico because this is one of the tools they offer.

    What you say about "Files with 755 permission" makes sense. My question really was whether /includes/modules is considered a protected directory?

  6. #6
    Join Date
    Oct 2006
    Location
    Alberta, Canada
    Posts
    4,571
    Plugin Contributions
    1

    Re: OK to have all .php files with 755 permissions?

    /includes/modules is not a protected dir. by default.

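    You can secure manually with an .htaccess file but I'm not sure if it will cause other problems.

    # Apache 2.2 access-control syntax: refuse HTTP requests for .php files here unless they come from localhost
    <Files *.php>
    Order Deny,Allow
    Deny from all
    Allow from localhost
    </Files>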

    My point is/was that no PHP files need to have 755 permissions and on some Servers, running suPHP for example, it will cause problems and/or the files will just not work, period.

    Script installers of many kinds (Fantastico, Joomla, Mambo for example) use the Shotgun method and apply a "one size fits all" method of installing. They create files with 755 permissions, including images, for some unknown reason, and sometimes create directories & files with Ownership of 'nobody'. This is a big reason why so many sites get hacked.

  7. #7
    Join Date
    Jun 2008
    Posts
    328
    Plugin Contributions
    0

    Re: OK to have all .php files with 755 permissions?

    Once again, thank you so much Rob for this clarification. Before I go ahead and perform a sweeping:
    Code:
    chmod -R 644 * ~/public_html/store/*
    Is there any file in the Zen Cart system that should not be 644?

  8. #8
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: OK to have all .php files with 755 permissions?

    Files are generally 644 and folders are 755. That's for normal operation.

    Certain files to be marked read-only are often set to 444 or in some cases 400.

    If certain files need to be set read-write, the common setting is 777, but in the case of certain server configurations such as suphp it's often 755 for those specific files.


    FAQ on standard settings for ZC sites: https://www.zen-cart.com/tutorials/index.php?article=9

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  9. #9
    Join Date
    Oct 2006
    Location
    Alberta, Canada
    Posts
    4,571
    Plugin Contributions
    1

    Re: OK to have all .php files with 755 permissions?

    Quote: Originally posted by zcnb
    Once again, thank you so much Rob for this clarification. Before I go ahead and perform a sweeping:
    Code:
    chmod -R 644 * ~/public_html/store/*
    Is there any file in the Zen Cart system that should not be 644?

    If you run the command as you've shown you will have a big mess.

    This would be better:
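    cd /public_html/store/
    # -R with ./*.php only matches names in this directory; find also reaches .php files in subdirectories
    find . -type f -name '*.php' -exec chmod 644 {} +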


    DrByte, I would have to disagree with your statement on some/any PHP files needing 755 permissions, but then I don't work with as many different OSs as you do.

    With Linux and running any version of 'suexe' for PHP, such as suPHP, permissions of 644 is good enough for allowing the account Owner to write. This also includes scripts used/owned by the account Owner.
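
Added example (not part of any post in this thread and not Zen Cart project code): the settings discussed in posts #8 and #9, directories 755, files 644 and configure.php read-only, applied with find so that directories keep their search bit, together with an audit that lists whatever deviates. The function names and the sample tree are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. Policy from the thread: dirs 755, files 644, configure.php 444.

# List files with any execute bit or group/other write bit, and
# directories that are group- or other-writable.
audit_perms() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \
        -o -perm -020 -o -perm -002 \) -print
    find "$1" -type d \( -perm -020 -o -perm -002 \) -print
}

# Directories and files are handled separately: a blanket "chmod -R 644"
# would also strip the search (x) bit from every directory it touches.
normalize_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type f -name configure.php -exec chmod 444 {} +
}

# Constructed sample tree imitating a script-installer result (everything 755).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/includes/modules" "$t/admin/includes" "$t/images"
    : > "$t/index.php"
    : > "$t/includes/configure.php"
    : > "$t/admin/includes/configure.php"
    : > "$t/includes/modules/sample module.php"
    : > "$t/images/logo.gif"
    chmod -R 755 "$t"
    chmod 777 "$t/images"
    printf '%s\n' "$t"
}

# Demo on the constructed tree only: sh perms.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "before:"; audit_perms "$tree"
    normalize_perms "$tree"
    echo "after:";  audit_perms "$tree"
    rm -rf "$tree"
fi
```

normalize_perms also resets any path the store must be able to write to, so the read-write setting described in post #8 has to be reapplied to those paths afterwards.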

  10. #10
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: OK to have all .php files with 755 permissions?

    Quote: Originally posted by Website Rob
    DrByte, I would have to disagree with your statement on some/any PHP files needing 755 permissions, but then I don't work with as many different OSs as you do.

    With Linux and running any version of 'suexe' for PHP, such as suPHP, permissions of 644 is good enough for allowing the account Owner to write. This also includes scripts used/owned by the account Owner.

    With proper implementations of suEXE/suPHP, I'd agree with you.

    What would be even better is a standard server configuration which everyone could expect to be easy to use, configure, and still be secure. Alas, we can't have everything now can we?