Results 11 to 20 of 20
  1. #11
    Join Date
    Jun 2008
    Posts
    328
    Plugin Contributions
    0

    Default Re: OK to have all .php files with 755 permissions?

    Thank you all for your helpful replies. Here is what I discovered so far:

    Quote Originally Posted by DrByte View Post
    FAQ on standard settings for ZC sites: https://www.zen-cart.com/tutorials/index.php?article=9
    I find this FAQ to be very helpful as a security tightening checklist. However, while it calls for the following directories to have world-readable permissions (777):
    ./cache
    ./pub
    ./images
    ./includes/languages/english/html_includes
    ./admin/backups
    ./admin/images/graphs
    I discovered that in my web host's (shared) account they are all set to 755 - and Zen Cart works perfectly. My web host is using suPHP (note that this is neither SUEXEC nor PHPSUEXEC but rather a 3rd variant).

    Does that mean the FAQ needs to be corrected?

    Quote Originally Posted by Website Rob View Post
    If you run the command as you've shown you will have a big mess.
    You are right, of course. It was simply a typo. What I intend to run is the following (in this exact sequence):
    Code:
    cd ~/public_html/<catalog>
    find . -type d -exec chmod -R 755 {} \;
    find . -type f -exec chmod 644 {} \;
    chmod 444 ./includes/configure.php
    chmod 444 ./admin/includes/configure.php
    Do you notice any problem with the above?

  2. #12
    Join Date
    Oct 2006
    Location
    Alberta, Canada
    Posts
    4,571
    Plugin Contributions
    1

    Default Re: OK to have all .php files with 755 permissions?

    I find this FAQ to be very helpful as a security tightening checklist. However, while it calls for the following directories to have world-readable permissions (777):

    ./cache
    ./pub
    ./images
    ./includes/languages/english/html_includes
    ./admin/backups
    ./admin/images/graphs

    I discovered that in my web host's (shared) account they are all set to 755 - and Zen Cart works perfectly. My web host is using suPHP (note that this is neither SUEXEC nor PHPSUEXEC but rather a 3rd variant).

    Does that mean the FAQ needs to be corrected?
    I would say 'updated' as opposed to 'corrected'. The statement/FAQ was probably written at a time when using any variant of 'suexe' for PHP was not as popular as it is now. It wasn't too long ago when running PHP as an Apache module was the norm. This also goes back to what I stated in Post #6 of this thread, regarding wide open permissions and making hacking so easy. This is part of the reasoning behind running PHP as CGI. It is much more secure and there is a lot less hacking going on.

    The problem though, with updating the FAQ you mentioned, is trying to explain to non-technical people how to figure out if PHP is run as CGI. I can only presume it will happen at some point.



    What I intend to run is the following (in this exact sequence):

    cd ~/public_html/<catalog>
    find . -type d -exec chmod -R 755 {} \;
    find . -type f -exec chmod 644 {} \;
    chmod 444 ./includes/configure.php
    chmod 444 ./admin/includes/configure.php

    Do you notice any problem with the above?
    As 'find' is recursive by nature, you do not need the -R switch.


    Also, due to the sweeping nature of the 'find' command, many find using the full path helps to prevent errors.

    Note; run these commands one at a time and wait till finished.

    find /home/userID/public_html/zencartDir/ -type d -exec chmod 0755 {} \;
    find /home/userID/public_html/zencartDir/ -type f -exec chmod 0644 {} \;
    chmod 0444 /home/userID/public_html/zencartDir/includes/configure.php
    chmod 0444 /home/userID/public_html/zencartDir/admin/includes/configure.php


    It does make it easy as well when using the 'history' command and also saves having to jump all over the place from using the 'cd' command -- at least from a Server Admin POV.
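
The permission baseline discussed in this post, as an added example that is not part of the original thread: it lists everything carrying the world-write bit (the last digit of 777 or 666) and then applies 0755/0644/0444, so the result can be checked rather than assumed. The function names and the demo tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# List every file or directory under $1 that has the "other: write" bit set.
audit_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}

# Apply the baseline from the post: directories 0755, files 0644,
# and the two configure.php files read-only (0444) when they exist.
apply_baseline() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
    for cfg in includes/configure.php admin/includes/configure.php; do
        if [ -f "$root/$cfg" ]; then chmod 0444 "$root/$cfg"; fi
    done
}

# Constructed sample tree (runs in a subshell so the caller's umask is untouched).
make_demo_tree() (
    umask 022
    demo=$(mktemp -d) || exit 1
    mkdir -p "$demo/images" "$demo/cache" "$demo/includes" "$demo/admin/includes"
    : > "$demo/index.php"
    : > "$demo/images/logo.gif"
    : > "$demo/includes/configure.php"
    : > "$demo/admin/includes/configure.php"
    chmod 0777 "$demo/images" "$demo/cache"   # the setting the FAQ calls for
    chmod 0666 "$demo/images/logo.gif"
    echo "$demo"
)
```

Running `audit_world_writable` before and after `apply_baseline` shows exactly which paths changed; an empty result afterwards means nothing under the tree is writable by other accounts.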

  3. #13
    Join Date
    Jul 2005
    Posts
    537
    Plugin Contributions
    0

    Default Re: OK to have all .php files with 755 permissions?

    Some days I hate the differences between so many possible server configurations!

    Although, I do admit I've been much happier on suPHP since there's fewer permissions settings to change. And I'm told it's less vulnerable to hacking. So, it's all good.

  4. #14
    Join Date
    Jun 2007
    Location
    Eustis, Florida, USA, EARTH
    Posts
    836
    Plugin Contributions
    0

    Default Re: OK to have all .php files with 755 permissions?

    I went in and changed all my permissions according to FAQ and now the site is down and attempting to change permissions using webshell3 or filezilla is to no avail.

    I can't get my site back. Help.

  5. #15
    Join Date
    Feb 2005
    Location
    Lansing, Michigan USA
    Posts
    20,024
    Plugin Contributions
    3

    Default Re: OK to have all .php files with 755 permissions?

    What error messages are you seeing?

  6. #16
    Join Date
    Oct 2006
    Location
    Alberta, Canada
    Posts
    4,571
    Plugin Contributions
    1

    Default Re: OK to have all .php files with 755 permissions?

    Quote Originally Posted by pixelpadre View Post
    I went in and changed all my permissions according to FAQ and now the site is down and attempting to change permissions using webshell3 or filezilla is to no avail.

    I can't get my site back. Help.
    Two questions;
    - what is the URL to the FAQ you went by
    - what prompted you to suddenly change all permissions

    Answers to the above will help in providing information we can use to help you.

  7. #17
    Join Date
    Jun 2007
    Location
    Eustis, Florida, USA, EARTH
    Posts
    836
    Plugin Contributions
    0

    Default Re: OK to have all .php files with 755 permissions?

    A. FAQ is at the top of this page.

    A. Wanted to make my site as secure as possible.

  8. #18
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: OK to have all .php files with 755 permissions?

    Quote Originally Posted by pixelpadre View Post
    ... now the site is down
    Um, what exactly do you mean by "down"?

    Are you getting blank screens?
    Error messages?

    Surely there's more to the symptoms than just a vague "my site is down"?
    It's really hard to help when you give nothing to go on ...
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  9. #19
    Join Date
    Jun 2007
    Location
    Eustis, Florida, USA, EARTH
    Posts
    836
    Plugin Contributions
    0

    Default Re: OK to have all .php files with 755 permissions?

    Well, my symptom was a blank white page. Since then I went with the magic of Ultraedit and batch deleted much of the inserted text at the bottom of every file. I still have files with a different string to remove but ultraedit cannot do it because the text to be removed includes ASCII strings which fake the software into saying we find no occurrences. All of my images have been infected as well....chmod 777 images directory?

    My mistake seems to be assigning 777 to the directories as advised in the FAQ for zen folder permissions.

    This nasty infection went clear through my root directory, infecting every website I own.

  10. #20
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: OK to have all .php files with 755 permissions?

    It might be even more thorough to use a clean set of backup files, rather than mass-editing files to only remove obvious damage. What happens if you miss something they didn't do using the same pattern?
    If someone is doing malicious activity when you've got certain folders set to 777 permissions, then the server itself is at risk, not just your site. You can certainly override the 777 with something lower such as 755, but you'll lose the ability to upload images or edit define pages via your admin. And customers won't be able to upload files with their orders (if you're using that feature).

    FAQ on Recovering from Hack Attempts: http://www.zen-cart.com/wiki/index.p...ing_From_Hacks

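The point made in the last post, that mass-editing only removes damage matching a known pattern, can be checked by comparing the live tree against a clean backup file by file. This is an added example, not part of the original thread; it assumes GNU `sha256sum` is available, and the function names and demo trees are hypothetical and constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and paths are hypothetical.

# Print "hash  ./relative/path" for every regular file under $1.
manifest() (
    cd "$1" || exit 1
    find . -type f -exec sha256sum {} +
)

# Compare a clean backup ($1) with the live tree ($2).
# Prints one line per difference: ADDED, MISSING or MODIFIED plus the path.
compare_trees() {
    clean_m=$(mktemp) || return 1
    live_m=$(mktemp) || return 1
    manifest "$1" > "$clean_m"
    manifest "$2" > "$live_m"
    awk '
        FILENAME == ARGV[1] { h = $1; sub(/^[^ ]+ +/, ""); clean[$0] = h; next }
        { h = $1; sub(/^[^ ]+ +/, ""); seen[$0] = 1
          if (!($0 in clean)) print "ADDED " $0
          else if (clean[$0] != h) print "MODIFIED " $0 }
        END { for (p in clean) if (!(p in seen)) print "MISSING " p }
    ' "$clean_m" "$live_m" | LC_ALL=C sort
    rm -f "$clean_m" "$live_m"
}

# Constructed sample: a clean backup and a live copy that has drifted from it.
make_demo_pair() (
    w=$(mktemp -d) || exit 1
    mkdir -p "$w/clean/includes" "$w/clean/images"
    echo '<?php // index' > "$w/clean/index.php"
    echo '<?php // header' > "$w/clean/includes/header.php"
    echo 'User-agent: *' > "$w/clean/robots.txt"
    cp -R "$w/clean" "$w/live"
    echo '<!-- appended text -->' >> "$w/live/includes/header.php"  # changed file
    echo '<?php // not in backup' > "$w/live/images/extra.php"      # extra file
    rm "$w/live/robots.txt"                                         # deleted file
    echo "$w"
)
```

Any `ADDED` or `MODIFIED` line is a file that a pattern-based cleanup could have missed; restoring from the backup and re-running the comparison should produce no output.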