Hi all,
After having my old 2.x site hacked I have upgraded to 3.0.1 and started over.
I'm going through now & wanting to make sure I don't get any problems this time around so want to get the permissions & security setup right.
By default pretty much all of the directories seem to be set to 755, but the Security Directory Permissions tool in my admin panel seems to think they are all writable? The problem I am having when I try to change any permissions is that I am then locked out of my admin panel.
I've read through some of the posts on here suggesting that all files should be set to 644 etc, but as soon as I do that I can't access my admin panel.
Hopefully someone can offer some advice please.
Thanks
Jon
setting permissions
Started by jonhomer, Apr 19 2011, 09:39
10 replies to this topic
#1
Posted 19 April 2011, 09:39
#2
Posted 19 April 2011, 11:01
jonhomer, on 19 April 2011, 09:39, said:
After having my old 2.x site hacked I have upgraded to 3.0.1 and started over.
3 is not suitable for use on any live shop, unless the shop owner is a hardcore php developer.
2.3.1 is where you should be for now.
HPDL; v3.0 does not contain a full user feature set to be able to run an online store on
Sparky; anyone that jumps into something which isn't even proven is asking for trouble [...] we will learn a lot before I would use it for "end users", I'm hoping the community will help shape what it becomes
A question to you, now that you are on 3. Have you tried adding a new category to your shop?
The Dirty Little Secrets that no osCommerce template sellers want you to know...revealed...
Support is commercially available. The question is whether you value your business
highly enough to spend money on it.
For commercial support from known developers who support osCommerce
ethos, please post at http://forums.oscommerce.com/forum/79-commercial-support/
#3
Posted 19 April 2011, 11:18
jonhomer, on 19 April 2011, 09:39, said:
I'm going through now & wanting to make sure I don't get any problems this time around so want to get the permissions & security setup right.
By default pretty much all of the directories seem to be set to 755, but the Security Directory Permissions tool in my admin panel seems to think they are all writable? The problem I am having when I try to change any permissions is that I am then locked out of my admin panel.
I've read through some of the posts on here suggesting that all files should be set to 644 etc, but as soon as I do that I can't access my admin panel.
Hopefully someone can offer some advice please.
Thanks
Jon
The problem is that there are essentially two methods used by webhosts to configure webservers. Most scripts like osCommerce cater to the standard method, where directory permissions of 755 are read only and file permissions of 644 are also read only. However, there is another major method that webhost companies are using to configure their servers, in which 755 is writable for directories and 644 is writable.
Read more here
http://forums.oscommerce.com/topic/373047-a-chat-about-file-permissions/
In the second method of configuration, permissions are less of an issue, but you run into problems when a script demands a file be read only when some hosts disallow that setting. The problem is that most developers are not overly familiar with this type of configuration and do not realise that file permissions are not the same security protection as they are with the first method.
Yes, you can make a file read only by changing its permissions to 444, but PHP, which has owner permissions, can change the permissions back to writable.
The thing to understand with method two is that permissions are no longer the way a virtual webhost is secured against attacks.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Ignore this link - just a honeypot site to test my ideas out for osC_Sec and allow the site to be picked up by attackers.
- Fix the admin login bypass exploit here
#4
Posted 19 April 2011, 11:27
Sorry guys, this was posted in the wrong forum. I am actually running 2.3.
I've asked a mod to delete this post.
#5
Posted 19 April 2011, 12:17
OK, so just to confuse the issue the moderator has deleted my corrected post & moved the original post into this forum.
So if I may start again.
The Security Directory Permissions tool in my admin panel is showing that all of my directories are writable. I've checked & they are all set to 755 except the 2 configure.php files. If I then try to change any of those permissions I get locked out of the relevant directory.
Do I need to worry about what the security tool is telling me or is 755 an acceptable & safe setting to use across the board?
My apologies for the convoluted way of getting to the point.
Jon
#6
Posted 19 April 2011, 17:32
755 for directories, 644 for files, except the configure.php files, which should be 444 or 400 (if they work on 400).
Files rarely work if they are not readable; directories rarely allow files to be read if they (the folder) are not executable.
There is no documentation for the Security Directory Permissions tool, so who knows what it is supposed to be telling you.
Currently...:
Working with osCommerce 2.3.1
Add-Ons so far Installed:
Add date and order number to invoice and packing slip,
Products Cycle Slideshow,
Detailed Monthly Sales,
Holiday Settings,
Tracking Module for 2.3
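The modes recommended in this thread (755 directories, 644 files, 444 or 400 for the configure.php files) and the earlier point that code running as the file owner can still write into 755 directories and re-chmod a 444 file can both be checked from a shell. This is an added example, not part of any post and not osCommerce code; the output tags and the sample tree are constructed for illustration, and it should be run as the account PHP runs under.

```shell
#!/bin/sh
# Added example: compare a shop tree with the modes advised in this thread and
# show what the account running the script can actually change.

audit_perms() {
    root=$1
    # Mode bits that differ from the advice: 755 dirs, 644 files,
    # 444 or 400 for the configure.php files.
    find "$root" -type d ! -perm 755 -exec echo MODE_DIR {} \;
    find "$root" -type f ! -name configure.php ! -perm 644 -exec echo MODE_FILE {} \;
    find "$root" -type f -name configure.php ! -perm 444 ! -perm 400 \
        -exec echo MODE_CONFIG {} \;
    # Effective access: directories this user can write to, whatever the
    # octal mode looks like. This is the question a writability check answers.
    find "$root" -type d -exec sh -c \
        'for d in "$@"; do if [ -w "$d" ]; then echo "WRITABLE_DIR $d"; fi; done' sh {} +
    # configure.php files owned by this user: the owner can chmod them back
    # to writable, so 444 is no barrier to code running as the owner.
    find "$root" -type f -name configure.php -user "$(id -u)" \
        -exec echo OWNER_CAN_CHMOD {} \;
}

# Constructed sample tree (not a real shop), laid out like the paths in the thread.
make_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/includes" "$t/admin/includes" "$t/images"
    echo '<?php' > "$t/includes/configure.php"
    echo '<?php' > "$t/admin/includes/configure.php"
    echo '<?php' > "$t/index.php"
    chmod 755 "$t" "$t/includes" "$t/admin" "$t/admin/includes"
    chmod 777 "$t/images"
    chmod 644 "$t/index.php" "$t/admin/includes/configure.php"
    chmod 444 "$t/includes/configure.php"
    echo "$t"
}

# Audit the directory given as an argument, or the constructed sample if none.
if [ "$#" -gt 0 ]; then
    audit_perms "$1"
else
    sample=$(make_sample)
    audit_perms "$sample"
    rm -rf "$sample"
fi
```

When the script runs as the file owner, every 755 directory appears as WRITABLE_DIR even though its mode matches the advice, which is consistent with an admin tool reporting such directories as writable.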
#8
Posted 30 January 2012, 06:39
Hi, I'm new to osCommerce; I don't know whether this is the right area to post my problem or not.
Initially I developed my osCommerce site on my localhost, which works fine, but when I moved the project to my office staging server (122.183.93.234)
What are the changes to be made in the admin/include/configure.php file?
Quick reply will be appreciated.
Thanks
#9
Posted 30 January 2012, 06:49
@kranthi,
You will need to set the actual path. The actual path depends on your server configuration and could be something like this:
/home/content/sitename/public_html/
You will need to set the actual paths in both the /includes/configure.php and the /admin/includes/configure.php files.
Chris
:|: Was this post helpful ? Click the LIKE THIS button :|:
:|: Click Here to learn how I can help you with custom coding, add ons, security and templates :|:
:|: Need an Area Calculator, Pre-Paid Account, Virtual Pin, Auction or Layaway Add on ? Click Here :|:
#10
Posted 30 January 2012, 07:42
Thank you Chris for your quick reply. Finally I got the path, which is like '/opt/lamp/htdocs/website/'. Thank you for your response once again.
#11
Posted 30 January 2012, 07:48
Hi Chris, GM, do you have any idea about any chat applications which suit osC 2.3.1 projects? My client is asking for a chat application in the project.
Quick reply will be appreciated........
kranthi......














