Folder Permissions After Install Must Be 755!

Hi Guys,



In your installation guide, you say that the folder permissions of var, design and images must be 777 when installing CS-Cart. After the installation you say that the files and folders must be changed as below:



chmod 644 config.local.php

chmod 644 design/.htaccess images/.htaccess

chmod 664 var/.htaccess var/themes_repository/.htaccess

chmod 644 design/index.php images/index.php

chmod 664 var/index.php var/themes_repository/index.php

see: CS-Cart Documentation — CS-Cart 4.15.x documentation



You don't say that all folders must be changed to 755. When leaving the folders at 777 you open the door for hackers!

And the .htaccess should be 444 if possible.

See this bugtracker posting…

http://forum.cs-cart.com/tracker/issue-5176-421-installer-now-required-777-and-666-permissions-security-issue/



They should NOT be requiring 777/666 for installation, they should be checking that they can perform the operations they need to perform (i.e. create a new file, delete an existing file).



In addition, they also have the setgid bit set on some directories in the install archive. If the archive is extracted by root, those bits remain set, which is also a big security issue.
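The posts above recommend 755 for directories, 644 for files and 444 for .htaccess, and warn that setgid bits from the archive survive a root extraction. As an added example (not from this thread and not CS-Cart's own code), here is a POSIX shell helper that applies those modes to a store root and audits what is left over. The function names and the /var/www/cscart path are hypothetical. One caveat it handles explicitly: GNU chmod keeps a directory's setuid/setgid bits when given a numeric mode such as 755, so the bits are cleared with a symbolic mode afterwards.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of CS-Cart).
# harden_perms ROOT: directories 755, files 644, .htaccess 444, and no
# setuid/setgid bits left on directories.
harden_perms() {
  root=$1
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # .htaccess after the generic file pass so the stricter mode wins
  find "$root" -type f -name .htaccess -exec chmod 444 {} +
  # GNU chmod preserves setuid (4000) / setgid (2000) on directories when
  # given a numeric mode, so clear them explicitly with a symbolic mode.
  find "$root" -type d \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} +
}

# audit_perms ROOT: print world-writable entries (o+w = 0002) and
# setuid/setgid directories, then the number of findings on the last line.
audit_perms() {
  root=$1
  find "$root" \( -perm -0002 -o \( -type d \( -perm -4000 -o -perm -2000 \) \) \) -print |
    wc -l | tr -d ' '
}

# count_findings ROOT: just the number, for scripting.
count_findings() {
  audit_perms "$1" | tail -n 1
}

# Usage (the path is an assumption):
#   harden_perms /var/www/cscart && count_findings /var/www/cscart
```

Run it as the account that owns the files (or as root), then re-check with `count_findings`; a non-zero result after hardening means something outside the root's own tree, such as a symlinked directory, still needs attention.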

Did you check if cs-cart works with the permissions below?



all files: 644

design, var, images folders: 755

.htaccess: 444



I am now creating a new shop with these settings to check it.

There are two factors that come into play:

  1. The “mode” that PHP is running in. Most instances today run as “suPHP” which means they run as the user of the cpanel account. The other common mode is “DSO” which runs as owner Apache and group nobody.
  2. The ownerships (owner and group) of the files must be correct based on the hosting environment.



If a site is set up correctly you can run in 750/640 permissions without problem.



This new enforced requirement of the cs-cart installation only makes properly set up sites less secure to achieve a lowest common denominator. They can solve both problems by just checking the ability to create/modify/delete files during the installation check versus looking at the permissions themselves. It is a lazy solution to a support problem. Note that the archive itself doesn't even have the required permissions set.



It's just like changing the admin name. It should be a setup step so it's done automatically versus having the customer have to change filenames and adjust config files…
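Two posts in this thread make the same point: an installer should test whether it can actually create, modify and delete files in var, design and images instead of comparing mode bits against 777/666. As an added example (not the thread's or CS-Cart's code), here is a shell probe that does exactly that. It has to run as the user PHP runs as (the suPHP versus DSO distinction above), which is why it prints the effective user; the function names and directory list are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of CS-Cart's installer).
# probe_writable DIR: succeed only if this user can create, modify and
# delete a file in DIR. Mode bits are never consulted; with suPHP a 755
# directory owned by the account passes, with DSO it may not, and that
# is the information the installer actually needs.
probe_writable() {
  dir=$1
  probe="$dir/.perm_probe.$$"
  [ -d "$dir" ] || return 1
  ( : > "$probe" ) 2>/dev/null || return 1                        # create
  echo probe >> "$probe" 2>/dev/null || { rm -f "$probe"; return 1; }  # modify
  rm -f "$probe" 2>/dev/null || return 1                          # delete
  [ ! -e "$probe" ]                                               # really gone
}

# check_install_dirs ROOT: probe the directories the installer writes to.
# Prints one line per directory; returns the number of failures.
check_install_dirs() {
  root=$1
  failed=0
  for d in var design images; do
    if probe_writable "$root/$d"; then
      echo "ok   $root/$d"
    else
      echo "FAIL $root/$d (cannot create/modify/delete as $(id -un))"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Usage (path is an assumption): run as the PHP user, e.g. via su or
# from a PHP-invoked shell, not as root, or the result is meaningless.
#   check_install_dirs /var/www/cscart
```

The probe file is created in the target directory itself rather than in a temp location because the question is about that directory's ownership and mode, and it is removed even on the failure path so a half-run never leaves debris behind.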