
Locking The Configuration File


flyzone


Hello there, 

I just moved from OpenX 2.8.10 to Revive 3.0.2

The process was smooth and all seems to work just fine except for locking down the conf.php file.

 

With the FTP I changed

/var/www.myserver.com.conf.php from 777 to 644

but when I log into the Revive back-end from the browser and I go into the admin area and modify the settings, the system is reporting that the conf file is not locked and I should do so in order to secure it.

 

I can modify each setting no problem.

 

I modify the file permission several times just to see if it makes any difference, but the system is still reporting the file as unlocked.

 

Any suggestion?

 

Thanks

A.

Link to comment
Share on other sites

With the FTP I changed

/var/www.myserver.com.conf.php from 777 to 644

Sometimes, due to cache settings, file permissions may not be changed.

 

Now /var/www.myserver.com.conf.php is 644?

Link to comment
Share on other sites

Still, this doesn't explain why it used to work with 644 in the past, and not now.

 

If the old file had a different owner it would make sense. The owner of the file now must be the same user as the user that runs the webserver.

 

If it is a multiuser system you should also change the permission of the file to 440 or even 400 so that not everyone with access to the server can read the configuration file with the DB password inside.

Link to comment
Share on other sites

  • 4 months later...

The conditional test in the isConfigWritable() method that checks the config file permissions in 3.0.4 uses is_writable(), which only checks whether PHP can write to the file or not. I don't know if the method has been rewritten in some recent update, but it would probably need to be modified to use fileperms() and specifically test for 644 if that's what the intent is. When the perms are set to 444, even the admin user cannot make changes to the configurations in the admin interface without first resetting the perms.

 

It should be noted that this official thread indicates that a secure installation's config file should be 444:

http://forum.revive-adserver.com/topic/112-securing-revive/?hl=%2Bconfiguration+%2Bfile

Link to comment
Share on other sites
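
The difference the last post describes between is_writable() and the mode bits returned by fileperms(), together with the ownership point from the earlier reply, shown as an added example. This is not Revive's code: describeLockState() and the temporary stand-in file are hypothetical, and the script is assumed to run as an unprivileged user on a POSIX system.

```php
<?php
// Added example, not Revive Adserver code. A temporary file stands in for
// the real configuration file so nothing on the server is touched.

/**
 * Report a file's lock state two ways: what the PHP process can actually do
 * (is_writable) and what the permission bits say (fileperms).
 */
function describeLockState(string $path): array
{
    clearstatcache(true, $path);        // PHP caches stat() results within a request
    $mode = fileperms($path) & 0777;    // keep only the rwx bits

    return [
        'mode'           => sprintf('%03o', $mode),
        // Effective access for the user PHP runs as. A privileged process
        // can get true here regardless of the mode bits.
        'php_can_write'  => is_writable($path),
        // True if any of the owner/group/other write bits is set.
        'any_write_bit'  => ($mode & 0222) !== 0,
        // True if users outside the owner and group can read the file.
        'world_readable' => ($mode & 0004) !== 0,
        // Ownership decides whether the owner write bit applies to PHP.
        'owned_by_php'   => function_exists('posix_geteuid')
            ? fileowner($path) === posix_geteuid()
            : null,
    ];
}

$path = tempnam(sys_get_temp_dir(), 'conf');            // constructed stand-in file
file_put_contents($path, "; constructed sample config\n");

foreach ([0644, 0444, 0400] as $mode) {
    chmod($path, $mode);
    $s = describeLockState($path);
    printf(
        "%s  php_can_write=%s  any_write_bit=%s  world_readable=%s  owned_by_php=%s\n",
        $s['mode'],
        var_export($s['php_can_write'], true),
        var_export($s['any_write_bit'], true),
        var_export($s['world_readable'], true),
        var_export($s['owned_by_php'], true)
    );
}

chmod($path, 0600);
unlink($path);
```

A 644 file owned by the web server user still counts as writable to is_writable(), while the same mode on a file owned by a different account does not, which is why ownership changes the result reported in the admin interface.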
