flyzone

Locking The Configuration File


Hello there, 

I just moved from OpenX 2.8.10 to Revive 3.0.2

The process was smooth and all seems to work just fine except for locking down the conf.php file.

With the FTP I changed

/var/www.myserver.com.conf.php from 777 to 644

but when I log into the Revive back-end from the browser and go into the admin area and modify the settings, the system is reporting that the conf file is not locked and that I should lock it in order to secure it.

I can modify each setting, no problem.

I modified the file permissions several times just to see if it makes any difference, but the system is still reporting the file as unlocked.

Any suggestions?

thanks

A.


When you changed the permissions of your config file in earlier versions, so before you upgraded to Revive Adserver, did you also see that the config file was still being reported as unlocked? If so, I suggest you contact your sysadmin or hosting provider and discuss with them.

Guest

With the FTP I changed

/var/www.myserver.com.conf.php from 777 to 644

Sometimes, due to cache settings, file permissions may not be changed.

Now /var/www.myserver.com.conf.php is 644?


Still, this doesn't explain why it used to work with 644 in the past, and not now.

 

If the old file had a different owner it would make sense. The owner of the file now must be the same user as the user that runs the webserver.

 

If it is a multiuser system you should also change the permission of the file to 440 or even 400 so that not everyone with access to the server can read the configuration file with the DB password inside.


The conditional test in the isConfigWritable() method that checks the config file permissions in 3.0.4 uses is_writable(), which only checks whether PHP can write to the file or not. I don't know if the method has been rewritten in some recent update, but it would probably need to be modified to use fileperms() and specifically test for 644 if that's what the intent is. When the perms are set to 444, even the admin user cannot make changes to the configurations in the admin interface without first resetting the perms.

 

It should be noted that this official thread indicates that a secure installation's config file should be 444:

http://forum.revive-adserver.com/topic/112-securing-revive/?hl=%2Bconfiguration+%2Bfile

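The distinction drawn in the posts above, as an added example that is not part of the thread or of Revive Adserver's code: is_writable() answers "can the PHP process write this file?", while fileperms() exposes the mode bits that decide whether other local users can read it. auditConfigFile() is a hypothetical helper, the temporary file and its contents are constructed, and a POSIX host running PHP as a non-root user is assumed.

```php
<?php
// Added example, not Revive Adserver code. auditConfigFile() is a hypothetical helper.
function auditConfigFile(string $path): array
{
    clearstatcache(true, $path);        // PHP caches stat results per path
    $mode = fileperms($path) & 0777;    // keep only the rwx permission bits
    $findings = [];

    if (is_writable($path)) {
        // The condition the thread says isConfigWritable() tests.
        // Note: as root this is true regardless of the mode bits.
        $findings[] = 'writable by the PHP process (reported as unlocked)';
    }
    if ($mode & 0022) {
        $findings[] = 'group- or world-writable bit set';
    }
    if ($mode & 0004) {
        $findings[] = 'world-readable (other local users can read the DB password)';
    }
    // The owner comparison needs the posix extension; null means "could not check".
    $sameOwner = function_exists('posix_geteuid')
        ? fileowner($path) === posix_geteuid()
        : null;

    return ['mode' => sprintf('%04o', $mode), 'owned_by_php_user' => $sameOwner,
            'findings' => $findings];
}

// Constructed sample: a temporary file stands in for the real config file.
$sample = tempnam(sys_get_temp_dir(), 'conf');
file_put_contents($sample, "[database]\npassword=constructed-example\n");

foreach ([0777, 0644, 0444, 0440, 0400] as $perm) {
    chmod($sample, $perm);
    $r = auditConfigFile($sample);
    printf("%s  owner=%s  %s\n", $r['mode'], var_export($r['owned_by_php_user'], true),
        $r['findings'] ? implode('; ', $r['findings']) : 'no findings');
}

unlink($sample);
```

With the file owned by the PHP user, 777 and 644 report as writable while 444, 440 and 400 do not, and only 440 and 400 clear the world-readable finding.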
