Message after install - Installation directory is still writable...

[rottaj]

Hi,

After I recently install SMF at the very end I got the attached. It appears the the install.php was deleted but I ma not sure how to check if the Installation directory is still writable and if it is how to make it unwritable.  Any advice will be most appreciated.

Thanks in advance,

JR

[kat]

If you go to Admin>Package Manager>File Permissions and set that to the "Standard" profile, you shouldn't go far wrong.

[rottaj]

Thanks K@,

I did as recommended and the attached is the result - I assume all is well?

JR

[kat]

Looks fine, to me.

[rottaj]

Thanks K@, much appreciated.

JR

[Illori]

Looks fine, to me.

no it does not look fine.. it still says all the files are writable.

[rottaj]

Oh, OK - what do you suggest I should do?

[kat]

Unless I'm mistaken (Which is entirely possible) CHMOD 0644 is "read/write by owner" and "read only by the group and everyone else". 0755 is "read, write, and execute by owner" and "read and execute by the group and everyone else".

[Illori]

but the op said they want the files read only [not writable] so files should be 444 and folders 555 i believe. but there are some files/folders that need to left writable, like attachments.

[kat]

0644 is writeable by him, only. Nobody else. Everything, for everyone else, is write-protected.

Those "Standard" settings are there for good reasons.

[Illori]

that all depends on the php configuration, if it is not as secure as we would want others that get their account hacked could get to his files. that is why you should not leave all files/folders writable by default.

[kat]

They're only writeable by the owner.

All of my sites have the Standard profile, for CHMOD and, thus-far, I've NEVER been hacked.

However, this is hardly the place for a debate about such matters.

[Illori]

well it is the right place as the op asked for something specific and your "fix" did not do what they wanted.

good for you that you have not been hacked, many have been that left their files writable.

[NanoSector]

I have to say that K@ is right in this case. 0644 means that only the owner of the file (the host user) has read and write access to said file.

However, if the file appears writable to PHP, that means that Apache is running as the host user.
But, AFAIK, Apache should NEVER, EVER be running as even a half-baked priviliged user. That's asking for attacks.

You can lower your file permissions. But, that may also lock you out and you may need help from your host to recover access.

[Kindred]

K@,  as arantor has pointed out, the reason tgat avast was able to be hacked is because they left the directories and files writable. Locking them down to 444 is fully secure. 644 is mostly secure...

[Arantor]

I file permissions on *nix </sarcasm>

Yes, 444 is ideal for most things. Some settings require Settings.php to be writable in order to change them, certain things fall over if they can't.

Honestly though that's one of the things I would love to see changed in 2.1 or future is that we reduce the amount of settings inside Settings.php since most of them do not need to be there in the first place (and thus less requirement to ever change Settings.php, but that's a scary amount of change that too many people will think is not necessary even though there is no legitimate reason not to change it IMO)