Hello fellow Xoopsers !
Hi have a pretty complex situation here and I would like your advises. As it is complex, I'll have to clearly described the context.
I developped a web site for a company and I'm now ready to put it online. Everything works find : uploaded the files, created the database, populated it, chmod the necessary filders and chmod mainfile.php in 444. Perfect
When accessing the admin section for the first time, I get the message that mainfile.php is writable. I double check the attributes of mainfile.php :
Here is a screen shot of the mainfile.php attributes in the File Manager of the host :
As you can see, it was supposed to be in 444. Nevertheless, I seaked more proofs. Here is the attributes of the file, read via an FTP client :
Still in 444. Yet again, here is with anoter FTP client :
So, as you can see, everywhere I look, mainfile.php seems to be in 444, as it should. However, in admin.php, it won't let me continue because mainfile.php is writable.
Just to be sure, I uploaded everything on another host and everything worked find, so it seems not to be XOOPS.
I did further testing. I uploaded the install folder from the XOOPS official package, as well as mainfile.php of that same package. Again, I chmoded mainfile.php in 444, and got all the previous images for confirmation.
I launch the installation and, with no surprises what so ever, XOOPS successfully wrote the configuration informations in mainfile.php, while it should have been in Read Only.
I emailed the host company to notify them of what I see as a secrurity problem. First question to you after all this bla bla :
Can it be a security problem from the host ?The answered me something that I thinks does not solve the problem :
Quote:
The permissions on a linux system are different from the permissions on a windows system. For example if the folder the file resides in is read write and execute enabled and the file is read only you are still able to delete and modify the file under the linux file system this is due to the fact that unix system is based on files and the files under a folder are considered to be the content of that particular folder, hence you can delete and modify the name of the files under the directory because you as owner have rights to modify the public directory (file's contents.) If you require further assistance please contact us.
In other words, you should put the entire folder of mainfile.php in Read Only in order for the files inside it to be Read Only.
What do you think of this answer? Is it true? All Linux dudes out there, do what they say is legitimate? Am I missing something here?
Thanks for help on that !
