1

I am writing a large PHP application (with setup) for the first time and am wondering about the security precautions I should take for permissions.

setup.php uses uses fopen/fwrite to generate a config.php based on POST data that comes from setup.php. This works, but it seems that I cannot write to config.php unless I set permissions of it to 777.

Config.php will essentially contain the database credentials in PHP variables (to be include()'ed), is this a good to leave as 777?

I am wondering if that is alright or I should instruct the user to change permissions back to something such as 655 (I am not sure).

2 Answers2

5

A lot PHP applications require you to set config.php to 777 wile the product is being installed. I think this is perfectly acceptable, but the user should be warned that the file should be set back to 644 when setup is complete.

Another solution is to make the user hard-code the config.php with database settings. This does however complicate things for some new users.

pauska
  • 19,620
  • 5
  • 57
  • 75
  • +1 That seems to be the most common way it's done. Many PHP applications also refuse to run normally until the permissions are correctly set, going to a warning screen instead. – John Gardeniers Sep 07 '10 at 07:38
2

You should have the file permissions set to those that are needed to do the job in hand. This may be 777 for installation and 644 for running the application.

Every time your application runs you should check that the permissions (on critical files and paths) are what you want and then issue an error message and stop the application running if they are not.

user9517
  • 115,471
  • 20
  • 215
  • 297
  • I liked this answer, the thought of checking permissions on run time is something I shall most definitely add. –  Sep 07 '10 at 10:41