permissions and that pesky INCLUDE_ERROR

[carl_galloway]

Hi guys,

Garvin and I have had a brief conversation about the INCLUDE_ERROR I occasionally get, and basically I need help.

The situation is that my site is on a Unix server running H-Sphere, and the user and group are configured with my ftp username.

Now when s9y created my serendipity_config_local.inc.php the server (I assume H-Sphere) automatically uses my user and group instead of nobody. I think this is a H-sphere problem, not an s9y problem, but I kinda need help because I've had to set the permissions on that file at 774 so that I don't get the INCLUDE_ERROR.

And when I want to make changes to my configuration (eg change the number of entries that appear on my startpage), for some reason s9y needs to write to serendipity_config_local.inc.php so then I have to change its permissions to 776. Then when all is done I have to change them back to 774 again.

So with all that said, I would be happy to just leave the permissions on serendipity_config_local.inc.php at 776 coz then I can just do what I want when I want, and if you try to access that file in your browser you can't anyway because Apache won't let you (not enough permissions), and my error pages will then redirect you to index.php. However, the s9y admin pages specifically say to set the permissions at 770. What should I do?

Cheers
Carl

[garvinhicking]

Usually it works like this:

The file is owned by apache, and only apache can read+write the file. No other people/groups shall be able to modify the file.

Thus, your server may run as "wwwrun" and then owns the file. The user under which your apache runs must always be the owner of the file, so that the 0700 permissions can properly apply to it.

The file should not be owned by your FTP user...

HTH,
Garvin

[carl_galloway]

So I guess I'm running the risk of someone hacking my site? I tried doing a chown -R through filezilla client but I get a message command not known. And when I use the filemanager that comes with h-sphere it doesn't have the chown command in it, only the permissions.

Does anyone know if this is common with H-sphere?

Cheers
Carl

[garvinhicking]

Yes, changing ownership via FTP can be hard. Who is the original owner of that file? It seems there might be some conflicts with the server permissions - I doubt this is related to any hack attempt.

Sadly, I don't know H-Sphere at all.

You can also get the current permissions (and set permissions) with PHP and chmod/chown/stat commands. I'm too short on time and cannot give you verbose information.

Regards,
Garvin

[judebert]

Many FTP servers have CHOWN disabled, to prevent hacking. Naturally, some web file managers are the same way.

A php script to change the owner of a file would look like:

<?php chown(filename, user); ?>

Normally, only the superuser is allowed to change the owner of a file. Additionally, if PHP is in safe mode, it'll check to ensure the file owner is the same as the script runner. All in all, it's a long shot.

[carl_galloway]

judebert,

I'll try that, but I might do some more research first about what user apache is using, Garvin has me doubting myself about nobody vs wwwrun. I don't want to break my blog.

Carl