
Installing question


Forum rules
The Public Knowledge Project Support Forum is moving to http://forum.pkp.sfu.ca

This forum will be maintained permanently as an archived historical resource, but all new questions should be added to the new forum. Questions will no longer be monitored on this old forum after March 30, 2015.


Postby yen » Mon Apr 03, 2006 12:03 am

I'm currently trying to install OJS on my unix servers and am stuck where it says you need to make the folders (public, cache and its subfolders, and config.inc.php) writable.

I don't know if I've read the instructions right but these folders are in my web directory. Is this a security issue? I also note that there are php files in these folders too, so not only are they writable, but they are executable too.

I assume the files are writable to "everyone" (as the index page complains it's not writable otherwise). Could this allow anyone to write malicious code and execute it on the server?

.. any help/explanations would be greatly appreciated!
Thanks in advance!
Posts: 2
Joined: Fri Mar 31, 2006 2:10 am

Postby asmecher » Mon Apr 03, 2006 12:40 pm

Hi Yen,

The cache folder is used to store PHP-based caches in a format that is publicly executable but will not do any harm or reveal any information if executed. Have a look at any cache file as an example, or look at the code in classes/cache/FileCache.inc.php for the code responsible for managing these files.

Files in the public file directory are uploaded by the Journal Manager via the import process, the Section Editor, Layout Editor, or Editor via the Layout section in a submission's Editing page, or the Section Editor or Editor via the expedited submission process. Generally these will be PDF or HTML files, but these user roles (Journal Manager, Section Editor, Editor, and Layout Editor) are trusted with the ability to upload any file type -- including, potentially, executable PHP files. However, nobody outside of these roles has this ability.

If you do not wish to make config.inc.php writable, you'll be presented with instructions for writing its contents manually; alternately, you can make config.inc.php writable, complete the installation process, and change it back to read-only.

Note that when the instructions say "writable" and "readable", this means by the web server user -- typically "www-data", "nobody", or "apache", depending on your server's configuration. These do not need to be world-writable -- in fact, this is generally a bad idea. I'd suggest creating a group including the www-data (or equivalent) user and making the files group-writable but not world-writable.

Alec Smecher
Open Journal Systems Team
Posts: 10015
Joined: Wed Aug 10, 2005 12:56 pm
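
The group-writable setup suggested in the reply above, as an added shell example that is not part of the original posts or of OJS itself. The OJS root path and the group name are assumptions passed as arguments; the group is expected to already exist and to contain the web server user.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on the paths the OJS
# installer wants writable. Paths are relative to the OJS root directory.
OJS_WRITABLE="public cache config.inc.php"

# Print every file or directory under those paths that is world-writable.
list_world_writable() {
    ojs_dir=$1
    for p in $OJS_WRITABLE; do
        [ -e "$ojs_dir/$p" ] || continue
        find "$ojs_dir/$p" \( -type f -o -type d \) -perm -0002 -print
    done
}

# Hand the paths to a group that contains the web server user, make them
# group-writable, and drop the world-writable bit.
restrict_to_group() {
    ojs_dir=$1
    group=$2   # assumed to exist already, e.g. a hypothetical "ojsweb"
    for p in $OJS_WRITABLE; do
        [ -e "$ojs_dir/$p" ] || continue
        chgrp -R "$group" "$ojs_dir/$p" || return 1
        # X adds execute (search) only on directories and already-executable files
        chmod -R g+rwX,o-w "$ojs_dir/$p" || return 1
    done
}

# Once installation is complete, config.inc.php can go back to read-only.
lock_config() {
    chmod a-w "$1/config.inc.php"
}

# Usage: sh this-script /path/to/ojs groupname
if [ "$#" -eq 2 ]; then
    echo "World-writable before the change:"
    list_world_writable "$1"
    restrict_to_group "$1" "$2"
    echo "World-writable after the change:"
    list_world_writable "$1"
fi
```

Run `lock_config` only after the installer has finished writing config.inc.php.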

Postby asmecher » Tue Apr 04, 2006 4:49 pm

A correction: The public files directory is *not* used to store article galleys (e.g. PDF and HTML). It is used to store journal stylesheets, issue cover page images and stylesheets, etc -- these files are only uploaded by users in "trusted" roles such as Editors and Journal Managers.
Posts: 10015
Joined: Wed Aug 10, 2005 12:56 pm
