Hi,
I'm currently trying to install OJ on my unix servers and am stuck where it says you need to make the folders (public, cache and its subfolders, and config.inc.php) writable.
I dont know if i've read the instructions right but these folders are in my web directory. Is this a security issue? I also note that there are php files in these folders too, so not only are they writable, but they are executable too.
I assume the files are writable to "everyone" (as the index page complains its not writable otherwise). Could this allow anyone to write malicious code and execute it on the server?
.. any help/explainations would be greatly appreciated!
Thanks in advance!
Installing question
Moderators: jmacgreg, michael, jheckman, barbarah, btbell, bdgregg, asmecher
Forum rules
What to do if you have a technical problem with OJS:
1. Search the forum. You can do this from the Advanced Search Page or from our Google Custom Search, which will search the entire PKP site. If you are encountering an error, we especially recommend searching the forum for said error.
2. Check the FAQ to see if your question or error has already been resolved.
3. Post a question, but please, only after trying the above two solutions. If it's a workflow or usability question you should probably post to the OJS Editorial Support and Discussion subforum; if you have a development question, try the OJS Development subforum.
What to do if you have a technical problem with OJS:
1. Search the forum. You can do this from the Advanced Search Page or from our Google Custom Search, which will search the entire PKP site. If you are encountering an error, we especially recommend searching the forum for said error.
2. Check the FAQ to see if your question or error has already been resolved.
3. Post a question, but please, only after trying the above two solutions. If it's a workflow or usability question you should probably post to the OJS Editorial Support and Discussion subforum; if you have a development question, try the OJS Development subforum.
3 posts
• Page 1 of 1
by asmecher » Mon Apr 03, 2006 12:40 pm
Hi Yen,
The cache folder is used to store PHP-based caches in a format that is publicly executable but will not do any harm or reveal any information if executed. Have a look at any cache file as an example, or look at the code in classes/cache/FileCache.inc.php for the code responsible for managing these files.
Files in the public file directory are uploaded by the Journal Manager via the import process, the Section Editor, Layout Editor, or Editor via the Layout section in a submission's Editing page, or the Section Editor or Editor via the expedited submission process. Generally these will be PDF or HTML files, but these user roles (Journal Manager, Section Editor, Editor, and Layout Editor) are trusted with the ability to upload any file type -- including, potentially, executable PHP files. However, nobody outside of these roles has this ability.
If you do not wish to make config.inc.php writable, you'll be presented with instructions for writing its contents manually; alternately, you can make config.inc.php writable, complete the installation process, and change it back to read-only.
Note that when the instructions say "writable" and "readable", this means by the web server user -- typically "www-data", "nobody", or "apache", depending on your server's configuration. These do not need to be world-writable -- in fact, this is generally a bad idea. I'd suggest creating a group including the www-data (or equivalent) user and making the files group-writable but not world-writable.
Regards,
Alec Smecher
Open Journal Systems Team
The cache folder is used to store PHP-based caches in a format that is publicly executable but will not do any harm or reveal any information if executed. Have a look at any cache file as an example, or look at the code in classes/cache/FileCache.inc.php for the code responsible for managing these files.
Files in the public file directory are uploaded by the Journal Manager via the import process, the Section Editor, Layout Editor, or Editor via the Layout section in a submission's Editing page, or the Section Editor or Editor via the expedited submission process. Generally these will be PDF or HTML files, but these user roles (Journal Manager, Section Editor, Editor, and Layout Editor) are trusted with the ability to upload any file type -- including, potentially, executable PHP files. However, nobody outside of these roles has this ability.
If you do not wish to make config.inc.php writable, you'll be presented with instructions for writing its contents manually; alternately, you can make config.inc.php writable, complete the installation process, and change it back to read-only.
Note that when the instructions say "writable" and "readable", this means by the web server user -- typically "www-data", "nobody", or "apache", depending on your server's configuration. These do not need to be world-writable -- in fact, this is generally a bad idea. I'd suggest creating a group including the www-data (or equivalent) user and making the files group-writable but not world-writable.
Regards,
Alec Smecher
Open Journal Systems Team
- asmecher
- Posts: 5920
- Joined: Wed Aug 10, 2005 12:56 pm
by asmecher » Tue Apr 04, 2006 4:49 pm
A correction: The public files directory is *not* used to store article galleys (e.g. PDF and HTML). It is used to store journal stylesheets, issue cover page images and stylesheets, etc -- these files are only uploaded by users in "trusted" roles such as Editors and Journal Managers.
- asmecher
- Posts: 5920
- Joined: Wed Aug 10, 2005 12:56 pm
3 posts
• Page 1 of 1
Return to OJS Technical Support
Who is online
Users browsing this forum: Bing [Bot] and 3 guests