On Mon, Aug 16, 2010 at 11:27:23AM +1200, Brenda Wallace wrote:
> the installer currently suggests the following:
>   Cannot write config file to: /home/brenda/workspace/statusnet
>   On your server, try this command: chmod a+w /home/brenda/workspace/statusnet
> 
> I'd like to change this to
>   On your server, try this command: touch /home/brenda/workspace/statusnet/config.php; chmod a+w /home/brenda/workspace/statusnet/config.php
> (as well as a few other changes to support this, they're all in the installer.)
> 
> This limits the amount of damage a future code bug can do.

It's a rather poor suggestion to tell the user to 'chmod a+w' anything
on the system. Only the webserver needs write access, along with the
owner of the file. No one else should need write access, especially the
config.php. In fact, the read bit should be removed on that file, if
any.

A better suggestion would be to tell the user that the web server needs
write access, and this would be best accomplished with:

chgrp apache /home/brenda/workspace/statusnet
chmod g+w /home/brenda/workspace/statusnet

Of course, the web group 'apache' will be different on each Unix, so the
user will need to know that info, or the installer will need to figure it
out and present it to the user.

In any event, 'try this command: chmod a+w' isn't a good suggestion in
terms of security.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O

_______________________________________________
StatusNet-dev mailing list
[email protected]
http://lists.status.net/mailman/listinfo/statusnet-dev
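
An added example, not part of the original message or of the StatusNet installer: a sketch of how an installer could look up the web server's group and print group-only write commands in place of 'chmod a+w'. The function names and the list of candidate group names are assumptions, and only a local group file is consulted (groups served by LDAP/NSS are not).

```shell
#!/bin/sh
# Added example: narrow an installer's permission hint from "chmod a+w" to
# group-only write for the web server. Candidate group names are assumptions.

WEB_GROUP_CANDIDATES="apache www-data httpd nginx _www www"

# Print the first candidate group found in a group database file.
# $1: group file (defaults to /etc/group; NSS/LDAP groups are not consulted).
detect_web_group() {
    group_file=${1:-/etc/group}
    for g in $WEB_GROUP_CANDIDATES; do
        if grep -q "^${g}:" "$group_file" 2>/dev/null; then
            printf '%s\n' "$g"
            return 0
        fi
    done
    return 1
}

# Succeed if "others" have write permission on $1.
# Character 9 of the ls mode string (e.g. drwxrwxrwx) is the others-write bit.
is_world_writable() {
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c9)
    [ "$mode" = "w" ]
}

# Print the hint an installer could show for directory $1 and group $2.
# If the directory is already world-writable, revoke that first.
suggest_perms() {
    if is_world_writable "$1"; then
        printf 'chmod o-w %s\n' "$1"
    fi
    printf 'chgrp %s %s\n' "$2" "$1"
    printf 'chmod g+w %s\n' "$1"
}

# Demo on constructed input: a sample group file and a scratch directory.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'root:x:0:\nwww-data:x:33:\n' > "$tmp/group"
    mkdir "$tmp/statusnet" && chmod 777 "$tmp/statusnet"
    grp=$(detect_web_group "$tmp/group") || grp='<web-server-group>'
    suggest_perms "$tmp/statusnet" "$grp"
    rm -rf "$tmp"
}
demo
```

When no candidate group is found, the demo falls back to a labelled placeholder so the user is asked to supply the group name rather than being handed a wrong one.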
