Security and permissions

Hoping someone can help with suggestions for my problems.
Here is the sequence of events as much as I can recall:-
I developed an Open Cart site on my local Mamp Pro using Shoppica theme. No problems with anything there. Using 1.5.2.1 because at the time I started development the next version/s hadn't been released.
I installed a fresh version of OC (1.5.2.1) on my clients Linux server and followed the developer notes for transferring OC to a new server, and then ftp'd the theme etc files.
This produced php errors suggesting ownership and permission issues. I spent a few days (because of slow response times with the server hosts) trying to resolve this because everything pointed to the problem being server related. I read many, many posts on this forum as well. The only thing (according to the server hosts) which could resolve the issue is to set all files to 777 as described in this documentation: http://www.opencart.com/index.php?route ... ion&path=4
My understanding has always been, and this is supported by all the posts and information relating to security on this forum, that 777 permissions are a major security risk, so I cannot believe that this is the answer.
I have removed the site off the server, so have no link to offer. Currently I am battling to resolve a problem with Mamp Pro which I have just updated (another issue with which I've been blessed - thank you Murphys Law), but will need to get this website up and happening as soon as I can.
Should I advise my clients to use a different server - perhaps C-Panel, which I'm more used to? Or is there something with Linux and OC that I need to know that isn't obvious to me?
Would love to know someones workflow for transferring OC from local to remote server without days and days of problems which I just can't afford.
Thanks in advance.

I notice there are 1300 users online. Are there any moderators? Can anyone suggest what might be causing OC to not work at all on a linux server unless permissions are set to 777 - AS ADVISED IN OPENCART INSTALLATION DOCUMENTATION - see the link in my first post.

I'll repeat - these permissions are a security risk. Why won't OC work without them? Does anyone have an answer to this?

What permissions are your files and folders set to now? 755 and 644?

Mine work fine on a linux server with 755 folder and 644 file permissions. And the only two files you really have to worry about are the config.php and admin/config.php, and after you install opencart those can be set to 444 if you really want to be secure (per Qphoria's recommendation here, http://forum.opencart.com/viewtopic.php?t=19292)

And yes, you should advise your clients to use a linux server with cPanel.

Hi bigchill - thanks for your input. As mentioned in my post I removed the site off the server. It would not work at all unless the settings were 777 as described in the link to the OC document.

That is what I am querying. The server hosts pointed me to that document which clearly states that those files have to be 777 INCLUDING both config files. I do not believe this can be accurate and I want to know why that document exists at all if it means an insecure website. I would also like to know why OC wouldn't work at all on a linux server unless those files were set to 777. As I said in my post, my understanding has always been that 777 permissions are a major security risk.

Can someone please explain that document to me! And if someone also knows why I can get OC to work without those permissions I would also be very grateful. Alternatively, I will advise my clients to use another shopping cart, which would be sad since I like the look and functioning of OC.

mintjelly wrote:The server hosts pointed me to that document which clearly states that those files have to be 777 INCLUDING both config files. I do not believe this can be accurate and I want to know why that document exists at all if it means an insecure website. I would also like to know why OC wouldn't work at all on a linux server unless those files were set to 777. As I said in my post, my understanding has always been that 777 permissions are a major security risk.

That document says the following:

For Linux/Unix make sure the following folders and files are writable.

chmod 0755 or 0777 image/
chmod 0755 or 0777 image/cache/
chmod 0755 or 0777 cache/
chmod 0755 or 0777 download/
chmod 0755 or 0777 config.php
chmod 0755 or 0777 admin/config.php

If 0755 does not work try 0777.

If 755 doesn't work, then try 777. But that is only for the INSTALL. Once OpenCart is installed, you can change the config files to either 644 or 444. The other folders can be 755. That's typical permissions for folders on cPanel.

mintjelly wrote:Can someone please explain that document to me! And if someone also knows why I can get OC to work without those permissions I would also be very grateful. Alternatively, I will advise my clients to use another shopping cart, which would be sad since I like the look and functioning of OC.

It's not an OpenCart issue, it's clearly a server issue. Tell your clients to change hosts. If you really want to test it out, I offer a 30 day free trial for my web hosting. You can set up a test account there and use that to verify OpenCart works.

Thanks for that. Interesting that the server host, which is a fairly large and well respected entity here, pointed me to that document and understood it to mean that those need to be the settings all the time. I disagreed with them and they pointed out that the document is written by OC and therefore that must be the case. Perhaps OC need to adjust the document to read that it is for install purposes only.

So, do I understand correctly, those files need to be set on the server prior to going through the install process?

mintjelly wrote:Thanks for that. Interesting that the server host, which is a fairly large and well respected entity here, pointed me to that document and understood it to mean that those need to be the settings all the time. I disagreed with them and they pointed out that the document is written by OC and therefore that must be the case. Perhaps OC need to adjust the document to read that it is for install purposes only.

Just because they are fairly large and well respected doesn't mean they know the ins and outs of OpenCart.

mintjelly wrote:So, do I understand correctly, those files need to be set on the server prior to going through the install process?

If you are installing OpenCart from the live server then yes, those files should be writable before you continue with the installation. But in all honesty, on my cPanel server, I've never set the config files to 755 during install. They've always been 644 and I've never had a problem.

Thats what I think should be the case too. And in fact have never had a problem on an Apache server with C-Panel. I believe the common denominator here is the Linux server - I really just want it spelled out for them since they keep pointing me back to that doc. I think I will be referring my clients to a different server.

Do you mind my asking - if you develop on a local server (in my case Mamp pro) would you then do a clean install of OC on your remote server, then delete everything except the config files and upload your local files? Or would you compress the site, upload it and uncompress in C-Panel and import your db etc?

mintjelly wrote:Thats what I think should be the case too. And in fact have never had a problem on an Apache server with C-Panel. I believe the common denominator here is the Linux server - I really just want it spelled out for them since they keep pointing me back to that doc. I think I will be referring my clients to a different server.

Well, I'm open for referrals.

mintjelly wrote:Do you mind my asking - if you develop on a local server (in my case Mamp pro) would you then do a clean install of OC on your remote server, then delete everything except the config files and upload your local files? Or would you compress the site, upload it and uncompress in C-Panel and import your db etc?

Honestly? If it were me, I wouldn't use XAMPP, WAMP, or MAMP at all. I've always found people have had some sort of problem or other when transferring from local to remote and then come on the forums pulling their hair out trying to figure out what the issues are. I've always just used a live testing remote server and blocked the site from being indexed with a robots.txt file until it's ready to go live.

In your case however, both options would work. I'd do whichever is the easiest and/or fastest.

You're a gem. Thanks so much for your help.
I work on a local server because of page load time - its just quicker.
Where are you based? I've always tried to use servers which are actually based in Australia. They usually load faster as well. If you have details in your profile here, I may be in touch...

mintjelly wrote:You're a gem. Thanks so much for your help.

No worries. It's my pleasure.

mintjelly wrote:Where are you based? I've always tried to use servers which are actually based in Australia. They usually load faster as well. If you have details in your profile here, I may be in touch...

Servers are based in the US. Feel free to contact if you have any questions.

Found you - very nice website and hot ethics. (pun intended).

I'll point my clients in your direction.

Thanks so much for your time.