Prestashop: Insecure file permissions

Hi @julianmatz,

I'm fairly sure this is not the proper way to set permissions.

read for more information https://symfony.com/doc/current/setup.html#checking-symfony-application-configuration-and-setup

You have all the information you need to configure your application the" right" way, but a lot of people are just unable to configure their server the way they expect, this is why we have a permissive system (not insecure, permissive) by default.

Not a bug then, but a feature.

Thanks for your report.

Hi Mickaël,

I understand that. But wouldn't most systems/hosts have a method of circumventing this problem and not requiring world-writable file permissions? And if it were an issue, perhaps it could be a setting that could be enabled during setup/installation. You wouldn't agree that being this permissive could be a security risk, especially if the user may not even be aware that others have write access on their filessystem?

From your own documentation:

Some hosts might require you to use CHMOD 777, although it is not recommended for anything more than a one-time need.
If you have to use CHMOD 777 in order to install PrestaShop, make sure to switch to a safer setting (for instance, 775 for folders and 664 for files) once you are done installing.
Read your host's documentation carefully.

http://doc.prestashop.com/display/PS17/Installing+PrestaShop

I fully agree with julianmatz, this is really a BAD and UNSAFE feature !!!!
I have installed a lot of software, but never seen a software-package which is messing arround with file&folder permissions... If you want to offer 777 and 666: make it optional: but best way is
not to change umask at all: the server/hostpackage installation setup has set the right setting already!
But the default must be: 644 for files and 775 for folders.
PLEASE CHANGE IT ASAP, we don't want hacked webshops !!!!!!!!!!

With kind regards,

;-) Arthur

Could you please re-open this? If you want to stick with this as a feature, okay, but you are changing people's file permissions without their knowledge - people upgrade their Prestashop installation and suddenly, they have world-write permissions across their public HTML file tree. There is no apparent/easy way to disable the feature, there is no warning, and there doesn't seem to be anything documented about it.

Maybe someone who come across this issue, will look for a way to change permissions. Therefor I will share a simple module to do that: https://github.com/MathiasReker/filepermissions :-)

Mathias this is so cool by your side dude. Works like a charm for the existing files. BUT. The f*ing PrestaShop gurus due to their umask mentality make any new module directory 0777.

They probably have hidden somewhere the umask(0022) to degrade fodlers to 0755 and files to 0644.

I have seen that they remove it in 1.7.6 version.

@tapandagr You are welcome. I actually made a more advanced (free) module that has this feature built in. Please check use this module instead: https://www.prestashop.com/forums/topic/984993-free-module-advanced-security-module/ :-)

Mathias this is so cool by your side dude. Works like a charm for the existing files. BUT. The f*ing PrestaShop gurus due to their umask mentality make any new module directory 0777.

They probably have hidden somewhere the umask(0022) to degrade fodlers to 0755 and files to 0644.

I have seen that they remove it in 1.7.6 version.

Hi, you're probably talking about https://github.com/PrestaShop/PrestaShop/pull/12124 and indeed we have chosen to stop following the previous folder rights strategy for better security.

If you read previous answers, you'll see that there was a reason behind the previous folder rights strategyt: https://github.com/PrestaShop/PrestaShop/issues/11634#issuecomment-444875841

We try to find a compromise between the different types of prestashop users, and it's not always easy. No need to use the f word.

Ok excuse me for my rude language, but this is not like if you like the menu horizontally or vertically.

I have made a module for a customer of mine and uploaded it via the modules way (and not the ftp one) following all the best practices you suggest via the validator. The result was that the website stopped working due to some security infrastructure that detected the 0777 permission.

As a consequence, I had a severe fight with my client, because he thought the mistake was mine.

That's why I am highly tempered at the moment! Because I have to apologize and lose money for something that is not my own mistake....

Well, it's the hard thing about relying on dependencies ^^ we have the same stories here

For example last week we had to make this PR because of this code in Doctrine that we use in the project.

Hope it's better with your boss now though 😉

@matks I have no boss. I am the boss of a solo business. The hard thing is that to fix things I am alone. I am not a business with a team of developers that can co-operate to patch any vulnerability.

The time schedule is tight as hell if you take into consideration clients, reaching new clients and probably solving PrestaShop flaws.

At least you could make a dropdown or text input where the user could put the settings he likes.
Not forcing some setting (no matter what it is) without consent.

In any case, when do you expect 1.7.6.x to be delivered?