Support

Akeeba Backup for Joomla!

#26333 Akeeba backup logfiles permissions to 666

Posted in ‘Akeeba Backup for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Akeeba Backup version
n/a

Latest post by on Friday, 18 November 2016 17:17 CST

Tuesday, 18 October 2016 04:49 CDT

Ginius
EXTREMELY IMPORTANT: Please attach a ZIP file containing your Akeeba Backup log file in order for us to help you with any backup or restoration issue. If the file is over 2Mb, please upload it to your server and post a link to it.

Description of my issue:
Today I found out that the File permission of to Akeeba Logfile is set to 666 instead of 644.

I read a lot of posts where you are saying it is a hosting setup. With the hoster, I did some test. We made the following PHP script and run it.

<?php

$file = 'test.txt';
// Append a new person to the file
$current = "TESTFILE\n";
// Write the contents back to the file
file_put_contents($file, $current);

?>

The result of the file was:

-rw-r--r-- 1 test.xxxxx.nl psacln 168 Oct 18 10:52 test.php
-rw-r--r-- 1 test.xxxxx.nl psacln 9 Oct 18 10:58 test.txt

This seems that the server is handling it correctly. What I did:

After the backup, we upload it to a remote FTP Server. I guess this should not impact the log file permission.

Please, advice what to do or where the issue is. Of course, it is not a big issue (it is in a save directory), but it isn't nice.

Best regards,

Arjen Schrijvers

Tuesday, 18 October 2016 05:37 CDT

tampe125
Hello,

I guess that when it was created it got the wrong file permissions (maybe there was a configuration error on the server). File permission is inherit by the server, that's something we are not touching.
Anyway, you can safely change it to 644, there should be no problems.

Davide Tampellini

Developer and Support Staff

๐Ÿ‡ฎ๐Ÿ‡นItalian: native ๐Ÿ‡ฌ๐Ÿ‡งEnglish: good โ€ข ๐Ÿ• My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Tuesday, 18 October 2016 05:52 CDT

Ginius
I don't think it is the server configuration. If I did the test above (script) and run it, it will make a file called text.txt with permission 644. This means the server is good.

So I really think it is something in Akeebaa backup that is messing up the persmissions.

Please, can you do a test on your site and verify it?

Best regards,

Arjen Schrijvers

Tuesday, 18 October 2016 08:09 CDT

tampe125
Please take a look at the code yourself.
file plugins/system/admintools/util/exceptionhandler.php line 299 and following:
// -- Log the exception
$fp = @fopen($fname, 'at');


As you can see we are simply opening the file and write data into it.
What I wrote:
I guess that when it was created it got the wrong file permissions
Means that at the time the file was created (several days ago), there could be a configuration error or another plugin setting the umask to a different value.

Anyway, this is not related to Admin Tools.

Davide Tampellini

Developer and Support Staff

๐Ÿ‡ฎ๐Ÿ‡นItalian: native ๐Ÿ‡ฌ๐Ÿ‡งEnglish: good โ€ข ๐Ÿ• My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Tuesday, 18 October 2016 14:06 CDT

Ginius
18th october is not several days. Thet test.txt was made directly after you told me it could be an servicer configuration issue. So that should not be the issue.

I search in the akeeba code for the PHP command chmod. I found several ones and see that they change hardcoded the permissions of files. Below you find a list of these files. I

administrator/components/com_akeeba/BackupEngine/Util/Logger.php: @chmod($this->logName, 0666);
administrator/components/com_akeeba/BackupEngine/Archiver/Jpa.php: chmod($this->_dataFileName, 0666);
administrator/components/com_akeeba/BackupEngine/Archiver/Jpa.php: chmod($this->_dataFileName, 0666);
administrator/components/com_akeeba/BackupEngine/Archiver/Zipnative.php: chmod($this->_dataFileName, 0666);
administrator/components/com_akeeba/BackupEngine/Archiver/BaseArchiver.php: chmod($this->_dataFileName, 0666);
administrator/components/com_akeeba/BackupEngine/Archiver/Jps.php: chmod($this->_dataFileName, 0666);
administrator/components/com_akeeba/BackupEngine/Archiver/Zip.php: chmod($this->_dataFileName, 0666);
administrator/components/com_akeeba/BackupEngine/Archiver/Zip.php: chmod($this->centralDirectoryFilename, 0666);
administrator/components/com_akeeba/AliceEngine/utils/logger.php: @chmod(AliceUtilLogger::$logName, 0666);
administrator/components/com_admintools/engine/Util/Logger.php: @chmod($this->logName, 0666);

I guess logger.php is writing the files with permission 666. Is there a reason why files are save with 666? Could this be the reason of 666?

Best regards,

Arjen Schrijvers

Wednesday, 19 October 2016 02:58 CDT

tampe125
I do apologize, while reading your ticket I messed up Akeeba with Admin Tools, that's the reason of my previous answer. I'm sorry for that.

Looking at the code, indeed, the permissions are set to 0666.
The 0666 permissions are used for the case of really bad hosting. However, since this is NOT a .php file there is nothing to worry about. The 0666 permission would only allow someone to *potentially* write to a plain text log file. Even if they do that, this is a _PLAIN TEXT_ file which is not executed in any way. The maximum extent of the damage they can do is the equivalent of someone painting graffiti on the pavement in front of your house, NOT breaking into the house. If we change these permissions to 0644 we will break our software for some arguably bad hosts. If we don't change these permissions no real harm is done. Therefore we chose to stick to these permissions.

Davide Tampellini

Developer and Support Staff

๐Ÿ‡ฎ๐Ÿ‡นItalian: native ๐Ÿ‡ฌ๐Ÿ‡งEnglish: good โ€ข ๐Ÿ• My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 19 October 2016 03:21 CDT

Ginius
Hello Davide,

Ok, apologise excepted.

Strange standpoint from Akeeba that the agree to support 666 to support bad host.

In my opinion, a bad host should not support at all.

Better that Akeeba has a default value of 644 and in case there is a ' bad' host, the bad host can change it in the configuration settings of Akeeba.

Why am I making a point of it? My external security check is yelling that the permission is not good. And they are right. Although I know it is not directly harmful, my customer get scary if he sees such message.

Of course I can change it in the code of Akeeba, but this means after update changes are gone. Has akeeba the plan to change the permission or is akeeba leaving it as it is now?

Wednesday, 19 October 2016 03:33 CDT

tampe125
In my opinion, a bad host should not support at all.
You would be surprised by the amount of bad hosts that there are.
Why am I making a point of it? My external security check is yelling that the permission is not good. And they are right. Although I know it is not directly harmful, my customer get scary if he sees such message.
OSCP certified talking: this is utterly non-sense. Tell him to take a look at any Linux installation, you will find several file with write permissions set to "anyone". Are they a threat? It depends by the file: if it's a php file or any other "sensible" file, it could be an issue, but not in this case, this is just a plain log file. Moreover, the file is not even flagged as executable, so even if you write some malicious content in it you won't be able to execute it.

Has akeeba the plan to change the permission or is akeeba leaving it as it is now?
We will not change it.

Davide Tampellini

Developer and Support Staff

๐Ÿ‡ฎ๐Ÿ‡นItalian: native ๐Ÿ‡ฌ๐Ÿ‡งEnglish: good โ€ข ๐Ÿ• My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 19 October 2016 05:27 CDT

Ginius
Thanks letting us know Davide.

Ik will turn the login on Akeeba off. Besides it saves disc space, I'm sure I'm leaking non-information about the backup.

If I'm turning login off, is it then still making an empty log file?

Wednesday, 19 October 2016 05:42 CDT

tampe125
If I'm turning login off, is it then still making an empty log file?
Yes

Davide Tampellini

Developer and Support Staff

๐Ÿ‡ฎ๐Ÿ‡นItalian: native ๐Ÿ‡ฌ๐Ÿ‡งEnglish: good โ€ข ๐Ÿ• My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 18 November 2016 17:17 CST

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
Edited by on 2016-11-18 17:17 CST

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!