Magento Forum

   
My Host doesn’t like Magento
 
CKD
Member
 
Total Posts:  31
Joined:  2007-11-21
Saitama, Japan
 

Hi, I work pretty closely with my host when there is a problem.  He runs his server tuned for zen-cart.  His specs fit all the requirements of Magento but I just tried to work through and install on his server with him and this is the reply after trying to get it to run:

“You’re gonna have to get with them,
this code is a mess and is designed to run as php as cli ( THIS IS A SECURITY NIGHTMARE )
and we will not allow you to use an overwrite and install separate binaries for php,
for security reasons,

I have reset most of the folder permissions,
there are a TON of files that are still not set correct,
and there are still htaccess files with php override code

you’re gonna need to holler at them with this one”

Anyone have any idea as to what to do about this or comments about this?

Regards,
Shaun

 
 
CKD
Member
 
Total Posts:  31
Joined:  2007-11-21
Saitama, Japan
 

Well actually my host has been great and has a really good rep in the zen-cart community.  zen-carts run really well on his servers.  He says there is a security issue, instead of telling me to find a real host.  Can you post reasons why this might be wrong?  Or maybe the fact of running zen-carts in this way can cause a security issue.

I’m not here to put anyone down.  I think that happens way too much on forums.  I try to treat people on forums the way I treat people face to face, with respect no matter who they are or what their opinion is.

So if anyone can tell me reasons why he is right or wrong, that would be great.  Maybe it really is an issue that needs to be addressed.  I’m not going to be the one to say I am a pro at hosting configurations. 

Regards,
Shaun

 
 
RoyRubin
Magento Team
 
Total Posts:  968
Joined:  2007-08-07
Los Angeles, CA
 

@CKD - Welcome to the community.

I’ve commented below. Please don’t hesitate to post any further questions - hopefully we can help you resolve this with him.

“this code is a mess and is designed to run as php as cli ( THIS IS A SECURITY NIGHTMARE )
and we will not allow you to use an overwrite and install separate binaries for php,
for security reasons,”

This is not true. If your host supports PHP5 and all the required modules are available, the installation should be very simple. There is a PHP4 workaround that is based on a PHP-CGI component. There is no security risk and this has worked for many people so far.

“I have reset most of the folder permissions,
there are a TON of files that are still not set correct,
and there are still htaccess files with php override code”

I have no idea what he means here. Any clue? It seems as if he didn’t follow the proper install process. A good starting point is this thread: http://www.magentocommerce.com/boards/viewthread/1647/

Hope this helps.

 
 
Moshe
Magento Team
 
Total Posts:  1770
Joined:  2007-08-07
Los Angeles
 

@CKD: We’re always glad to receive security issue reports, as they help us to correct them.

Although it is unclear in this post which security vulnerability exactly we are talking about here.
Could you or your host elaborate a bit about it?

Thanks.

 
 
Camelothosting
Jr. Member
 
Total Posts:  10
Joined:  2007-11-25
 

First my apologies IF I was misunderstood,

Ok,
let me start with the default htaccess files,
the php override directives in the htaccess file will cause system admin errors,

the directions state to make files and folders globally writable ( Chmod 777 )
one of the reasons to run php as cgi is to NOT require world writable permissions,

These are the first things I ran into when I looked into Shaun’s file structure,

IF there are any directions for installing this on php5 running as cgi please point Shaun at them,

The really kool comment on my site was too funny though,
No I don’t have anything against any cart ( Except for OSC )

 
 
CKD
Member
 
Total Posts:  31
Joined:  2007-11-21
Saitama, Japan
 

Maybe I should have started by telling everyone that my host’s settings don’t like Magento, at least so far, not my host as a person… ;)

The php5 as cgi thing is going to be the problem.  I would like to see how a Magento cart runs on his server.  I have seen zen-carts run slow on some servers but fast on his.  I have also been seeing the same of Magento and wonder if they will run faster on his server or not.  Not that I expect Magento to run error free right now.

So Tony, sorry if I gave the wrong impression of you right off the bat here.  Your service has been great and as long as I use zen-cart then I will have them on your server.  I will say that I have read posts where Tony has posted about Magento and he has said nothing bad about it as far as I can tell.  The only thing I have seen is where he has warned people that they shouldn’t use it live, as it is in beta stages, which the Magento team does also.

@Moshe/RoyRubin- let me know what you need from me, I will try my best to get you as much info as I can to resolve this issue.

Regards,
Shaun

 
 
RoyRubin
Magento Team
 
Total Posts:  968
Joined:  2007-08-07
Los Angeles, CA
 

@Shaun - Can you please have him try this and report back any errors?

http://www.magentocommerce.com/knowledge-base/entry/installing-magento-on-a-php4-server

 
 
Camelothosting
Jr. Member
 
Total Posts:  10
Joined:  2007-11-25
 

We are running php 5.2.4 as cgi,
we are not running php 4 and 5 side by side,

Unless I need to read farther than making this work on php4

This is a problem,

php_flag magic_quotes_gpc off
php_flag short_open_tag on

the issue here is that php as cgi ( phpsuexec or suphp ) does not allow php directives in the htaccess file,
( yes I know make a local php.ini file, )

the other issue is you do not have to force load the binaries

the major things here are that your system is set to run on folder permissions 775 ( try making the folders 755 )
and file settings 664 ( try using 644 since these are still writable by the system but not by user nobody or world )

and set your requirements you don’t need all the php registries in the htaccess or a php.ini,

 
 
Moshe
Magento Team
 
Total Posts:  1770
Joined:  2007-08-07
Los Angeles
 

@Camelothosting: So I guess .htaccess / php.ini is more of an installation tutorial issue, right?

Regarding the 664/775 vs. 644/755 issue - I’ve run “chmod g-w . -R” on my working copy and it is still working.
Are you sure this is not specific to your user setup?

 
 
Camelothosting
Jr. Member
 
Total Posts:  10
Joined:  2007-11-25
 

well,
the htaccess issue yes,

and we have our security run tight, ONLY the program may write to a file, this is just for better security,
I would love to see all files that didn’t have to be written to as 444 but that’s just me

Please PM me and I will shoot you access to a live server running our security and you can go from there,
I of course am not going to publicly discuss our security other than to say we are running as cgi,

Also are you running 2 versions of php side by side on your test environment?

 
 
Zander
Jr. Member
 
Total Posts:  15
Joined:  2007-10-30
 

@Camelothosting: Your posts suggest that you’re just going off the installation instructions rather than actually trying to install Magento in-line with your hosting setup. Is this correct or have you actually attempted a secure install and failed?

I run a Magento setup using the Nginx web server, PHP5 over FastCGI with XCache, and file permissions currently set to 664 although I could actually go more restrictive for files that PHP doesn’t need to write to.

My setup is about as far away from the Magento installation instructions as it could be and yet my Magento setup is fast, secure and has so far proven reliable.

I look on the installation instructions as a guide only - there’s nothing in them that suggests you can’t deviate from the instructions to suit your hosting setup and still have a working Magento install.

 
 
Camelothosting
Jr. Member
 
Total Posts:  10
Joined:  2007-11-25
 

Sorry didn’t know there were any other posts here,

one of our customers has tried to do an install,
we went through everything and it didn’t work,

we also gave Magento an account on one of our servers and last I checked they were unable to get it to work either,

so I don’t feel so bad,

I will give it another try sometime soon and let people know

 
 
SimpleHelixcom
Enthusiast
 
Total Posts:  906
Joined:  2007-08-31
Huntsville, AL
 

Let me just put in my two cents here,

if security is your main concern, I would already assume that you have php as cgi with suExec.

then just set your whole magento folder to 755, and running magento shouldn’t be a problem. right?

magento doesn’t necessarily require you to run under 777, it just needs apache writeable access, so if you’re running under cgi/suExec all you need is like 755.

777 is just mainly for hosts on mod_php that require apache write access. although not good from a security perspective, if you have a proper server setup, this shouldn’t cause much of a concern.

I’m pretty sure you already know about this but if not, then, just PM me, let’s get this sorted out.

 
 
Camelothosting
Jr. Member
 
Total Posts:  10
Joined:  2007-11-25
 

We have already tried this,

and it has not worked,

the setup is
php5.2.4
mysql 5.0.2
suphp

and there are no settings that we were able to make work,
and from the looks of it the Magento Developers were not able to get it to work either

We will give it another go in a few days

 
 
Camelothosting
Jr. Member
 
Total Posts:  10
Joined:  2007-11-25
 

Here is a brand new upload
http://209.85.34.82/

All folder permissions have been set to 755
the base htaccess folder has been commented out ( this is due to the php overrides located in it )

and as you can see it is still a 500 error,

Shoot me a PM for access to the magento demo account

 
 
SimpleHelixcom
Enthusiast
 
Total Posts:  906
Joined:  2007-08-31
Huntsville, AL
 

okay, that could be for a number of reasons.

are your files chowned to user:user?  and not root:root by any chance?

suphp requires all files to be chowned as user or you get the internal server error.

if you can give me an account on your server I can go and have a look.

just PM me the details.
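
The conditions raised in this thread as causes of a 500 under suPHP/suExec (group- or world-writable modes, files not owned by the account, php_flag lines in .htaccess) can be checked in one pass. The script below is an added example, not part of the thread and not Magento's or the host's tooling; the function name `audit_docroot`, the finding labels and the usage path are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). audit_docroot, its labels and the
# usage path are assumptions made for illustration.
#
# audit_docroot DIR [OWNER]
#   Prints one finding per line; returns 1 if anything was found, else 0.
#   OWNER is the account PHP scripts run as (name or numeric uid).
audit_docroot() {
    local root="$1" owner="${2:-$(id -u)}" findings
    findings="$(
        # Group- or world-writable entries (664/775/777-style modes).
        find "$root" \( -type f -o -type d \) -perm -0020 -print |
            sed 's/^/GROUP_WRITABLE /'
        find "$root" \( -type f -o -type d \) -perm -0002 -print |
            sed 's/^/WORLD_WRITABLE /'
        # Entries not owned by the account the scripts execute as.
        find "$root" ! -user "$owner" -print | sed 's/^/WRONG_OWNER /'
        # mod_php directives in .htaccess: Apache only accepts them when
        # mod_php is loaded; otherwise the request fails with a 500.
        find "$root" -type f -name .htaccess -exec \
            grep -HnE '^[[:space:]]*php_(flag|value)[[:space:]]' {} + |
            sed 's/^/PHP_DIRECTIVE /'
    )"
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage: ./audit.sh /path/to/docroot [owner]
if [ "$#" -gt 0 ]; then
    audit_docroot "$@"
fi
```

A clean run (exit status 0) means the tree matches the 755/644, single-owner layout discussed above; the directives it flags belong in a local php.ini instead, as mentioned earlier in the thread.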

 