Magento 2.3.0: Magento Unprotected XML
The permissions for .user.ini can be -rw-r----- (or 640 in octal). This removes access for anyone other than the owner and group members. (As Hunter said, you can check permissions by running ls -la in your Linux terminal/shell.)
Our Magento 2.3 site is running with .user.ini permissions of 640, so I can verify they do work. I ran the security scan today and our permissions on .user.ini pass. (However, I notice that I also got a false positive for another issue, so the scanner tool is not perfect.)
Regarding file and group ownership, our httpd service (Apache) runs as user and group apache. We give user apache read-only access to .user.ini, and we have a dedicated group named webdev (for developers) that has rw access to that file and is a member of wheel. apache is not a member of webdev and does not have sudo permission.
You can change owner and group in the Linux shell like this:
chown apache:webdev .user.ini
The command to create a group is groupadd on CentOS. See https://blacksaildivision.com/centos-create-user-group for more details.
Substitute your own user and group. It's best if the httpd service (apache) does not have write permissions on files in the DocumentRoot (pub/).
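An added audit script (not from this thread, and not part of Magento) that checks a .user.ini against the 640 rule described above: it fails when "other" has any access or the group has a write bit, and also warns when the file is owned by the web-server user with a write bit, following the point that the httpd user should not be able to write under pub/. The web-server user name is passed as a parameter; nothing here is Magento's own tooling.

```shell
#!/bin/sh
# Added example: audit the permission bits of a Magento .user.ini (or any file under pub/).
# Policy checked (from the thread above): mode 640, i.e. owner rw, group r, nothing for other.

# audit_mode SYMBOLIC_MODE -> prints findings; returns 0 when the mode is acceptable.
# SYMBOLIC_MODE is the first column of `ls -l` (e.g. -rw-r-----). A trailing "." or "+"
# (SELinux label / ACL marker appended by ls) is ignored.
audit_mode() {
  mode=$(printf '%s' "$1" | cut -c1-10)
  group_bits=$(printf '%s' "$mode" | cut -c5-7)
  other_bits=$(printf '%s' "$mode" | cut -c8-10)
  rc=0
  case "$mode" in
    ??????????) ;;                                  # exactly type + 9 permission chars
    *) echo "FAIL: unparseable mode '$1'"; return 1 ;;
  esac
  case "$other_bits" in
    ---) ;;
    *) echo "FAIL: 'other' has access ($other_bits); expected ---"; rc=1 ;;
  esac
  case "$group_bits" in
    *w*) echo "FAIL: group can write ($group_bits); the web-server group should be read-only"; rc=1 ;;
  esac
  return $rc
}

# audit_file PATH WEB_USER -> reads the real mode/owner/group with `ls -ld`, runs audit_mode,
# and warns when WEB_USER owns the file and the owner write bit is set (the httpd user
# would then be able to modify the file).
audit_file() {
  file=$1; web_user=$2
  [ -e "$file" ] || { echo "FAIL: $file does not exist"; return 1; }
  set -f                      # no globbing while word-splitting the ls output
  set -- $(ls -ld "$file")    # $1=mode $3=owner $4=group
  set +f
  echo "$file: mode=$1 owner=$3 group=$4"
  rc=0
  audit_mode "$1" || rc=1
  if [ "$3" = "$web_user" ]; then
    case "$1" in
      ??w*) echo "WARN: owner is the web-server user '$web_user' and has write access"; rc=1 ;;
    esac
  fi
  return $rc
}

# Usage: audit_file pub/.user.ini apache
```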
PRODSECBUG-1883: Leakage of Custom PHP settings from .user.ini File
Description:
Access to certain private files is not protected.
You can find more information about this and other bugs here.
This issue was addressed in 2.3.0. Make sure your permissions for .user.ini are set correctly. You may find this article helpful.
Permissions for .user.ini should be -rw-r--r--. Check by running ls -la in your Linux console.