Hello all,
1. Today I tried to upgrade from 5.1.46 to 5.1.53, but it failed many times. The error is “Cannot update system because files are not writeable!”. How can I fix it?
2. I used the Health Check of InvoiceNinja and see a problem with Open Basedir. I don’t know how to enable Open Basedir to fix it. I am using my own VPS (Ubuntu 20.4 + CyberPanel).
From a security perspective it would be good to not allow the webserver to modify any files that don’t need modifying. In other words, before an update you could ask the user to temporarily update the permissions so the updater can do its job. Once the update is done, file permissions should be set to read-only for the webserver, only leaving things like storage read-write.
While I could trial and error I’d appreciate it very much if the developers could let us know which files need read-write access under normal circumstances so that all others could be set read-only: there are many directories & files and I don’t know which ones need read-write access while the system is not being updated.
The problem is most likely due to the .git folder, which is still present. Either chown this to the webuser or remove it completely.
In regards to which files need to be owned by the webuser, everything under the public folder. Best security principles would set the docroot to /public which means everything under this level would be safe to be owned by the webuser.
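
An audit along the lines discussed in this thread, as an added example that is not part of any post and is not Invoice Ninja's own tooling: it lists every path the web server user can write to outside the directories that are meant to stay writable. The function name, its arguments and the sample call are assumptions; `storage` is the directory named above. It checks owner and world write bits only, not group membership or ACLs.

```shell
#!/bin/sh
# audit_writable ROOT WEBUSER [ALLOWED_DIR...]
#   ROOT         install directory to audit (assumption: supplied by the caller)
#   WEBUSER      user name or numeric uid the web server runs as
#   ALLOWED_DIR  sub-directories, relative to ROOT, that may stay writable
# Prints one relative path per line for each file or directory that WEBUSER
# can modify (owned by WEBUSER with the owner write bit, or world-writable)
# and that is not inside an ALLOWED_DIR. Symlinks are skipped because their
# mode bits are meaningless.
audit_writable() {
    root=$1; user=$2; shift 2
    if [ ! -d "$root" ]; then
        echo "audit_writable: $root is not a directory" >&2
        return 2
    fi
    ( cd "$root" || exit 1
      find . ! -type l \
          \( \( -user "$user" -perm -200 \) -o -perm -002 \) -print
    ) | while IFS= read -r path; do
        rel=${path#./}
        keep=1
        for allowed in "$@"; do
            case $rel in
                "$allowed"|"$allowed"/*) keep=0 ;;
            esac
        done
        if [ "$keep" -eq 1 ]; then
            printf '%s\n' "$rel"
        fi
    done
    return 0
}

# Sample call (constructed path and user, adjust to your server):
#   audit_writable /path/to/install www-data storage
```

An empty result means nothing outside the allow-list is writable by that user; a `.git` entry in the output points at the leftover folder mentioned in the reply above.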