On March 26, 2019 we launched new MODX Forums. Please join us at the new MODX Community Forums.
Subscribe: RSS
  • Hi Guys.

    What is the recommended solution to locking down this file under IIS or a Windows/Apache host combo?

    Currently - using NTFS permissions - it is set to Everyone : Read/Read&Execute with no other permissions assigned to it. It is also set to read only and under IIS - its permissions are read only.

    However - the warning still appears every time I log into the manager that the config file is still able to be written to.
    • If you speak to your web host they need to right click the file and select properties then check the read only option.

      Some FTP server software also allows you to use chmod on the file in FTP to 777

      For me we use gene6ftp server and this does not allow chmod commands instead i created a custom command which my users can use in ftp to set a file read-only or not
        UK MODX Hosting with love.
      • Unfortunately using CHMOD to change the permissions on the file is not a viable option as this is a Windows 2003 Server running IIS - not a *nix system and apache combo.

        This is a file residing on my server at home to which I have full unrestricted access.

        The file is set to read only using NTFS permissions for the IUSR account - and is set to read only in the filesystem.
        If IIS were to attempt to write to the file it would fail - so I am reasonable sure that it is safe - but the error is a false positive

        I can account for this because the first time I setup MODx I had not enabled write access and I had to manually edit the file because IIS/MODx was unable to do so.

        As a result - this is why I asked how to remove that message.
        • Not sure if you found out how to remove the check - the check can be bypassed by commenting out the following lines in config_check.inc.php in the manager/includes directory:

          if (is_writable("includes/config.inc.php")){
              // Warn if world writable
              if(@fileperms('includes/config.inc.php') & 0x0002) {
                $warningspresent = 1;
                $warnings[] = array($_lang['configcheck_configinc']);      

          (Note to all - The above change is only recommended for people who are running on Windows servers where PHP can’t properly check file permissions - and, as pointed out by Caledai, make sure that the file permissions are manually verified)

          Hope that helps,
            Garry Nutting
            Senior Developer
            MODX, LLC

            Email: support@modx.com
            Twitter: @garryn
            Web: modx.com