I will give some background first. I have several websites that I am running on Ubuntu 20.04 Server. I also have another computer running Kali Linux. When I used OWASP ZAP from the Kali Linux computer to check all of my websites, it gave me some flags for the sites:
Cookie No HttpOnly Flag
Cookie Without Samesite Attribute
X-Content-Type-Options Header Missing
So, I wanted to edit my php.ini file and change the following (will deal with headers later):
session.cookie_httponly = 1
session.cookie_samesite = Lax
When I try to edit my php.ini file, I get the message that the php.ini file is read only; even when trying to edit as root.
Here is what I have done and found.
I am running:
Ubuntu 20.04 Server
Apache 2.4
PHP 7.4
Everything is updated/upgraded.
I tried:
sudo vi /etc/php/7.4/apache2/php.ini and got a warning saying that php.ini was read only.
Also tried sudo nano /etc/php/7.4/apache2/php.ini and got the same warning.
ls -l php.ini produces -rw-r--r-- 1 root root 73053
I then switched to root using su root and ran vi /etc/php/7.4/apache2/php.ini, which still gives the read-only warning.
Running as root, I then tried chmod 655 /etc/php/7.4/apache2/php.ini and it gave me: chmod: changing permissions of ‘/etc/php/7.4/apache2/php.ini’: Operation not permitted
I tried cd /etc/php/7.4/apache2 and then ls command. This produced:
conf.d php.ini php.ini~ php.iny~ php.inz~
I tried editing the php.ini~ file and was able to edit it.
Used systemctl restart apache2, which successfully restarted Apache.
Ran OWASP ZAP again; still same flags.
I then ran the following command:
php -i | grep 'Configuration File' This produced:
Configuration File (php.ini) Path => /etc/php/7.4/cli
Loaded Configuration File => /etc/php/7.4/cli/php.ini
I then edited this file: vi /etc/php/7.4/cli/php.ini
I was able to edit this file and then restart Apache.
After running OWASP ZAP again, I still get the warnings.
I was wondering if someone had an idea of what I am missing. Maybe all my /etc files are read only?
Thanks
Source: Ask PHP
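
An added example, not part of the original post: a small Python check that reports the same three ZAP findings from a saved copy of a site's response headers, so the effect of a php.ini change can be confirmed after each Apache restart without a full rescan. The function name audit_headers is hypothetical and both header dumps are constructed samples.

```python
# Added example: re-check the three ZAP findings from raw response headers.
# Both header dumps below are constructed samples, not captured traffic.

BEFORE = """\
HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=constructedvalue123; path=/
Content-Type: text/html; charset=UTF-8
"""

AFTER = """\
HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=constructedvalue123; path=/; HttpOnly; SameSite=Lax
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8
"""

def audit_headers(raw):
    """Return ZAP-style findings for one response's headers."""
    findings = []
    nosniff = False
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if not sep:  # status line or blank line
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "x-content-type-options":
            nosniff = nosniff or value.lower() == "nosniff"
        elif name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].partition("=")[0]
            attrs = {}  # cookie attributes, lower-cased for comparison
            for p in parts[1:]:
                k, _, v = p.partition("=")
                attrs[k.strip().lower()] = v.strip().lower()
            if "httponly" not in attrs:
                findings.append(f"{cookie}: Cookie No HttpOnly Flag")
            if attrs.get("samesite") not in ("lax", "strict", "none"):
                findings.append(f"{cookie}: Cookie Without Samesite Attribute")
    if not nosniff:
        findings.append("X-Content-Type-Options Header Missing")
    return findings

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(raw) or "no findings")
```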