Table of Contents

  1. Introduction

  2. What is install.lock in Dolibarr?

  3. When and How is install.lock Created?

  4. Why is install.lock Critical for Security?

  5. Risks of a Missing or Deleted install.lock File

  6. How to Check for install.lock in Your Installation

  7. Creating the install.lock File Manually

  8. Automating install.lock Validation in Production

  9. Common Mistakes Administrators Make

  10. Real-World Exploits and Scenarios to Understand

  11. How Dolibarr Uses install.lock Internally

  12. Integrating install.lock Checks in CI/CD Pipelines

  13. Comparing install.lock to Security Mechanisms in Other ERPs

  14. Best Practices for Managing install.lock Across Environments

  15. Recommendations for Hosting Providers and Integrators

  16. Final Words

1. Introduction

In the world of open-source ERP and CRM systems, Dolibarr stands out for its simplicity, modularity, and ease of deployment. However, like any web-based application, it is not immune to misconfigurations or oversights that can lead to serious vulnerabilities. One such often-overlooked aspect is the presence—or absence—of the install.lock file. This small file plays a crucial role in securing your Dolibarr instance. In this detailed article, we explore what install.lock is, why it matters, and how to manage it responsibly.

2. What is install.lock in Dolibarr?

The install.lock file is a simple flag file that indicates the Dolibarr setup wizard has been completed. When present, it blocks access to the /install/ directory to prevent unauthorized users from re-running the installation scripts, which could otherwise compromise the application.

Location:

/dolibarr_root/install.lock

It is typically an empty file or contains a small confirmation string, but its presence alone is what matters.

3. When and How is install.lock Created?

During the initial Dolibarr installation process:

  1. You fill out database settings, admin credentials, and other configuration details.

  2. Once the setup wizard completes successfully, Dolibarr attempts to create the install.lock file.

Depending on server permissions:

  • The file is automatically written if Dolibarr has write access to its root directory.

  • If not, the system may prompt the admin to create it manually.

4. Why is install.lock Critical for Security?

Without this file:

  • The /install/ directory remains accessible.

  • Malicious users could re-launch the installer.

  • They might overwrite the configuration or reset the admin password.

  • This exposes your data, credentials, and business processes to hijack.

It acts as a safety gate, ensuring that only the initial setup can run once.

5. Risks of a Missing or Deleted install.lock File

1. Unauthorized Reinstallation

If an attacker accesses /install/ and reruns the setup, they can point the system to their own database or overwrite yours.

2. Admin Credential Reset

An exposed installation wizard may allow redefinition of the admin login, effectively giving full access to intruders.

3. Configuration Leakage

Even if no changes are made, the setup process can expose sensitive system details (like server name, DB type).

4. Reputation and Compliance Damage

Such a breach can lead to data loss, privacy violations, and legal consequences depending on your region’s data protection laws.

6. How to Check for install.lock in Your Installation

  1. Use SSH or your hosting file manager to access the Dolibarr root directory.

  2. Look for a file named install.lock

  3. If missing, your system is at risk.

  4. Test by visiting https://yourdomain.com/dolibarr/install/

    • If the wizard appears, the lock is not active.

7. Creating the install.lock File Manually

If Dolibarr cannot write the file during setup:

  1. Create a new file named install.lock

  2. Place it in the Dolibarr root directory.

  3. Use the command:

touch /var/www/html/dolibarr/install.lock

  1. Or with content:

echo "installed" > /var/www/html/dolibarr/install.lock

  1. Set proper permissions (e.g., 644)

This simple step locks down your system instantly.

8. Automating install.lock Validation in Production

For teams with DevOps workflows:

  • Add a script to CI/CD pipelines that checks for install.lock

  • Include it in server hardening checklists

  • Use cron jobs to monitor file presence and permissions

Example shell script:

if [ ! -f /var/www/html/dolibarr/install.lock ]; then
  echo "[SECURITY ALERT] install.lock is missing!" | mail -s "Dolibarr Warning" admin@yourdomain.com
fi

9. Common Mistakes Administrators Make

  • Assuming Dolibarr created the file automatically

  • Deleting install.lock during upgrades or migrations

  • Moving Dolibarr to a new server and forgetting to recreate it

  • Setting the wrong permissions (e.g., world-writable)

Always verify install.lock is present after any major system change.

10. Real-World Exploits and Scenarios to Understand

In some forums and bug reports, admins have shared:

  • Unauthorized changes to configuration.php after reinstallation

  • Replacement of admin credentials without triggering alarms

  • Hijacked accounts due to exposure of the installer

These are preventable by enforcing the presence of install.lock.

11. How Dolibarr Uses install.lock Internally

Dolibarr uses this file as a simple conditional:

  • If install.lock is present → block access to /install/

  • If absent → enable access to the installation wizard

This logic is implemented in /install/index.php and enforced globally.

12. Integrating install.lock Checks in CI/CD Pipelines

For developers deploying Dolibarr in automated environments:

  • Add a post-deploy step to verify install.lock

  • Example (in GitLab CI):

after_script:
  - test -f /var/www/html/dolibarr/install.lock || exit 1

  • Fail builds or raise alerts if missing

This helps catch oversights before they reach production.

13. Comparing install.lock to Security Mechanisms in Other ERPs

System Security Flag File Equivalent Purpose
Dolibarr install.lock Block reinstallation
WordPress wp-config.php existence Prevent rerun of setup
Joomla configuration.php check Prevent reinitialization
Prestashop install directory removal Lock installer

Dolibarr follows a similar pattern but requires manual checks more often.

14. Best Practices for Managing install.lock Across Environments

  • Always include install.lock in production but exclude from source control

  • Never allow it to be world-writable

  • Don’t rely solely on Dolibarr; use web server rules to block /install/

  • Document its presence in security policies

  • Ensure backups don’t exclude this file

15. Recommendations for Hosting Providers and Integrators

If you’re offering Dolibarr as a service:

  • Set up automated scans for missing install.lock

  • Lock down the /install/ directory at the webserver level (Apache/Nginx)

  • Alert customers if the file is missing

  • Provide onboarding scripts that generate this file after install

16. Final Words

The install.lock file may seem insignificant, but it’s a cornerstone of Dolibarr’s security posture. Without it, your ERP system is wide open to manipulation. Administrators, integrators, and hosting providers must all treat this file as essential infrastructure.

Regular audits, thoughtful automation, and good documentation will ensure your system stays protected. Never underestimate the impact of a missing lock file.