The Joomla! Forum ™

I have installed the latest copy of joomla on a linux server, some directories and files can have the permisions changed but a lot cant changed. When logging in to my control panel and using the file manager, permissions are denied when trying to save a modified template for instance, and also denied when i try to change the permissions from 644 to 777. What is stopping me accessing any of the files when logged in as the owner.

Get a copy of this:
http://extensions.joomla.org/component/ ... Itemid,35/

Your host provider might be able to change your setup to make your account owner but if they don't have apache setup to use your user account this component is the best workaround.

_________________
Love, Live PHP.
Love, Live Joomla!
Super Sonic Man...do you want to buy a RockeTheme rocket? -Gary Jules

Chris, I am having that problem on a host for 3 of my sites. Check the ownership values for those files/directories that you cannot change. I have a stack of files and directories that cannot be touched that have somehow been given the owner values of "nobody 99". We are waiting on the host to CHMOD them back to my account but that has been several days of frustrated waiting until they get around to it. Apparently, so I have been told, there are quite a few sites on their servers that they will have to work through and do manually.

There hasn't been any sign of attack, it just happened after I let Joomla install a series of components, modules and mambots. Elsewhere there is a suggestion of using Joomla Explorer, this has no effect on those files, neither was I able to make any changes through CPanel.

I don't think this has a thing to do with Joomla and everything to do with settings on the Host but will know better once this gets cleared up.

Might I suggest you check your ownership values and if you see them as "nobody 99" get onto your Hoster to fix.

_________________
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
Do Not PM me looking for Help! Un-requested Help PM's will be Deleted Unread, and your ID added to my Ignore List

Update: Maybe it does have something to do with Joomla after all. After searching this on Google and finding many hits I found this site's thread  http://forum.jupload.biz/thread.php?threadid=511 which talks about a problem in the uploading script when run on systems with a higher security setting. He says he found this to be the problem;This dates back to 2005, surely we don't still have bugs like that in our systems? Tell me this would have been found before and fixed? And yes Mods, I searched the Forum before posting. The best help I found was this advice at http://forum.joomla.org/index.php/topic,198647.0.html where he suggests you rename the folder - if you can - then in FTP or Extplorer create a new folder with the original name and copy all the files across to it. He says that will give you permissions on all the affected files.

_________________
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
Do Not PM me looking for Help! Un-requested Help PM's will be Deleted Unread, and your ID added to my Ignore List

Thanks for that, sounds like it could be a long and drawn out fix whichever route is taken, it seems odd that that the documentation says you can modify files etc and yet they dont think its safe for you to own the files. Ill try my service provider first  i think...thanks again for your help

at the moment I am going down the suggested route.

• Copying the folders/files to my HD.
• Changing the name of the original folders/files on the site. (I use a prefix of "z_" as this makes sure I don't accidently point to or use the folder at a time when I am rushed or pressured. So "com_sef" would become "z_com_sef". )
• Copying the folders/files back to the site.

Yes it is a PITA. Yes it is drawn out, but it beats waiting and annoying the Hoster to get them to chown the things.
Later on they can go through and just delete anything with a 99 ownership. Done.

_________________
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
Do Not PM me looking for Help! Un-requested Help PM's will be Deleted Unread, and your ID added to my Ignore List

I dont want to upset you but I would push the hosting providers, I just asked mine to sort it out, it took them all of 30 secs to change the ownership back to me and everthing works hunky dory now

regards

Chris

Thanks Chris, I've been waiting almost a week now, might have to do some leaning on them

_________________
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
Do Not PM me looking for Help! Un-requested Help PM's will be Deleted Unread, and your ID added to my Ignore List

@Gents

This is not a Joomla! problem per' sai' but is brought about by the hosts configuration,  most likely running PHP as an Apache module. This means that PHP scripts have to run under the WebServers user account, hence when you upload something through Joomla! ( or any other Web Based Application ) the uploaded files are owned by the WebServer ( this can be any defined user, but is normally apache or nobody, the numbers you are seeing are the UserID's of this user instead of the name, that is all )

The interim/temporary fixes are as discussed;

  1. Use JoomlaExplorer, because this runs as the WebServer User account, it gives access to these mis-owned files.
  2. Have your host chmod (change-mode) directories to 777, which is pretty dangerous...
  3. Have your host chown (change-owner) the group to the WebServer User and owner to your account
      then chmod directories 775, and files to 664, which still is not a great fix...
  4. Have your host chown all files and directories to your account and chmod directories to 755, files to 644...

Or you could give your host a hard time about re-configuring their server more appropriately for WebBased Applications... 
Apache running PHP in CGI mode, PHP5, and install phpSuExec, which will then allow the WebServer to run temporarily as the users account, negating all these ownership problems.
Running scripts as the WebServer user ( apache or nobody ) has its own security implications depending on server configuration.

As for the quoted forum post elsewhere stating that this configuration is insecure,  with PHP5, register_globals off and a fair server configuration, this is more secure than running in module mode, with less problems.



As an aside, why is PHP running as a module insecure or problematic?
Well, apart from the above mentioned ownership problems for WebBased Applications, this configuration also actually provides quite a breeding ground for exploits, also making exploits difficult to detect, directly or indirectly through mod_security or host based tools.  Because scripts runs as the WebServer user, there is no easy way to determine who the real account was that the WebServer ran the script on-behalf of, so.....

  1. If the script goes zombie or hangs, there is a chance it will hang the WebServer parent process too.
  2. If the script goes rogue or run-away, the WebServer account has certain resource rights that a user doesn't
  3. If the script is rogue or an exploit, the script may now has access across multiple accounts on the server
  4. If the script is rogue and is doing something nasty, it is hard to track down where it is? as it has no user account responsibility
  5. If the script is rogue and Apache allows it, it can run servers, like IIRC servers without the knowledge of the account owner
  6. If the script is rogue and PHP allows it, it can send heaps of SPAM mail through the PHP mail function
  7. If the script is rogue and PHP allows it, it can effect attacks from inside or co-ordinate external DDoS or alike
  8. and the list goes on.....

This is not to say that PHP in CGI mode does not have its short-fallings also, but on the whole, they are less scary than in Apache Module mode....


Continuing with permissions, the default permissions are assigned in the absence of a directive, the defaults are;

  Directories  = 755
  Files          = 644

This is determined by the system or user UMASK, this number is taken away from the maximum permissions to acheive the systems default. Remember that permissions are managed in "octal" not "hex" or "decimal"

Most systems UMASK's are set to "022" ,  thus....

    Max Mode  =  777
    UMASK      =  022  -
                        -----
                        755 For a directory

Because most "normal" files are not executiable, the maximum mode is actually 666,  thus...

    Max Mode = 666
    UMASK    = 022  -
                      -----
                      644 For a File


For additional information, please refer to the following posts/FAQ's;

  What does Joomla! have to do with Unix file permissions?

  [url=http://www.joomlatutorials.com/faq/view/joomla_security_tips/permissions_under_phpsuexec/60.html]
Unix Permissions Under phpSuExec[/url]

  Joomla and Windows File Permissions - Explanation

Hope this helps clear a few things up for you....

_________________
Joomla! on the fabulous Sunshine Coast...
http://www.networksmarts.com.au/

Nice info RussW. 

_________________
Love, Live PHP.
Love, Live Joomla!
Super Sonic Man...do you want to buy a RockeTheme rocket? -Gary Jules

Next cab off the rank, if you are interested.......


OK, so now we know a little about UMASK, this may explain a little more about about how come, if the directory above is 777 and owned by another user, when I make a directory I still get 755 and 644?

Completely ignoring other aspects, such as "SetUid", SetGid" and "sticky bits", this is about "Actual Permissions" and "Effective Permissions"..... 


So, if have a typical directory...      drwx  rwx  rwx    root  root    dirone/

Lets break this out a little;

            Mode:          7          7          7
    __________________________________________________________
    d                      rwx        rxx      rwx      root      root    dirone/
    __________________________________________________________
    d = Directory  | Owner | Group | Others | Actual | Actual | Directory
    f = File          |          |          |          | Owner | Group | Name
    ________ ___|______|______|_______|______|______|___________ 
 
   
Now I log out of "root" and log in as another user..... say "user1" ....

  - I "change directory" (cd) in to "dirone/"
  - I make (mkdir) a new directory....  "russw/"  within  the existing "dirone/" directory...
    I can do this because root gave "others" Read, Write and Execute (rwx) permissions (777)

    Example :      dirone/
                        dirone/russw/

   
What permissions would be set on this new directory, "russw" ?
Oddly enough, 755 (rwx r-x r-x) ! Why is this?

              Mode:        7        5          5
    __________________________________________________________
    d                      rwx      r-x        r-x      user1    user1    russw/
    __________________________________________________________
    d = Directory  | Owner | Group | Others | Actual | Actual | Directory
    f = File          |          |          |          | Owner | Group | Name
    ___________ |______|______|_______|______|______|___________ 

    - This occurs because of the system UMASK, it is applied to my new directory as my "Effective Permissions"

    - Remember for directories:      Max-Mode - UMASK =  Default Mode

                                  thus:            777    -  022    =  755


    - Although I have "Actual Permissions" of ( 7 ) rwx ( I entered this directory as an "other" user, because if you remember
      root was the "owner" and "group" and I am now user user1 )

      So as root, I have full access to all directories below the Top-Level, but as other users ( user1, in this example ) I acquire only
      "Effective Permissions" on my own directories and files of 755 ( rwx r-x r-x ) and 644 ( rw- r-- r-- ), respectively.

This action means that the Systems Administrator can configure a Top-Level" direcotry for a specific server or enterprise wide purpose, but users data is still protected underneath that directory. This might be in the case of something like user homes, or in our case different Web Hosting Accounts in the "home/" directory.
   
So, this is what the UMASK is used for, how Unix default permissions ( Modes ) are determined dynamically by the system....

_________________
Joomla! on the fabulous Sunshine Coast...
http://www.networksmarts.com.au/

Thanks Russ, that clears up a lot of problems.
One minor point, with the 99's in my site neither JoomlaExplorer, nor the later version called Extplorer, will  give me access to change the permissions, neither will FTP access, nor will it permit the Master Site owner to do anything.
The best that I have been able to do has been to copy the folders/files to my HD, Change the folder names to make it clear they no longer operate. Then upload the folders/files. That is the ONLY way I can get permissions and control over them.
I am still - yes still - waiting for advice that the Host will correct the permissions. Another letter on its way but now it will have a link to the information that you have posted.

_________________
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
Do Not PM me looking for Help! Un-requested Help PM's will be Deleted Unread, and your ID added to my Ignore List

This is most likely because your host is not translating the UiD to the Account (you're not seeing the name) thus it is a "one-time" shot that the files are uploaded, afterwards, only the "UiD" has access to them, this is not such a good configuration, unless it is intentionally configured this way by the host using SetUID and SetGiD for some other reason, either through Apache or most likely PHP.

_________________
Joomla! on the fabulous Sunshine Coast...
http://www.networksmarts.com.au/

ilox,
I think you have been procrastinating on changing providers.
Time to look for a provider who is responsive to your needs. 

_________________
Love, Live PHP.
Love, Live Joomla!
Super Sonic Man...do you want to buy a RockeTheme rocket? -Gary Jules

@Russ,
thanks again for the info, have passed it all to the Host through the agent. See what comes out of this latest push.

@exrace 
I don't want to leave the Host as the agent has been so good to me with help and advice plus extra sites for the family. The agent has become a good friend as we have been working together to resolve issues so I think you can see how hard it would be to leave right now. The agent is pushing the Helpless Desk to get these matters cleared up, hopefully that wont take too much longer.

_________________
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
Do Not PM me looking for Help! Un-requested Help PM's will be Deleted Unread, and your ID added to my Ignore List

Funny how much that is used! ;0

_________________
Love, Live PHP.
Love, Live Joomla!
Super Sonic Man...do you want to buy a RockeTheme rocket? -Gary Jules

Well I guess it is because so many of the Helpless Desks really do their best to earn that title.

I got upset with one silly mob the other day that were outstanding in their stupidity and misunderstanding of their own systems and in a conversation with a friend I referred to the Desk Staff as being a 1st Class IT crew. 1st Class as meaning that they had attended only their 1st Class in Computer Studies and were way out of their depth in the real world.

And to any really good Desk Denizens out there, my apologies, I admit I am making generic statements and I am well aware that there are some excellent Help Desk Staff out there, the problem is that as soon as they show skills at actually resolving problems they usually get promoted

Now, back to the thread, still no answer from them but I am hopeful that this will get fixed.

_________________
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
Do Not PM me looking for Help! Un-requested Help PM's will be Deleted Unread, and your ID added to my Ignore List

I am retired now but during my working days I have learned to NOT ever do business with family or friends.
By all means keep them as friends but only as friends.

A good place for a host that responds within the blink of an eye (figuratively) is the one that this site is hosted at. Rochen.

_________________
There is no failure until you give up.
Chris
http://www.sengers-au.com

I had the same problem with trying to change a image file in my templates directory. I couldn't change the file permissions either i would get a access denied error. so i would change the file permissions in Global Configuration under the server tab. Then change File Permissions and Directory Permissions to 777 under (CHMOD new files) on both also check (apply to existing files) on both as well. Thats it when I do that I can change, edit, overwrite, delete, and upload anything to any directory. Just don't forget to change the it to (Dont CHMOD new files) when your done. I hope this helps somebody

I have been beating myself up all day over this issue.

I was just starting to setup a new site on a new dedicated server and was running into this permission issue.  I have never had problems in the past with my other server and could just not figure out why my new Joomla install insisted I had Globals turned on when I had the setting off, and why any components got installed with 99/nobody user rights.  I am no noob, I have 30 or so Joom sites under my belt.

I was running on the default php4 and never bothered to turn on 5 since I had no need or any components screaming at me for 5.

I read over RussW's post 3 or for times and this stuck in my eye everytime I read it.



I knew my host did in fact use phpSuExec, so why the heck did nothing work right even though it looked ot be configured right?

I needed to have PHP5 enabled.

PHP4 was causing my issues.

My host allows PHP4 or 5 by adding



to the .htaccess file.

/slaps head