Joomla! Discussion Forums



Posted: Fri Jul 21, 2006 7:47 am 
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
Correct, you need 777 permissions for users to be able to upload images. 

Not really, most users are insightful enough to read an entire thread before they try things like that.  If not, maybe that will teach them to  :laugh:  It is bad practice to not read through more discussion when following advice in a post where there is clearly follow up.  Additionally, we are working on a comprehensive guide to permissions that will be finished eventually, hopefully making threads and inquiries like this unnecessary.  And lastly, this is a rather old thread and I forgot that I had written it until the thread was dug up recently.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Fri Aug 04, 2006 5:32 pm
Joomla! Enthusiast

Joined: Wed Jul 05, 2006 5:27 pm
Posts: 139
Ok so I just read this post and I don't see a simple answer. From the description I will need to provide FTP access to people using the site so they can secure permissions. Most of the people I work with can't manage to deal with typing content into Joomla let alone FTPing. I need a safe but simple solution for users that will allow for images to be uploaded and content added.

I need users to be able to log in and use wysiwyg pro (upload images allowed)
but I also need the permissions set so that an evildoer cannot break the system.

I am logged into root shell access in the web root.
What commands do I enter to set the permissions properly?
Please be specific so that there is no confusion.

/var/www/vhosts/site.com/httpdocs/chmod ....(???)
/var/www/vhosts/site.com/httpdocs/chgrp ....(???)
/var/www/vhosts/site.com/httpdocs/chown ....(???)


Posted: Sat Aug 05, 2006 6:42 am
Joomla! Apprentice

Joined: Thu Oct 13, 2005 11:16 am
Posts: 16
Hi,

  I've got two questions:

  1. It seems to me that Newsfeeds require the cache directory to be 777, is this correct?

  2. If I have root access, what is the best solution?

Thanks,
Chris


Posted: Sat Aug 05, 2006 7:19 am
Joomla! Master

Joined: Thu Aug 18, 2005 7:13 am
Posts: 13255
Check the owner of the cache directory. If you have shell access, change the owner of that directory (with chown) to the user that runs that Apache process. This is the same process that Joomla runs on. If this is done, 755 is more than enough.

_________________
Antonie de Wilde - Forum admin
All Joomla! release dates and days between releases: http://jfoobar.org/blog/189-days-betwee ... a-releases.test


Posted: Sun Aug 06, 2006 6:54 am
Joomla! Apprentice

Joined: Thu Oct 13, 2005 11:16 am
Posts: 16
Tonie, thanks for that.

    I do have root access.
    Suppose that apache is run as 'nobody' and my Joomla files and folders are owned by 'fred', would it be best to :

a. Change the owner of all my files & folders to nobody and set folder permissions to 755, files to 644?
    i.e filea nobody:nobody
    I'm assuming that I've already ftped the site and will no longer need ftp, if I did I could make 'fred' the group
    i.e filea nobody:fred

b. Leave the owner of all files and folders as 'fred' and just change the group to 'nobody' i.e filea fred:nobody

  Which do you think would work and be most secure?
  Any help with the actual commands to do this would be most appreciated  ;)

Thanks,
Chris

PS    I have multiple sites and am worried that if one gets hacked and the hacker can run as nobody (as could have happened via the recent SQL injection problem) then they're all vulnerable. However I suppose in that case they would be anyway.


Posted: Sun Aug 06, 2006 9:17 am
Joomla! Master

Joined: Thu Aug 18, 2005 7:13 am
Posts: 13255
This is what I normally do (until somebody proves me a better way ;) ).

* When you FTP a Joomla install to your site, all files/folders have 'fred' ownership.
* When installing, you create configuration.php as well with 'fred'.
* Don't install your templates through the administrator backend, just copy over the directory with your FTP account.
* After installing components, the files from those are with 'nobody' ownership.
* Change the cache directory to 'nobody' ownership.
* Set all permissions to 755 directories/644 files.

I normally leave it like this. I like the FTP user permissions. If somebody is able to hack your site, they will normally have 'nobody' access to your site. They are able to read your configuration.php, but can't change any of the template files or configuration.php itself.

_________________
Antonie de Wilde - Forum admin
All Joomla! release dates and days between releases: http://jfoobar.org/blog/189-days-betwee ... a-releases.test
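
The scheme in the list above as shell commands, as an added example that is not part of the original post. The function names are hypothetical, the site root and the web server account (`nobody` in this thread) are passed as arguments, and the ownership change only runs when the caller is root.

```shell
#!/bin/sh
# Added example (not from the thread): directories 755, files 644, and only
# the cache directory handed to the account Apache/PHP runs as.
# Usage: apply_joomla_perms /path/to/site nobody

apply_joomla_perms() {
    root=$1        # site root, the directory holding configuration.php
    web_user=$2    # optional: web server account, e.g. nobody

    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }

    # Directories need the execute (search) bit and files do not, so the two
    # are handled separately instead of with one recursive chmod.
    # find does not follow symlinks here, so links out of the tree are skipped.
    find "$root" -type d -exec chmod 755 {} + || return 1
    find "$root" -type f -exec chmod 644 {} + || return 1

    # Only root can give files away. Skipped when no account was named,
    # when not running as root, or when there is no cache directory.
    if [ -n "$web_user" ] && [ "$(id -u)" -eq 0 ] && [ -d "$root/cache" ]; then
        chown -R "$web_user" "$root/cache" || return 1
    fi
}

# Lists files and directories still writable by "other".
# Prints nothing once apply_joomla_perms has run over the same tree.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}
```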


Posted: Sun Aug 06, 2006 2:22 pm
Joomla! Guru

Joined: Sat Sep 10, 2005 10:31 pm
Posts: 823
Good post, Tonie :)

Tonie wrote:
* After installing components, the files from those are with 'nobody' ownership.


I would like to add: "Change ownership to 'fred' for a little bit better security."

_________________
We may not be able to control the wind, but we can always adjust our sails


Posted: Sun Aug 06, 2006 3:47 pm
Joomla! Apprentice

Joined: Sun Aug 06, 2006 3:22 pm
Posts: 13
This issue should be a sticky with separate sections for different hosting environments. Since Joomla is the #1 CMS out there.

I run over 40 Joomla Sites, each one I do the following during install on a Dedicated Environment Shell Win SCP -

Transfer the Joomla core to the base hosts folder along with a perl script that chmods and chowns to the folders/files to the website's FTP ownership and Server Group, for me it's:
chown -R owner ./*
chgrp -R psacln ./*  (Plesk Server)

Then in same script I also set chmod -R 777 on the needed FOLDERS only, leave files at 644 default permissions. Once you're done with the Install steps, I delete the install stuff and finish off the components/modules I'm using. Once that is done and I know no more backend installing is needed I set the folders to 755 except the Cache and Images folder I leave at 777 for the uploading of images. Since no php files exist and the index file in there should be 644 no write access to it so it's fine.

Then I set the config file to 644 and chown it to APACHE, since no sites have a shell/bin account no one has APACHE access except when logged into Shell - SSH. Also the only IP allowed to access SHELL via Firewall is the IPs listed and such. This locks down the apache side, but as I said this is a Dedicated server.

As long as the files are not 777 writeable by anyone, using the .htaccess file suggested along with locking down the administrator folder via .htaccess, most Hosting Control Panels have an option to Password a folder, USE IT. This will add 1 more step a hacker must get by.

Prior to closing down Shell I rerun a perl file that resets the same folders in 1st script and resets and installed components/modules to the same chown/chgrp settings. Sorta a turn on 777 then a turn off 777 to 755.

This should leave you with a secure site and only hackable by FTP - and not by any server script running an exploit, even if that exploit may exist in the site's files.

Of course the other settings suggested should be used on the BASE php file, Call your Host and request it be done, for at least your site, if they won't, CHANGE PROVIDERS. It only takes a few hours to Propagate a DNS change..... and a DB dump will save your site... Don't let a host not securing their server to allow your site being hacked.

p.s. only 1 of my sites got hit, which was on a separate host using joomlaboard, this site no longer runs on that server as they will not turn off php settings. 72 hrs of DNS updates and it was back.


Posted: Mon Aug 07, 2006 5:05 am
Joomla! Fledgling

Joined: Mon Oct 17, 2005 8:11 pm
Posts: 2
iamkrom wrote:
Then in same script I also set chmod -R 777 on the needed FOLDERS....


Can you share this script? That would be very helpful to me rather than recreating one.

Best regards, TurboJones


Posted: Tue Aug 08, 2006 3:09 pm
Joomla! Fledgling

Joined: Tue Aug 01, 2006 5:31 pm
Posts: 4
Many thanks to those contributing to this thread. As a newbie I found it really helpful.

It looks to me like Joomla has some facilities for handling the unwriteable issue, but they only appeared on my (1.0.10) installation when I changed the configuration.php file owner to nobody. The details are below for those who want to know more.

From results in step 4) it looks to me like Joomla can override the unwriteable status when the configuration file owner and group are nobody. How dangerous would it be to leave nobody as the file owner and group when the file is set to 444?

Would this be safe on a shared hosting environment?
-r--r--r--    1 nobody  nobody      2503 Aug  8 09:07 configuration.php

Regards,

William


---------------------------------
Joomla 1.0.10

1) when permissions are:

-rw-r--r--    1 myftp_id myftp_id 2503 Aug  8 09:07 configuration.php

Joomla -> Global Configuration says:

configuration.php is :  Unwriteable


2) when permissions are:

-rw-r--r--    1 nobody  myftp_id 2503 Aug  8 09:07 configuration.php

Global Configuration says:

configuration.php is :  Writeable    | |  Make unwriteable after saving

If I tick the  box 'Make unwriteable after saving?' and Save ...

permissions become:
(ie the 'w' permission is removed as would be expected)
-r--r--r--    1 nobody  myftp_id 2503 Aug  8 09:07 configuration.php


3) when permissions are (ie after above step):

-r--r--r--    1 nobody  myftp_id 2503 Aug  8 09:07 configuration.php


Joomla -> Global Configuration says:

configuration.php is :  Unwriteable    | | Override write protection while saving

I tick 'Override' box and try to Save...
An Error Has Occurred! Unable to open config file to write!


4) when permissions are:
(same as step 3 but group owner is now also set to nobody)

-r--r--r--    1 nobody  nobody      2503 Aug  8 09:07 configuration.php

Global Configuration says:

configuration.php is : Unwriteable | | Override write protection while saving

If I tick the Override box the changes are saved without error.

Permissions on the file remain the same so these settings work.


5) when permissions are:

-r--r--r--    1 myftp_id nobody      2504 Aug  8 09:25 configuration.php

Global Configuration says:

configuration.php is :  Unwriteable


Posted: Tue Aug 08, 2006 6:38 pm
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
wmmyg wrote:
Many thanks to those contributing to this thread. As a newbie I found it really helpful.

It looks to me like Joomla has some facilities for handling the unwriteable issue, but they only appeared on my (1.0.10) installation when I changed the configuration.php file owner to nobody. The details are below for those who want to know more.

From results in step 4) it looks to me like Joomla can override the unwriteable status when the configuration file owner and group are nobody. How dangerous would it be to leave nobody as the file owner and group when the file is set to 444?

Would this be safe on a shared hosting environment?
-r--r--r--    1 nobody   nobody       2503 Aug  8 09:07 configuration.php

Regards,

William


This is not safe.  By chown/chgrp'ing configuration.php to nobody:nobody you are making it possible for pretty much any PHP/Perl/ASP/etc. script on the server to be able to modify your configuration.php file... needless to say, not exactly the ideal situation.  I think the override file permissions option box is more ideal for people in environments where suexec is being used and open_base_dir restrictions are in effect.  Meaning, only files that I own and are in this folder or lower can modify that file.  It is safer to an extent because as I said, only you and files on the server that are owned by you can modify the configuration.php file then.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
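
A check for the situation discussed above, as an added example that is not part of the thread: a file's owner can always `chmod` it writable again, so a 444 `configuration.php` owned by the web server account can still be changed by anything running as that account. The function below (hypothetical name `web_writable_report`; the account is passed as a name or numeric id) lists every file and directory under a site root that the web account can modify, with the reason.

```shell
#!/bin/sh
# Added example (not from the thread): report what the web server account
# can modify under a site root. One line per path: "<reason><TAB><path>".
#   owner  path is owned by the web account; mode bits do not protect it,
#          because the owner may chmod it back to writable at any time
#   group  path is group-writable and its group is the web account's group
#   world  path is writable by everyone
# Directories are included: write access to a directory allows replacing or
# deleting the files inside it, whatever the files' own modes are.
# Usage: web_writable_report /path/to/site nobody nobody

web_writable_report() {
    root=$1
    web_user=$2                 # name or numeric uid of the Apache/PHP account
    web_group=${3:-$web_user}   # name or numeric gid; defaults to the same name

    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }

    # The -o chain stops at the first branch that matches, so each path is
    # reported once, with the strongest reason first.
    find "$root" \( -type f -o -type d \) \( \
        -user "$web_user" -exec printf 'owner\t%s\n' {} \; \
        -o -group "$web_group" -perm -0020 -exec printf 'group\t%s\n' {} \; \
        -o -perm -0002 -exec printf 'world\t%s\n' {} \; \
    \)
}
```

An empty report for the web account, apart from the directories that are deliberately writable (cache, image uploads), is the target state.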


Posted: Wed Aug 09, 2006 2:14 pm
Joomla! Fledgling

Joined: Tue Aug 01, 2006 5:31 pm
Posts: 4
>I think the override file permissions option box is more ideal for people in environments where suexec is being used and open_base_dir restrictions are in effect.

Right, I think I get it now. File permissions rather than owner permission is the way to go. Many thanks for that, Rob.

Cheers,

William


Posted: Wed Aug 09, 2006 5:57 pm
Joomla! Apprentice

Joined: Thu Oct 13, 2005 11:16 am
Posts: 16
Hi,

  Thanks for all the information from seasoned contributors. I'm hoping to get to a definitive setup for those of us who have ssh access.

  One rather basic question first about users and groups. The standard use on unix machines, I believe, is to set up a group - say 'developers' and then have a number of 'users' within that group.
  What seems to be suggested here with regard to Joomla folders and files is not to use groups in that way.

  I.E. in my example where the user is created via CPanel as say 'fred' the account has fred:fred as the user:group
  Say Apache is being run as 'nobody' then looking on my system the user:group is nobody:nobody
  It seems I can, in effect, treat the user and the group privileges on a file or folder as two alternative 'users'. This would only be the case if there are no true groups - as I've described above. Is this really so?

  If I want a component such as eWeather or an RSS feed to work it has to be writeable via Apache, but it looks as though I can achieve this by setting the group attributes to read & write. So all of the files and folders will be owned by 'fred' and some of the folders and files (only those necessary for components such as eWeather) would have the group changed to 'nobody'

e.g. foldername  drwxrwxr-x  fred  nobody
     filename    -rwxrw-r--  fred  nobody

Any thoughts?

Regards,
Chris


Posted: Tue Aug 29, 2006 9:38 am
Joomla! Apprentice

Joined: Tue Aug 29, 2006 9:21 am
Posts: 10
Hi. I'm a new Joomla! user and have been having some problems with file permissions. I inherited a site that was built in Joomla! and my client wants to put more images on line. The image gallery is set up using Zoom, so I sized thumbnail and viewsize images and FTP'd everything up to the server. I then attempted to scan the directory to add these images to the site database. Images were duly scanned and came up with previews. When I told Zoom to 'upload' I got an error back pointing to two specific files in Zoom as follows:

-- failed to open stream: Permission denied in /components/com_zoom/lib/UnixPlatform.class.php on line 40 and
-- No such file or directory in /components/com_zoom/lib/toolbox.class.php on line 335

After reading this post, I chmod'ed the permissions on these two files (on the server) from 644 to 777 (all read/write/search) and tried again...

...and I got exactly the same result.

I'm hoping that someone out there might be able to shed a little light here!! 

Thanks in advance, MIKE


Posted: Tue Aug 29, 2006 9:47 am
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
It looks like you cut out parts of the error message, what was the whole message?

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Tue Aug 29, 2006 8:47 pm
Joomla! Apprentice

Joined: Tue Aug 29, 2006 9:21 am
Posts: 10
RobS wrote:
It looks like you cut out parts of the error message, what was the whole message?



Hi Rob. Rest of message was path to file from login onwards. Didn't see it as being relevant in this instance but the full path is:

Warning: copy(/home/pinkfloy/public_html/J/images/zoom/NZ-2005/nz2005_021.jpg): failed to open stream: Permission denied in /home/pinkfloy/public_html/J/components/com_zoom/lib/UnixPlatform.class.php on line 40

Warning: getimagesize(/home/pinkfloy/public_html/J/images/zoom/NZ-2005/nz2005_021.jpg): failed to open stream: No such file or directory in /home/pinkfloy/public_html/J/components/com_zoom/lib/toolbox.class.php on line 335

As I'm trying to upload about 100 images, it happened once for each image and ended with:

"0 media uploaded succesfully!"


Posted: Tue Aug 29, 2006 8:51 pm
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
Make sure the directory "/home/pinkfloy/public_html/J/images/zoom/NZ-2005/" is world writable (777).  That is probably what is causing the problem.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Thu Aug 31, 2006 2:06 am
Joomla! Apprentice

Joined: Tue Aug 23, 2005 4:31 am
Posts: 21
My Host has recently Chowned my sites to my user names which has removed all problems as far as bad file descriptors and permission setting.

When I set file permissions in Joomla global config should that recurse through the whole site? This does not appear to be happening....I am clicking the check box to change existing...What is the best method for setting file and folder permissions?

Cheers


Posted: Thu Aug 31, 2006 11:00 pm
Joomla! Apprentice

Joined: Tue Aug 23, 2005 4:31 am
Posts: 21
Bump - Anyone have tips on the above post?


Posted: Thu Aug 31, 2006 11:41 pm
Joomla! Apprentice

Joined: Fri Nov 18, 2005 7:06 pm
Posts: 27
FireFrog....

If your Host set the Owner of the Files (not group) to something Other than the Apache Name, then no the Admin screen Permission Change attempt will not work.


If they Changed the files to your FTP ID (which is the BEST thing to do) then you will need to use an FTP program or your Hosting Account Control Panel > File Manager to set Permissions.

Call them and ask what user Name they set 'em to...


Posted: Fri Sep 01, 2006 2:14 am
Joomla! Apprentice

Joined: Tue Aug 23, 2005 4:31 am
Posts: 21
They CHOWNED to my account user names.
So if I go to FTP How do I set files to 644 and then folders to 755. Using Smart FTP it seems that I can make one permission 755 or 644 recurse through the whole site. Can I tell it to do files and folders separately?


Posted: Fri Sep 01, 2006 3:20 am
Joomla! Intern

Joined: Tue Jan 31, 2006 2:59 am
Posts: 59
Location: New Zealand
Hi Firefrog.

I believe you should be able to with Smart FTP. I can with FlashFXP by adding a comma like example below.
Create a few test directories and files and try it out first. Otherwise see if there is anything in the help files.

I hope this helps, cheers, Ian  :)

CHMOD ftp permissions for folders and files:
-------------------------------------------------
755,644

_________________
http://www.thefunnycartoon.com - Daily Cartoons, Comic Strips, Online Games & Funnies to start your day
http://www.pixelfreeway.com - My Graphic Design Portfolio Website


Posted: Wed Sep 06, 2006 1:05 pm
Joomla! Enthusiast

Joined: Sun Jan 01, 2006 11:44 pm
Posts: 146
Tonie wrote:
* Don't install your templates through the administrator backend, just copy over the directory with your FTP account.


So how can Joomla recognize the new template you just installed ?  ???

_________________
Advanced SEO - http://www.advanced.co.il/
Tel Aviv Visitor Guide - http://www.telavivvisitorguide.com


Posted: Wed Sep 06, 2006 4:41 pm
Joomla! Apprentice

Joined: Fri Nov 18, 2005 7:06 pm
Posts: 27
Just edit these lines in the templatedetails.xml:




My Template
6/1/06
Your Name in Lights
GNU/GPL
    info@someplace.com
    http://www.someplace.com
1
Some Description


Actually think you just need to change NAME but the rest just help see details about it.


Posted: Wed Oct 03, 2007 6:59 am
Joomla! Apprentice

Joined: Fri Dec 15, 2006 4:38 am
Posts: 11
I'm having permission problems. I had my site moved over using the c-panel and now all of my files are unwritable even though I used the command "chmod 775 -R *" for all directories. When I go into the joomla control panel -> "system info" I see this:

administrator/backups/ Unwriteable
administrator/components/ Unwriteable
administrator/modules/ Unwriteable
administrator/templates/ Unwriteable
components/ Unwriteable
images/ Unwriteable
images/banners/ Unwriteable
images/stories/ Unwriteable
language/ Unwriteable
mambots/ Unwriteable
mambots/content/ Unwriteable
mambots/editors/ Unwriteable
mambots/editors-xtd/ Unwriteable
mambots/search/ Unwriteable
mambots/system/ Unwriteable
media/ Unwriteable
modules/ Unwriteable
templates/ Unwriteable
Cache Directory /home/yourchil/public_html/cache/


How can I go into the control panel and change this?
Also, who can I pay to get this site set back up correctly, I have a backup to use.


Quinton
qneal78710@yahoo.com

