File ownership and permission settings. Is this OK?

Post by jjonker » Thu Feb 07, 2008 12:50 pm

Hi there!

I have been looking at the file ownership and permissions of my Joomla installations. I have read a lot of information and posts on this site. I have to say it's not all very easy to comprehend, but I want to be as safe as possible from possible hacks so I keep trying to make things safer...

I would really like your comments (if any) on my file ownership and permissions for Joomla. Just to make sure I'm not doing anything wrong and maybe to help others.

I have my own (virtual) server with root access. (Linux/apache with PHP as an apache module). No SuExec. Plesk.

I use a combination of WinSCP and Putty to access my server.

After installing and finishing building a site in Joomla I set all write permissions of directories to 755 and files to 644. (Putty) Then I change the ownership of all files and directories to: owner=ftp-user, group=psacln (all Plesk ftp-users and web-users).

To make sure I can use Joomla correctly I make these exceptions:
1. '\cache' and '\session' dirs: owner=apache. Because apache needs to write to these dirs. (Cache only if I use Joomla cache)
2. '\images': Group=joomla. Joomla is a group I made that has all the ftp-users that use Joomla PLUS apache. Because the owner is the ftp-user this user can upload images to this directory. If I need to upload images through Joomla I change the directory permissions to 775. But only if this is necessary for the use of the website.
3. I use JoomlaCloner for backups. '\administrator\backups' dir: group=joomla, permissions=775. This way the component can make backups from the backend of Joomla (as apache) and I also can use a cron to schedule the backup. The cron is run as the ftp-user.

When I need to install components, modules, mambots or languages I temporarily set the needed dirs (incl. \media) to 777. After installing I revert to the original permissions.

Some component directories (for example upload/image directories for Virtuemart or FireBoard) may also need to be changed to usergroup 'joomla', because apache needs writing permission for these directories. Then I set the permissions to 775.

Maybe it is also possible to change the ownership of these specific directories to 'apache'. This way I can keep the permission settings to 755. But the ftp-user does not have writing permissions anymore when using FTP. But I'm not sure what is more secure...

Does anyone have any comments on this approach? Thanks!
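As an added example (not code from this thread or from Joomla), a POSIX shell script that applies the scheme described in the post above to a web root and then audits for any mode looser than the scheme permits. The account names ftp-user/psacln/apache/joomla are the ones from the post; the web root path is whatever you pass in, and chown/chgrp only take effect when run as root with those accounts present.

```shell
#!/bin/sh
# Added example, not code from the thread: apply the ownership/permission
# scheme jjonker describes (755 dirs, 644 files, ftp-user:psacln, with the
# cache/session/images/backups exceptions) and audit a Joomla 1.0 web root.
# Assumes GNU/Linux; chown only takes effect when run as root and the
# accounts exist, otherwise it warns and continues so a dry run still works.
set -eu

warn() { echo "warning: $*" >&2; }

# Baseline from the first post: every directory 755, every file 644,
# everything owned by the FTP user and the Plesk web group.
apply_baseline() {
  root=$1 ftp_user=$2 web_group=$3
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  chown -R "$ftp_user:$web_group" "$root" 2>/dev/null \
    || warn "could not chown $root to $ftp_user:$web_group (not root?)"
}

# Exceptions: cache/ and session/ are owned by apache but stay 755;
# images/ and administrator/backups/ get group joomla and 775.
apply_exceptions() {
  root=$1 apache_user=$2 joomla_group=$3
  for d in cache session; do
    [ -d "$root/$d" ] || mkdir "$root/$d"
    chown "$apache_user" "$root/$d" 2>/dev/null || warn "could not chown $d"
    chmod 755 "$root/$d"
  done
  for d in images administrator/backups; do
    [ -d "$root/$d" ] || continue
    chgrp "$joomla_group" "$root/$d" 2>/dev/null || warn "could not chgrp $d"
    chmod 775 "$root/$d"
  done
}

# Audit: print every path that is world-writable, or group-writable outside
# the two directories the scheme allows to be 775. Empty output means clean.
audit() {
  root=$1
  find "$root" -perm -o+w -print
  find "$root" -perm -g+w \
    ! -path "$root/images" ! -path "$root/administrator/backups" -print
}

# True when the path has exactly the given octal mode (portable: uses find).
mode_of() { find "$1" -maxdepth 0 -perm "$2" | grep -q . ; }
```

Run `audit /path/to/httpdocs` after any temporary 777 change (component installs, image uploads) to confirm nothing was left open.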

Re: File ownership and permission settings. Is this OK?

Post by musiqcentral » Fri Feb 08, 2008 1:00 pm

This sounds like "great security" to me.... I am in the same "situation" as you: I have a VPS as well, the only difference is I have the usage of Plesk.... I just can't seem to get the sessions dir to be writable... I can't see the "root" dir (where the var/lib/php/sessions is) in Plesk (not sure why), but I am using ws_ftp to connect "like putty". I have set the sessions folder as writable 777 in ws_ftp.... but Joomla permissions say it isn't writable.... here is the verbiage:


Session Directory /var/lib/php/session/
Warning: is_writable() [function.is-writable]: open_basedir restriction in effect. File(/var/lib/php/session) is not within the allowed path(s): (/var/www/vhosts/musiqcentral.com/httpdocs:/tmp) in /var/www/vhosts/musiqcentral.com/httpdocs/includes/joomla.php on line 2020
Unwriteable


I have found a topic at one point explaining the best and most functional chmodding but now I can't find it through search.... can someone enlighten me?



administrator/backups/ Unwriteable
administrator/components/ Unwriteable
administrator/modules/ Unwriteable
administrator/templates/ Unwriteable
components/ Unwriteable
images/ Unwriteable
images/banners/ Writeable
images/stories/ Writeable
language/ Unwriteable
mambots/ Unwriteable
mambots/content/ Unwriteable
mambots/editors/ Unwriteable
mambots/editors-xtd/ Unwriteable
mambots/search/ Unwriteable
mambots/system/ Unwriteable
media/ Unwriteable
modules/ Unwriteable
templates/ Unwriteable
Cache Directory /var/www/vhosts/musiqcentral.com/httpdocs/cache/ Writeable
Session Directory /var/lib/php/session/
Warning: is_writable() [function.is-writable]: open_basedir restriction in effect. File(/var/lib/php/session) is not within the allowed path(s): (/var/www/vhosts/musiqcentral.com/httpdocs:/tmp) in /var/www/vhosts/musiqcentral.com/httpdocs/includes/joomla.php on line 2020
Unwriteable

ok... I did it all "manually" in Plesk... as I could not get the permissions to change... (logged in as root to Plesk) hoping this wouldn't change the ownership to something not wanted.... and as the Joomla system info says I am set like this... is this optimum security/usability or should there be something more... or less writable?

Re: File ownership and permission settings. Is this OK?

Post by jjonker » Fri Feb 08, 2008 5:30 pm

Hi musiqcentral,

The (default) session directory is restricted to you because of the open_basedir setting in PHP. This is what I do:
1. Create a directory in your website root called 'session'.
2. Add to your .htaccess file in your website root-dir:

php_value session.save_path '/var/www/vhosts/domainname.com/httpdocs/session'

Maybe your path is different, but you get the picture...
3. Make sure this dir is writable to Joomla. (My first post in this topic...)

If you have root access to Plesk you might also have root access to your server? In that case you can use tools like Putty or WinSCP (http://winscp.net) to change files/dirs on your server.

Usability and/or security: It's not the same thing... It's a balance between both. When Joomla tells you all dirs are unwritable you are pretty safe in terms of file ownership and permissions. But this also means you won't be able to install modules, components, mambots, templates or languages in the Joomla backend. If you don't need to: No problem. If you do need to install something you need to manually change some dirs and revert back after installation.

Re: File ownership and permission settings. Is this OK?

Post by musiqcentral » Fri Feb 08, 2008 5:41 pm

jjonker wrote:

If you have root access to Plesk you might also have root access to your server? In that case you can use tools like Putty or WinSCP (http://winscp.net) to change files/dirs on your server.

Usability and/or security: It's not the same thing... It's a balance between both. When Joomla tells you all dirs are unwritable you are pretty safe in terms of file ownership and permissions. But this also means you won't be able to install modules, components, mambots, templates or languages in the Joomla backend. If you don't need to: No problem. If you do need to install something you need to manually change some dirs and revert back after installation.

I understand usability/security are not synonymous.... however I was wondering if the usability is still there... with my settings... and it appears my security will be OK, am I correct?.... and Putty... I have an issue with that... chmodding the files/directories.... I am not a Unix guru... and well.. it was an issue, that's all... I manually did all the chmods in Plesk... so I guess that's all set anyway.... but will have to look at that sessions directory thing... I mean... if I look in Putty... the directory exists... off the root dir... but not in httpdocs... is this where I need to make the sessions dir... in httpdocs?

ok.... created session dir.... added that php_value session path as directed into htaccess.txt and Joomla sysinfo still says unwritable...

**Possible fix**

and i think i found the "error" in this part:

Session Directory /var/lib/php/session/ 
Warning: is_writable() [function.is-writable]: open_basedir restriction in effect. File(/var/lib/php/session) is not within the allowed path(s): (/var/www/vhosts/musiqcentral.com/httpdocs:/tmp) in /var/www/vhosts/musiqcentral.com/httpdocs/includes/joomla.php on line 2020
Unwriteable

see the colon in that line... is that supposed to be there? (I highlighted the area I meant in red) and if not... where can I find that in joomla.php so I can edit it out?

also... I tried using the same data from htaccess.txt and making an .htaccess file.... and I couldn't log in with my admin account into the backend... what would cause this? Therefore if it needs to be .htaccess instead of htaccess.txt then well.. I can't check the writability... and have no backendability... thus well.. you all know... it hampers me drastically....

Re: File ownership and permission settings. Is this OK?

Post by jjonker » Fri Feb 08, 2008 8:10 pm

Yes, it has to be .htaccess, not htaccess.txt. When you install Joomla this txt file is there to be used when you want to use the 'Search Engine Friendly URLs' setting for your site. (This can be set in your global site administration in the backend. If you use this option you have to rename the txt file to .htaccess as mentioned by Joomla in the little warning window beside that option in the backend.)

- Did you add the session dir to your httpdocs dir?
- Who owns this dir? (Should be 'apache' and 755 because apache (server) needs to write to this dir.)

When you rename the file to .htaccess it reads the line you added and starts using the mentioned directory for the session. If you get it wrong (wrong absolute path? Directory not writable?) you won't be able to log in because Joomla can't generate a session for you. So you have to make sure you're doing it right...

I think you can also find more info about the session 'problem' in this forum...

Good luck!

Re: File ownership and permission settings. Is this OK?

Post by musiqcentral » Fri Feb 08, 2008 9:40 pm

ok.... chown'd it to apache.... and set perms to 755.... will attempt to add the .htaccess file to see... at least I know what to do to get rid of the problem if it messes up :) thanks.. standby :pop

yay!!!! the popcorn helped.... I did make a small error on the htaccess and misspelled my domain... but I got it now woot

For all Joomla! functions and features to work ALL of the following directories should be writeable:
administrator/backups/	Unwriteable
administrator/components/	Unwriteable
administrator/modules/	Unwriteable
administrator/templates/	Unwriteable
components/	Unwriteable
images/	Unwriteable
images/banners/	Writeable
images/stories/	Writeable
language/	Unwriteable
mambots/	Unwriteable
mambots/content/	Unwriteable
mambots/editors/	Unwriteable
mambots/editors-xtd/	Unwriteable
mambots/search/	Unwriteable
mambots/system/	Unwriteable
media/	Unwriteable
modules/	Unwriteable
templates/	Unwriteable
Cache Directory /var/www/vhosts/musiqcentral.com/httpdocs/cache/	Writeable
Session Directory /var/www/vhosts/musiqcentral.com/httpdocs/session/	Writeable


here it is... anything else you think I should make writable?

and now that this works.. I have my ability to clear my cache... what does this do for me... is it just my admin cache... or does it affect users too???? when and how should I use this????? Thanks... and I apologize for my noobness ???

Re: File ownership and permission settings. Is this OK?

Post by lvalics » Sat Mar 01, 2008 3:47 pm

I suggest trying to install mod_suphp and configuring it per domain. In this way the files uploaded via Joomla will get ftpuser:psacln rights and you can work with them. Also the folders no longer need to be 777.
See more on
http://www.web-hosting-control-panel-ad ... _Server/6/

Here you can see how to set up mod_suphp to work well on a PLESK server for Joomla, Drupal, or any other similar software. Hope this helps.