The Joomla! Forum ™

 Post subject: Permissions for Dummies
PostPosted: Sat Feb 23, 2008 10:25 am 
Joomla! Apprentice

Joined: Tue Jul 03, 2007 8:22 am
Posts: 10
Hello,

Can someone confirm whether this is the proper way to set permissions on Joomla 1.5? The installation step is obviously different from that of the previous versions, and I cannot find a straight answer in the documentation and forums.

1. I was able to install and populate my new website on my local machine. All directories have write permission so I didn't need to set up permissions.

2. I then deployed the site to a live internet site. Installation was successful

3. I logged on to the administrator back end, clicked on Help > System Info and then the Directory Permissions tab.

4. Using my ftp program, I made all the listed folders writable at 777.

Is this correct? I burned my fingers having the wrong permissions before...

Please help.



PostPosted: Sat Feb 23, 2008 1:35 pm 
Joomla! Intern

Joined: Tue Sep 11, 2007 10:59 pm
Posts: 71
Location: Cackalacky
Setting all files and folders to 777 is an invitation to get owned. You are giving read, write, and execute to everybody - that includes your configuration.php file. If you truly have 777 and no other methods to block people, anyone can read your config file and get your settings and hijack your install (and server).

I browsed the various J! docs on security and permissions and came up with my own scheme which *seems* to work. I am still tweaking it.

I set ownership of all files and folders to a user who is root level.

I set the group on all files and folders to the user my webserver runs as (not nobody).

configuration.php chmod'ed to 440.

Most every file and dir set to 755.

Images dir set to 777. This is the only one set to 777.

File and directory ownership is a very simple concept but quite time-consuming to get perfect. Keep in mind your webserver process needs to be able to read and execute most files and directories. Think about what files and directories it does and does not need to write to: whatever is being done by a "user" on your site is actually being done by your webserver (e.g. uploading images your webserver needs rwx). Then think about what files and folders it only needs to read (e.g. your configuration.php, except when making global changes).

If needed I can provide more detail and like I said I am still tweaking to get it right. ;)



PostPosted: Sat Feb 23, 2008 2:21 pm 
Joomla! Apprentice

Joined: Tue Jul 03, 2007 8:22 am
Posts: 10
Crooz, please share your insights. Thank you.

With Joomla 1.0.x the installation wizard checks your permissions on the first pages. With the new Joomla 1.5 you do not see permissions until you log on the admin pages.

My question:

1. Can I keep my configuration.php unwritable since the site is installed and working perfectly?
2. Why would I need to make all the list of folders on the Permissions Page writable?

Thanks again



PostPosted: Sat Feb 23, 2008 3:45 pm 
Joomla! Intern

Joined: Tue Sep 11, 2007 10:59 pm
Posts: 71
Location: Cackalacky
Hi Jlang, I'll try to write more this evening but will address your questions:

Jlang wrote:
1. Can I keep my configuration.php unwritable since the site is installed and working perfectly?


Yes, that is a good idea. It's a bit of a pain but I will change mine to rw-r----- (640) when I need to make a change, then immediately change it back to just r--r----- (440).

Jlang wrote:
2. Why would I need to make all the list of folders on the Permissions Page writable?


You don't. I am still trying to figure out exactly what permissions are required on all files and folders to achieve maximum security and 100% correct operation. But it is safe to assume not every folder has to have write - the trick is to figure this all out. Perhaps when I do I will post my info.

I am paranoid for a variety of reasons :D but mostly b/c my server was hacked/rooted a few years ago. Badly. Thankfully we had backups but it was still a 16-hr job to restore and fix.



PostPosted: Sun Feb 24, 2008 6:40 am 
Joomla! Apprentice

Joined: Tue Jul 03, 2007 8:22 am
Posts: 10
Thank you so much crooz. I look forward to your post.

In my case I always gave the list of folders (the ones on the installation check page) all 777. I guess I am a sitting duck :o

Regards

J Lang.



PostPosted: Sun Feb 24, 2008 8:40 am 
Joomla! Master

Joined: Wed Aug 17, 2005 10:27 pm
Posts: 14709
Location: Kent, England
Once installed all folders generally should be set to 755 and all files set to 644. configuration.php should be made unwritable at 444.

hth

Andy
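The scheme crooz and Andy describe, written up as a small shell helper so it can be applied and checked in one go. This is an added example, not code from the thread or from the Joomla project. The function names, the assumption that images/ and cache/ are the only directories the webserver needs to write to, and the choice of group-writable 775 instead of 777 for those directories (enough once their group is the user Apache runs as, and it keeps everybody else out) are mine. It sets directories to 755, files to 644 and configuration.php to 440, then audits the tree for anything still world-writable.

```shell
#!/bin/sh
# Added example (not from the thread): apply the permission scheme discussed
# above to a Joomla tree and then audit it for world-writable leftovers.
#
#   apply_joomla_perms <joomla-root> [owner:group]
#
# Assumptions (mine, not the thread's): the only directories the webserver
# must write to are images/ and cache/; they get 775, not 777, because the
# group is meant to be the user Apache runs as, so group write is enough.

apply_joomla_perms() {
    root=$1
    ownership=${2:-}
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }

    # Ownership first (needs root): files owned by your account, group = webserver user.
    if [ -n "$ownership" ]; then
        if [ "$(id -u)" -eq 0 ]; then
            chown -R "$ownership" "$root"
        else
            echo "not root, skipping chown to $ownership" >&2
        fi
    fi

    # Baseline: directories 755 (rwxr-xr-x), files 644 (rw-r--r--).
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +

    # Upload/cache directories: group-writable so the webserver can create files.
    for d in images cache; do
        [ -d "$root/$d" ] && find "$root/$d" -type d -exec chmod 775 {} +
    done

    # configuration.php: readable by owner and webserver group only, never
    # writable or executable. Loosen to 640 only while saving a change from
    # the back end, then put it back.
    [ -f "$root/configuration.php" ] && chmod 440 "$root/configuration.php"
    return 0
}

# Audit: print every path under $1 that is writable by "other" (the o+w bit).
# Returns 1 when anything is found, so it can be used as a check in scripts.
find_world_writable() {
    hits=$(find "$1" ! -type l -perm -002 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Octal mode of a path; GNU/busybox stat first, BSD stat as a fallback.
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
```

Run it as the file owner, or as root when passing the ownership argument (for example `apply_joomla_perms /var/www/joomla youruser:apache`, where the user and group names are placeholders). `find_world_writable` prints offenders and exits non-zero, so it can run from cron to catch an extension install or an FTP session that loosened things again.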



PostPosted: Sun Feb 24, 2008 2:43 pm 
Joomla! Intern

Joined: Tue Sep 11, 2007 10:59 pm
Posts: 71
Location: Cackalacky
IMHO you need a basic understanding of Linux user, group, and security permissions in order to set things up right. I've read a lot of posts here and elsewhere where people go to insane lengths to secure J!, but have glossed over the basics.

The Apache webserver runs as a user; if you do not have root access to your server, your host has likely set this in the httpd.conf file. The easy way to find out the user of your webserver is via the command line:

ps -ef | grep httpd

That will output the apache process, and to the left will be the user: it will likely be apache, nobody, root, etc. A good server setup will have it running as an isolated user such as apache whose only real access is to the httpd process and config and log files.

Once you figure out who your webserver is running as, you need to give this user access to your J! files: the webserver is the one who reads, writes, executes all scripts and files and tells the person's browser how to render the output. So at a minimum, your webserver user will need read access to everything in J!; and will require execute on most everything; and will require write on a subset of folders and files. (This is the part I am still trying to work through.)

Now, people access your website through their browser, which sends the http requests to your server, which apache acts on and sends html back to the user's browser.

If you give 777 to all files and folders, you are giving the webserver AND every user full read, write, and execute on everything. This is a Bad Thing.

Folders like /images and /cache do need 777 so that people using your website can read, write, and execute: for example, uploading and viewing a picture. If you took any of the permissions off /images, no one could either view (read), save (write), or upload (execute) anything in the directory.

Back to the case of the root J! folder and configuration.php: IMHO your webserver should only be able to read the config file, and you should manually change it to write, then back to read-only, when necessary. This file should never have execute rights.

There is a hierarchy to permissions as well. There's tons of great explanations on the web, but to summarize: folder permissions should be set properly first, then file permissions.

If you were to, for example, set your root J! folder to 640 and set all files underneath to 777, your site will be broken. The folder permissions sort of take precedence: the webserver will look at the root J! directory permissions, then any subdirectory(ies) it needs to access, then lastly at the file permissions. If any permission is set incorrectly in that path to the actual file, mayhem ensues. ;) Conversely, setting everything to 777 means there are no restrictions to what can be done.

And therein lies the problem: figuring out exactly what the webserver needs to read, write, and execute to properly serve your J! site is the most fundamental issue that has to be addressed and set. From there, additional security measures can be put in place (and there are tons available).

Sorry for rambling, still having my morning coffee............. ;)
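crooz's point about the hierarchy (every directory on the way needs search permission before the file's own bits matter) can be checked from the mode bits alone, without logging in as the webserver user. This is an added example, not from the thread; `can_read_path`, `class_digit` and `mode_of` are hypothetical helper names of mine. It walks from / down to a file for one permission class (owner, group or other), reports the first component that blocks access, and reproduces the "root folder 640, files 777" breakage described above.

```shell
#!/bin/sh
# Added example (not from the thread): check a file the way the webserver's
# path lookup does, from the mode bits alone, for one permission class.
#
#   can_read_path <owner|group|other> </absolute/path/to/file>
#
# Every directory from / down needs the execute (search) bit for that class;
# only then do the file's own bits matter, and the file needs the read bit.
# Assumption: paths contain no whitespace (the ancestor list is word-split).

# Octal mode of a path; GNU/busybox stat first, BSD stat as a fallback.
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Print the rwx digit (0-7) of $1's mode for class $2, ignoring setuid/setgid/sticky.
class_digit() {
    digits=$(printf '%03o' $(( 0$(mode_of "$1") & 0777 )))
    case $2 in
        owner) echo "$digits" | cut -c1 ;;
        group) echo "$digits" | cut -c2 ;;
        other) echo "$digits" | cut -c3 ;;
        *) echo "unknown class: $2" >&2; return 2 ;;
    esac
}

can_read_path() {
    class=$1
    target=$2
    case $target in /*) ;; *) echo "need an absolute path" >&2; return 2 ;; esac
    [ -e "$target" ] || { echo "no such file: $target" >&2; return 2; }

    # Collect the ancestor directories, root first.
    ancestors=""
    dir=$(dirname "$target")
    while [ "$dir" != "/" ]; do
        ancestors="$dir $ancestors"
        dir=$(dirname "$dir")
    done

    # Directories first: a missing x bit anywhere on the path blocks the lookup
    # no matter how open the file itself is (the "640 folder, 777 file" case).
    for a in / $ancestors; do
        d=$(class_digit "$a" "$class") || return 2
        if [ $(( d & 1 )) -eq 0 ]; then
            echo "blocked: no execute (search) bit for $class on directory $a"
            return 1
        fi
    done

    # Then the file itself needs the read bit.
    d=$(class_digit "$target" "$class") || return 2
    if [ $(( d & 4 )) -eq 0 ]; then
        echo "blocked: no read bit for $class on file $target"
        return 1
    fi
    echo "ok: $class can read $target"
    return 0
}
```

To check what Apache sees, use the class that matches how the files are owned: `group` when the files' group is the webserver user (the ownership scheme above), `other` when it is not. A blocked directory early in the path is the usual reason a site is "broken" even though every file is 777.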



PostPosted: Tue Feb 26, 2008 9:24 am 
Joomla! Apprentice

Joined: Tue Jul 03, 2007 8:22 am
Posts: 10
Thank you crooz for your insight. Thank you humvee.

Could this be a rule of thumb: The images folder only is set at 777. When installing a new component or module, I shall reinstate the permissions. As soon as the installations are done, I shall set all folders and files to 644?

Regards



PostPosted: Tue Feb 26, 2008 6:28 pm 
Joomla! Apprentice

Joined: Fri Feb 15, 2008 7:07 pm
Posts: 8
Here's an issue I'm having. I have a user with groups root, www, http. I have the folders and files set to this user, but when uploading a zip via ftp with this user's credentials, I get an XML error, so then I have to change the permissions using a recursive switch on all files. After that I do an install with the XML path, which installs because I have write permissions on everything, but then those new files need the permissions changed to see the results in the admin console. I was under the assumption that the upload/install would use my credentials to upload and install, but it only seems to be using them for the upload and setting system permissions on those new files. Where might I be going wrong?
All: Folders 755, Files 640



PostPosted: Tue Feb 26, 2008 11:25 pm 
Joomla! Apprentice

Joined: Sat Jan 05, 2008 12:42 am
Posts: 34
Location: SoCal
crooz wrote:
...Back to the case of the root J! folder and configuration.php: IMHO your webserver should only be able to read the config file, and you should manually change it to write, then back to read-only, when necessary. This file should never have execute rights.


I had been wondering about that when I went into the backend to enable statistics. It said "configuration.php" is unwritable, so I could not enact that change. I wondered if there was a SAFE way to make this more convenient than having to go in (via ftp) to change the permissions on configuration.php to 777 for the sake of making the change in the backend, and IMMEDIATELY securing it back to its normal permissions once the change is done.



PostPosted: Wed Feb 27, 2008 7:59 am 
Joomla! Apprentice

Joined: Tue Jul 03, 2007 8:22 am
Posts: 10
Is running the web server yourself a better option for security?

I thought outsourcing to a hosting company was a good idea until I got hacked several times. Who knows, I might do a better job and learn a thing or two along the way 8)

Regards
J. Lang



PostPosted: Wed Feb 27, 2008 1:38 pm 
Joomla! Apprentice

Joined: Sun Sep 17, 2006 10:01 pm
Posts: 19
Location: Aroostook County, Maine, U.S.A.
Most hosting companies have better security than you may be able to supply yourself, as far as backup servers, building security, electrical backup, etc. I think you just need to find a hosting company that allows the user more server access than you seem to have. Most hosting companies will allow you to set the permissions for all your files and folders to whatever you want.

Just my opinion though. :)

_________________
Larry Hamilton
http://www.AmityWebs.com

