Joomla! Discussion Forums

During my install, all of the files at the bottom of the pre-install checklist were UNWRITEABLE, these errors only went away if I chmod'ed them to 777 (755 and 775 would not do it). The files are owned by my username, so this was very weird.

My question is, what are the correct permissions now that everything is installed? I can't remember which files I chmod'ed. Is there a directory structure with the recommended permissions available? Or is there a magic button that fixes all permissions for security holes?

Also, it is my understanding that if you want to change the global config, you need to chmod to 777, make changes, then chmod back to 644, is this correct?

Finally, is there a guide out there that shows how to customize the site to the look you want?

I can't believe this has been read well over 300 times and a moderator (or even a user) has not replied with either the correct information or a link to an existing thread if there is one, or a link to a Joomla page with the information. Sadly this information should have been in a readme file with the distribution, but is not. Sure my Joomla is installed, but I did a search for permissions and came to this thread and many readers and no responses. The moderators at the very least should have replied to such a basic and fundamental concern.

Permissions have been covered a lot of times on the forum. When copying Joomla to your webspace, the FTP user will receive ownership of files and directories. When installing, the Apache user will run the Joomla process. This user isn't the owner of the filed which got FTP'ed, hence the unwritable errors. After installing, it is wise to change directories to 755, and files to 644. This will indeed mean for changes to configuration.php that you need to change to 777, make a change, save, change it back to 644. The same for installing components. Set the permissions to 777 for directories that the installation screens says to writable and install a component. Change all back to 755 after finishing. This is basically it in a nutshell.

I will give my setup. I run my own server and so I don't ftp. I chown'ed the folder and files to the same user that my apache runs as, then only changed the permissions to 755 to the folders and files listed in the install. Now I can install and uninstall components etc with out changing the permissions all the time and also without having to have them open with 777.

Of course this is not likely to be an option for people using a hosted service. Like the first poster here, just seems like there should be an FAQ section and/or readme me with the package on permissions and a few install senarios. Thanks for finally posting here though. Just seemed odd for so many reads and no replies to something so simple.

And this seems to be a good related thread as well.

http://forum.joomla.org/index.php/topic,26318.0.html

I'm confused as to what you are asking. In the above linked thread, you'll have to forgive the rjs guest. I came back reincarnated.

Permissions if you have root access are simple to work with. If you have a local linux box. No prob.
Maybe you can spell out what it is you are having issues with?

Tonie pretty much summed up what you need to do.

Thanks for this, very helpful.

Another question about this quote below:


If you change to the above, then go to "System Info/Permissions" in Admin all directories say Unwriteable which you said to do.

Why then does it say this (see screen shot attached) ?   ???:
Directory Permissions 
For all Joomla! functions and features to work ALL of the following directories should be writeable: 



Cheers, Ian

  BUMP

Just wondering about my previous post?

Should all the directories be writeable for all Joomla! functions and features to work ?

Or should they all be Unwriteable for security reasons ?

All of those directories should be writable if you would like Joomla to work at its maximum potential.  There are however, some strange things being said by some people on this forum with regard to file permissions that I would like to comment on.  One of which involves one thing that almost all of the people here have erred with.  A file does not need to have it's permissions set to 7 for owner/group/world to be able to write to it.  It only has to be set to 6.  A directory, however, must be set to 7 in order for owner/group/world to be able to read and write to it.  If you only want read access to a file, you can set it to 4, however, if you want a directory to have only read access, it must be set to 5. 

This may seem like nit-picking to some, but, it is important.  In order for an Operating Systems kernel to be able to do anything within a directory, including something as trivial as reading which files are in that directory, it has to have the execute permission.  This execute permission is what accounts for the difference in file/directory permissions (4 being read only for a file, 5 being read and execute from a directory.  6 being read and write only for a file, 7 being read and write and execute for a directory.)  The only files that need to have the execute bit set are applications and scripts.  PHP pages are not scripts in the normal sense, they are pages that are read and written to, but they just so happen to be passed through an interpreter along the way.

Furthermore, there are some things that may help your security situation if you are concerned with that, which at least some of you appear to be.  One thing to do is if you are in a shared hosting environment, like most basic hosting packages, ask your service provider to make your user a member of the group that apache runs as.  This will provide a small increase in security, especially if they only do this for someone who may ask for it, however, I don't know how most hosting providers would take this request.  What this allows for is for a slightly finer tuned permission setup, in which you can have files, such as configuration.php, writeable by your user, and the apache group (which would presumably be small), instead of being world writeable, in which case someone could wonder into your directory structure on a shared host, and modify your files because they are essentially open to anyone. 

One other possible option is the event that your hosting provider does not want to add you to the apache user group, is to ask them to chgrp (change group ownership) some files, again, such as the configuration.php file.  Then, you could set that file writeable for the group.  And you will still of course be the owner of it, so you will maintain total control over the file, except for which group it is in.  This will provide a similar security feature as the description above, with a slightly different implementation.  I think the one above is slightly more robust, and would allow you to implement this feature also (I think.) if you were to choose to.

This setup provides for a Joomla setup that will be feature rich, and will require little fussing with.  I can count quite a few times that I forgot to set my configuration file to be writeable before changing settings, only to lose all of the changes I made because I wasn't paying attention.  Not to mention, it will allow you to easily install new themes, components, modules, etc. with out any hassle.  Unfortunately, there are some definite security concerns due to the powerful nature of PHP.  It is a trade-off that must be addressed, one of convenience versus security, and the choice is not always easy, especially if you have multiple people making modifications to a site, and not all of them are very computer literate, at least not literate enough to grasp the concept of file permissions and such.  If you don't mind the inconvenience and extra steps, you could make the make the file and directory permissions more strict, but, I guess I am just saying you should way your options. 

I wouldn't consider myself an expert on security and PHP, but, I try to educate myself on these things as best I can.  But, to prevent break-ins and unauthorized file modification, keep as few files as possible group or world writeable (the second and third 66's, like 666 is bad.)  A directory, however, is not as much of a concern, yes, they may be able to write to the directory, but, they will not be able to write over or modify any existing file unless it is explicitly writeable.  And given the design of Joomla, it will not work with files unless it has been told to do so, meaning that it doesn't scan the components directory, and load every component it finds.  That would be bad for security.  Instead, you have to go into the Administration panel, and tell Joomla to install and load this component, or else, it won't do it, which is better for security. 

I think that is enough of that for one post, sorry if I am blabbering on.

Good Luck,
Rob S.

Wow, thanks Rob. A very informative post.

I have re read it a few times and still a bit lost. So by having those directories set to unwritable as in my screen shot (should be 755) the site should have the best security but some Joomla functions might not work ? I have tested it and seems to be fine for signing up to newsletter, etc.

I won't be installing any more components that I can see for sometime, so if all I need to do before modifing the site is make config file and some directories 777 (via ftp) to install a component and then change them back to 755 I am happy with that.

Am I right or have I got it wrong again? Thanks for your time.

This quote of yours ...

... how can someone write to a directory if they don't have the ftp password or access to Joomla admin?

Cheers, Ian

Sorry for not getting back sooner, it was the end of the day.

What the above post means is that Joomla! requires the read/write/execute on the listed files and directories to be used to it's full potential.

If you want to tighten security and are not using Joomla! to install modules, components, etc... You can alter the permissions to the standard 644 on files and 755 on folders. This is non-writable. If you then choose  to install a component or find something that is not working as you need, check your permissions again and set to writable.

Sadly, I also sometimes need sleep . RJS is totally right. Joomla will run normally with these settings. You just can't install new components/modules/mambots with these settings. If you want to install one of those, the installation screen will show you which directories need to be writable (only a few). Change those to 777, and you are able to install the component/module/mambot. If you are finished, you can change it back again. This requires some work, but you aren't installing new components a lot on production sites, but it is a lot safer.

Thanks for your replies Tonie and rjs.

Glad to know I'm doing it right.

Cheers, Ian

To address the last comment first, in a shared hosting environment with PHP at basically default settings and Joomla directories having chmod 777, I can use PHP to span out of my the directory structure and into your directory structure.  For example, most shared setups work something like this, such as with Plesk.  /usr/local/psa/home/vhosts/ and inside this directory are the directories for all of the clients on that server.  So, there will be client-a.com, client-b.com, your-domain.com.  Due to this, If I were client-a.com who happens to be up to no good, I could create a script that just writes a file a few directories down (simply by adding ../../your-domain.com/httpdocs/components) and, if directory (components) is set to world writeable (777), I can write to it all day long without anything every complaining.  This in itself, although may seem threatening, is not actually that big of an issue, as long as none of the FILES are world writeable.  Like I said, 666 on files can lead to very bad things happening in a shared environment. 

Now, in regards to your first comments, yes, if you don't plan on adding components or anything like that, you can chmod those directories 755 and Joomla will run perfectly fine because all of the content is stored in MySQL, not in the directories (which is why you can add people to the newsletter).  You just have to remember 6 months from now when you go to install some com_snazzy (or whatever), and it fails, that you remember what you did in the past, and how to change the directories back to their writable permissions. 

Good Luck,
Rob S.

I had a problem. I install components from the backend. But when I installed joom!fish, a little icon of this component was missing. This icon should be inside includes/js/themeoffice/. I have noticed that this folder is not in the list of the folders that should have premissions. So, how can i know what folders need to be chmoded? I'm afraid because there was no warning. So maybe i have components with missing files. Can anybody help me? Sorry for my english.

Wonderful post RobS! Never really did fully understand what all those permissions mean. I hope I got it down in my memory now.

I have no problems with setting permissions on cPanel or through FTP. I'm wondering, though, how do I set/reset file ownerships? Does this have any effect on the security of a site?

any errors, mispelling etc. I contribute to this being 2:30 and I am puking my guts out with some stomach virus. hopefully though there wont be many.

What I do (I am new to trying Joomla so this is all for other php cms's I have ran) is similar in that I chmod 644 files and 755 directories. But that is specifically because most providers run under a single webserver process-id (usually nobody, http, apache or web). Only turn on write bits after locking out my html directory via .htacess with a message of 'Maintenance Work', chmod the files necessary, make the changes, then chmod the files back and remove the lock.

The reason is that most mass defacements are able to occur on a single system (virtual hosted sites) because if the webserver process is allowed to traverse directories ( +x ) and write to files (+w) then one script can be used. For example:

apache:apache 755 /home/user1/html/
  apache:apache 644 /home/user1/html/config.php

If someones code is badly written for a site in /home/user2/html and php opendirectory restrictions are not in place or the then whatever bad code was executed on the server under the process id of apache has the potential to overwrite ../../user1/html/config.php simply because the apache process does have write access to the file.

Same goes if you give group write permissions for a file simply by being a member of the apache group (chmod g+w filename, chown apache filename).

What i tend to do at home on my server is to never have my website owned by or a member of the webserver process. Run with php in safe mode and opendirectory restrictions, user and group checks etc. But not everyone has that option. For those on shared hosts you may try this (I do this too simply because I am paranoid).

Create an .htaccess file and restrict limit file access to things like config.php etc or install directories based on your internet providers IP range (not your hosting provider) and based on a user id. Make sure your htpassword file (or whatever you call it) is readable (as the apache process needs to read it), but writable only by you and stored OUTSIDE your html directory. Make sure your htaccess file is also readable but writable only by your id and not the apache server id/group.

On a side note, you might look for providers that run apache with suExec (if php is installed as a standalone cgi, not usefull if installed as a module unless the provider provides cgi directories as well) and ModSecurity installed.

Also as most CMS's I have seen use the LAMP(LINUX) or FAMP (FreeBSD) installation method ask your provider how they treat mysql security. I have seen some setups that make me want to scream. For the most part for sites like these mysql should either be listening only to a local socket or if in a cluster, listening to the socket but with restrictions so that only the webservers can communicate on the mysql port on the mysql cluster (iptables and mysql permissions are your friend). Worse though is some lazy providers simply create the mysql user-ids with the necessary privs. This is bad what they should be doing is giving no access to the mysql userid for your website and then granting access based on the mysql::db table for your user id. This restricts a user to a specific database.

this thread should be a "sticky" - loads of great and important information. Makes the entire folder/file security issue a lot more easier to understand 

I agree with ThreeD... one more vote for the sticky.

There is a sticky about security that explains some of this allready.

With respect, it's difficutl to find and doesn't have the same information.  I have to agree that THIS thread should be sticky as well.  At the very least, put a link to the thread you're speaking of so when someone stumbles across this one they can also read/bookmark the other one.

Given the recent security outbreaks, was this ever made a Sticky? This is HIGHLY valuable.

In the post just above the references there is already a sticky...It would be helpful if you could list that for all us noobs.

Thanks

I will look into it later when I have the time, maybe tomorrow. Big threads as stickies are very confusing for a user, especially after not reading them for a while. I think the better solution is to create a reply to Hackwar's original post with the added information in this thread.

Ah - Good point. Thank you for the quick reply.

thank you

oh, geesh! That was months ago... who can remember what I was referring to waaaaay back then???  Hmph! Now, I gotta do MORE work.  Thanks alot....    Just kidding... If I remember correctly, I was referring to other sticky's already found here and how difficult it was finding this thread from the searches WE"VE all done regarding how to secure our joomla sites.

I wish some briliant developer would create a Joomla Security Check component. Now wouldn't that be cool?

With a subscription so that if there were security problems found the component and bot would automagically scan the Joomla install and mail the webmaster if his site could be considered ok or in trouble

Of course with 3rd party developers plugin option, thus including 3rd party developments in the scan

Funny you mention that...

We're nearly done with a product that does that. Does an price of $9.95 sound ok? -No joke.

That's what we're considering to charge for it. Yes - it is commercial licensed.

In addition, I have a book going to the publisher in a week or two that deals with this type of stuff..

Vscribe

Vscribe,

that could be very beneficial to the community.  Keep me posted!

apologies to the impatient but as a member of the still-in-shock-just-been-hacked-after-years-of-complacency-club I am still a bit unclear about the following.

I think I get the ownership stuff - even tho Joomla xplorerer indicates that my user owns everything, I actually don't because the apache user does. Hence joomla  gives me the big list of unwriteable folders.

I'm happy to work round this by
1. doing a manual install
2 changing appropriate folders to 777 when installing modules and components and then changing them back again (even tho' it's a pain & I live in dread of forgetting to change then back)

BUT what about frontend users - neither 775 nor 755 lets them upload files or images? I ain't doin' 777 no more!

However RobS & others seem to indicate that the following avoids the need to kepp chmodding and is a good option

"One thing to do is if you are in a shared hosting environment, like most basic hosting packages, ask your service provider to make your user a member of the group that apache runs as.  This will provide a small increase in security,"

whereas Guser (who was admittedly seedy when he wrote it) seems to suggest this is NOT a good idea

"If someones code is badly written for a site in /home/user2/html and php opendirectory restrictions are not in place or the then whatever bad code was executed on the server under the process id of apache has the potential to overwrite ../../user1/html/config.php simply because the apache process does have write access to the file.

Same goes if you give group write permissions for a file simply by being a member of the apache group (chmod g+w filename, chown apache filename)."

so is someone able to clarify. is it a god or bad idea & would it let front end users upload?


also from Guser is this a good idea?

"Create an .htaccess file and restrict limit file access to things like config.php etc or install directories based on your internet providers IP range (not your hosting provider) and based on a user id. Make sure your htpassword file (or whatever you call it) is readable (as the apache process needs to read it), but writable only by you and stored OUTSIDE your html directory. Make sure your htaccess file is also readable but writable only by your id and not the apache server id/group."

thanks everyone
Jill

I must admit that probably wasn't my most sound piece of advice as that line of reasoning was based on something else I was thinking about at the time.  (phpsuexec type systems)  Guser is correct it will not provide any real security advantage except in very rare and unlikely situations.  As for the .htaccess files to protect access to certain directories and files, yes, that is a good practice to have.  I specifically use .htaccess password protection on some of my sites for things like the Administrator login and other things that regular users should not be messing with.

Thanks Rob
I'm now using the suggested htaccess including register globals off

but how about my other query :
  "what about frontend users,  - neither 775 nor 755 lets them upload files or images?"

cheers
jill

ps would you need to edit that post in case folks start doin the apache user thing?