The Joomla! Forum ™



PostPosted: Wed Mar 25, 2009 6:15 pm 
Joomla! Apprentice

Joined: Tue Mar 20, 2007 11:13 pm
Posts: 39
PROBLEMS WITH LOCAL LINUX INSTALL
I'm trying to setup a new test site on my local workstation and I keep running into errors related to insufficient access-rights (aka "ACL" or Access Control Lists). I've been reviewing the "Installation Guide" and the Documentation wiki and this forum, too, but I haven't found anything that clearly summarizes what's going on. Instead, the Install Guide says something along the lines of "At this point we assume you have everything setup properly." Gee, thanks...

MY SETUP
- Joomla 1.5.9, installed to default Apache site in /var/www
- Ubuntu 8.10 (Desktop, not server)
- default LAMP setup (via 'tasksel install lamp-server' command)
- Apache 2.2.9
- MySQL 5.0.67
- PHP 5.2.6

ACL TWEAKS SO FAR
Just to get through the initial install I had to make the following changes:
- chmod g+rw /var/www
- chmod o+rw /var/www
- chmod o+rw /var/www/tmp
- chmod o+rw /var/www/templates
- added myself as a member of group 'root'

Note: I haven't used the "-R" option (to apply the ACL to all sub-folders) because I'm trying not to totally nuke the original security of the site.

QUESTIONS
  • If I install "XAMPP" for Linux will my OS automatically maintain it, i.e., install updates? If I install Ubuntu's "lamp-server" then it does.
  • Is there a summary of needed ACL changes for a generic Linux install of Apache, MySQL and PHP?
  • What login or 'context' is the Joomla app running under? I think it's "www-data" but I'm not sure.
  • Should I add "www-data" (or whichever account) as a member of the "root" group?
  • Or, should I change the Group for the entire /var/www folder (plus subs) to "www-data"? (This would be instead of my current workaround, adding read-write access to Other, which seems like a gaping security hole.) Or, would that Group change fsck Apache somehow?

Thank you for any help. Worst case, I'll just make the whole thing read-write... and then never expose it to the Internet!
***** Manual signatures are NOT allowed *****

(updated 3-26-09)
SOLUTION
http://help.ubuntu.com/community/Joomla


Last edited by sdsalsero on Fri Mar 27, 2009 12:20 am, edited 1 time in total.
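
The group-based alternative raised in the last question above, as an added example that is not part of the original post: it builds a constructed sandbox that mimics the "chmod o+rw" workaround, lists what is world-writable, then moves write access to a web-server group using setgid directories. WEBGROUP and the function names are assumptions; the group defaults to your own primary group so the script runs without root, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (constructed sandbox, not the poster's real /var/www).
# Assumption: WEBGROUP stands in for the web-server group (www-data on Ubuntu);
# it defaults to the caller's primary group so the script runs unprivileged.
WEBGROUP=${WEBGROUP:-$(id -gn)}

# Build a small tree that mimics the "chmod o+rw" workaround from the post.
make_sandbox() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/tmp" "$root/templates" "$root/includes"
    : > "$root/configuration.php"
    chmod 755 "$root" "$root/tmp" "$root/templates" "$root/includes"
    chmod 644 "$root/configuration.php"
    chmod o+rw "$root" "$root/tmp" "$root/templates"   # the workaround
    echo "$root"
}

# List every entry that carries the write bit for "Other".
audit_world_writable() {
    find "$1" ! -type l -perm -0002 | sort
}

# Move write access from Other to the web group: group-own the tree, set
# setgid on the named writable directories so new entries inherit the group,
# then drop write for Other everywhere.
tighten() {
    root=$1; shift
    chgrp -R "$WEBGROUP" "$root"
    for d in "$@"; do
        chmod 2775 "$root/$d"
    done
    chmod -R o-w "$root"
}

sandbox=$(make_sandbox)
echo "before: $(audit_world_writable "$sandbox" | wc -l) world-writable entries"
tighten "$sandbox" tmp templates
echo "after:  $(audit_world_writable "$sandbox" | wc -l) world-writable entries"
stat -c '%a %G %n' "$sandbox/tmp" "$sandbox/templates"
rm -rf "$sandbox"
```

On a real server the chgrp needs root, and the directories passed to tighten should be the ones the Joomla! installer reports as needing write access.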

PostPosted: Wed Mar 25, 2009 10:02 pm
Joomla! Exemplar

Joined: Sun Oct 22, 2006 4:42 am
Posts: 9352
Location: Sunshine Coast, Queensland, Australia
Default permissions "UMASK" for Linux provides for directory and file ownership to the user that creates it, with modes of Directories = 755 and Files = 644, which only gives the directory/file owner "Write" permissions, hence the web-server (running under another user) only has read/execute modes set. This is the root cause of your problem.

In normal hosting environments, this is added to by PHP running as an Apache Module, not as a CGI or under phpSuExec control, which allows the web-server to utilise the accounts owners credentials, thus acquiring rwx (7) mode.

Please search the forum and wiki, there is a whole host of information regarding this topic, also the wiki ( http://docs.joomla.org/Security_and_Per ... issions.3F ) contains a vast amount of information also.

_________________
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
Network SMARTS, Systems Engineering http://www.networksmarts.com.au/


PostPosted: Thu Mar 26, 2009 12:14 am
Joomla! Apprentice

Joined: Tue Mar 20, 2007 11:13 pm
Posts: 39
Russ,
Thanks for replying but this didn't actually help me. I already know the permissions are wrong :) Are you saying I need to edit my system-wide umask, or is there a setting specific to Apache (or PHP) that you're suggesting I change? I've tried searching the forums but I must be using the wrong search terms? I just now re-tried searching the Installation forum(s) for "umask" and only found 3 hits (including my own post here). Most of the posts seem to advise setting all-access, either across-the-board or as-needed.

Also, I believe my PHP install is running as an Apache Module.

Finally, the wiki doc you referred to just bounces me to several 'general' guides, nothing specific.

I'm still hoping someone can directly answer my questions, e.g. is there a consolidated list of permissions (and new umask?) that need to be changed.
***** Manual signatures are NOT allowed *****

UPDATE: Actually, this one comment may explain all my problems,
"I dream of the day when Joomla uses safe directory permissions ..."
viewtopic.php?p=1591325#p1591325

UPDATE #2: this is probably one of the "whole host" of posts you were referring to,
viewtopic.php?p=1591791#p1591791


PostPosted: Thu Mar 26, 2009 2:36 am
Joomla! Guru

Joined: Sun Dec 21, 2008 6:35 pm
Posts: 907
Location: USA
The umask is a key part of the control over Linux permissions. The umask does what it implies. It blocks certain specified bits from being used when a broader permission is requested.

For example, a umask of 022 set before a permission of 777 is requested results in 777 - 022 -> 755. Then why not set the umask to 000? Having everything at 777 is asking to be hacked!

I am assuming Gentoo Linux here, Linux is Linux, but what is customary seems to vary with the community.

umask can be set as a default at a global level, a user level, and a service level.

/etc/profile is one global. Here is an excerpt:

# 077 would be more secure, but 022 is generally quite realistic
umask 022

You can run ftp as an extended Internet service (xinetd.conf) or as a stand-alone process (daemon). The former is the most common on Gentoo.

An excerpt from /etc/xinetd.conf gives some clues.

#
# This is the master xinetd configuration file. Settings in the
# default section will be inherited by all service configurations
# unless explicitly overridden in the service configuration. See
# xinetd.conf in the man pages for a more detailed explanation of
# these attributes.

# setup environmental attributes
#
# passenv =
groups = yes
umask = 002

You can think of the umask as working like cascading style sheets. The service and the user can override the global.

If you add your own umask to your .bash_profile, in your /home directory, then that is what is used for files you make.

One point that was being raised before, in the thread, was it is ideal to automatically use your permissions rather than having to open up the directories at all. That is what suexec or phpSuExec do. A sort of proxy concept. This is also what the Joomla ftp layer accomplishes, in effect.

I see sites with the web server user, say apache, set as the owner and the group. This is another way of solving the problem. This is how some apache installations work out of the box. This gets criticism as not very secure, since apache is just a regular user and not a potentially more secure root-level user.

To get your site up, the apache owner idea may be the easiest to understand and set up. After your site is running, you can tighten it down in a number of ways. The Joomla security FAQs have several ideas, .htaccess, 444 permissions on configuration.php, hiding configuration.php, etc., etc. You can set the owner and group to root later as well.

chown apache *
chgrp apache *

is all it takes to use the apache owner and group idea.

Then, if apache is a member of group apache all the new files apache makes will have these permissions as well.

dpminusa
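
How the masking described in the post above behaves on a real filesystem, as an added example that is not part of the original thread: the kernel clears the umask bits from the mode a program requests (requested AND NOT umask), which matches a subtraction only when every masked bit was set in the request. The function names and the temporary directory are assumptions made for the example; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: show how umask filters the mode a program requests.
# Effective mode = requested & ~umask (bits are cleared, not subtracted).

# Print "<file-mode> <dir-mode>" for entries created under the given umask.
# The shell requests 666 for a new plain file; mkdir requests 777.
modes_under_umask() {
    mask=$1
    work=$(mktemp -d) || return 1
    (
        umask "$mask"          # applies only inside this subshell
        : > "$work/file"
        mkdir "$work/dir"
    )
    printf '%s %s\n' "$(stat -c %a "$work/file")" "$(stat -c %a "$work/dir")"
    rm -rf "$work"
}

# Predict the resulting mode arithmetically: requested & ~umask, in octal.
predict_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# 033 is included because it shows where "subtraction" goes wrong:
# 666 - 033 would read 633, but the real file mode is 644.
for m in 022 002 077 033; do
    echo "umask $m -> file/dir $(modes_under_umask "$m")" \
         "(predicted $(predict_mode 666 "$m") $(predict_mode 777 "$m"))"
done
```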


PostPosted: Thu Mar 26, 2009 4:25 am
Joomla! Exemplar

Joined: Sun Oct 22, 2006 4:42 am
Posts: 9352
Location: Sunshine Coast, Queensland, Australia
OK, let's start with some basics, it would appear that you are not particularly well versed or experienced in "Systems Administration" so you may find it easier to initially use something like WAMP, MAMP, LAMP pre-built localhost/sandbox solutions rather than attempting to run your own server, or as this is just a localhost server and not publicly available on the internet, then the simplest method is to just elevate the permission on the top level directory and those directories listed in the Joomla! System test area to 777, or 775 and then change the group to the Apache user process.

Otherwise, these might help clarify the slightly more complex configuration required for professional hosting and secure Administration environments.

http://joomlatutorials.com.au/joomla-ti ... ation.html

http://joomlatutorials.com.au/joomla-ti ... uexec.html

Hosting in the "real world" is not as simple a process as it would initially appear, there is a lot of Systems Administration and Security Administration involved, not to mention application, performance and multiple-user or identity management....

Hopefully, these give you some idea where to start

_________________
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
Network SMARTS, Systems Engineering http://www.networksmarts.com.au/


PostPosted: Thu Mar 26, 2009 11:28 pm
Joomla! Apprentice

Joined: Tue Mar 20, 2007 11:13 pm
Posts: 39
RussW wrote:
OK, let's start with some basics, it would appear that you are not particularly well versed or experienced in "Systems Administration"

That's funny! I think I'm asking pretty specific questions (which aren't being answered). I think I demonstrated in my very first post that I know how to fix these access problems in an 'undisciplined' manner. Since then all the responses have been 'Access Rights 101' instead of the 'Joomla Security Configuration Checklist for non-XAMPP Servers' that I was looking for. Actually, judging by all the responses that ignore my previous posts (e.g. "I assume you're on Gentoo Linux", "just elevate the permission ... to 777", "you may find it easier to use ... LAMP pre-built") I really think my posts aren't being carefully read.

P.S. Yes, I was offended by your comment that I am "not particularly well-versed or experienced." I'm a senior network admin with lead responsibility for writing my firm's Internal IT documentation. So I was more than a little miffed when I saw the official Joomla "Installation Guide" start-off with "we assume you have AMP configured properly..." What a frickin cop-out.


PostPosted: Thu Mar 26, 2009 11:37 pm
Joomla! Apprentice

Joined: Tue Mar 20, 2007 11:13 pm
Posts: 39
P.P.S. You don't need to reply, I'm just gonna grant full access-rights (then never put it on the Internet). I'd previously setup a non-profit Joomla site through a dedicated hosting provider and never had any of these access-right probs, so I'll just assume that I won't have any such probs if/when I recreate this test site online. Of course, I'm probably going to investigate other CMSes at this point, too.


PostPosted: Thu Mar 26, 2009 11:58 pm
Joomla! Exemplar

Joined: Sun Oct 22, 2006 4:42 am
Posts: 9352
Location: Sunshine Coast, Queensland, Australia
@sdsalsero

I am sorry to read that you are not happy with the responses that your initial post has received and certainly had no intention of offending you, regardless of your current skills, experience and abilities within the Networking World. I wish you luck with your current project and any endeavours in the future.

_________________
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
Network SMARTS, Systems Engineering http://www.networksmarts.com.au/


PostPosted: Fri Mar 27, 2009 12:17 am
Joomla! Apprentice

Joined: Tue Mar 20, 2007 11:13 pm
Posts: 39
Success!
http://help.ubuntu.com/community/Joomla

It clearly lists different ways to configure the access-rights. I'll probably contribute some additional notes now, too, e.g. using the Ubuntu-standard 'tasksel' to add AMP.


PostPosted: Fri Mar 27, 2009 1:46 am
Joomla! Apprentice

Joined: Tue Mar 20, 2007 11:13 pm
Posts: 39
sheesh, and now I found another (local) post,
viewtopic.php?t=121470

It's in the Archive section, though, and it's (again) mostly Admin 101 rather than direct documentation. Compare it to the clear and concise summary in the Ubuntu doc I referenced before, https://help.ubuntu.com/community/Jooml ... s%20Rights


PostPosted: Fri Mar 27, 2009 2:09 am
Joomla! Exemplar

Joined: Sun Oct 22, 2006 4:42 am
Posts: 9352
Location: Sunshine Coast, Queensland, Australia
I am at a total loss here..... The information either described in the thread or provided links throughout this thread pointed you at several different options to resolve your issue, all of which answered the points made about permissions modes and ownership.

The Ubuntu document shows you a "work-around" for inadequate server configurations, by changing the directory ownership to the web-server process user, which was already described to you by both dpminusa and myself. The directories listed in this document are also listed during the Joomla! Installer process and in the System Information in the Administration area of Joomla!

I am not sure quite where else, or what else could have been done to assist you, without actually doing the work for you ourselves.

[edit] Apologies for the after edit.... Please also be aware, the Ubuntu document is based on J! 1.0 and some of the directory structure has changed in J! 1.5

_________________
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
Network SMARTS, Systems Engineering http://www.networksmarts.com.au/


PostPosted: Fri Mar 27, 2009 2:16 am
Joomla! Guru

Joined: Sun Dec 21, 2008 6:35 pm
Posts: 907
Location: USA
I may have misunderstood the intent of your thread. I interpreted it as a collection place for ideas on the topics of LAMP permissions and related information. I thought that was a great idea.

Can the thread be interpreted that way?

I was going to add some specifics on how the umask is changed for FTP, APACHE, and the Extended Internet Services System (xinetd). This information seems to be a bit obscure.

Some users will not have the resources to set these. At least they will know what to look for, if they have problems that seem related.

dpminusa


PostPosted: Fri Mar 27, 2009 2:23 am
Joomla! Exemplar

Joined: Sun Oct 22, 2006 4:42 am
Posts: 9352
Location: Sunshine Coast, Queensland, Australia
The document wiki would probably be the best place to contribute that sort of information mate.... then it can be easily referenced from all Joomla! entities (forums, docs, blogs) etc

Thank you for your contributions, much appreciated.

_________________
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
Network SMARTS, Systems Engineering http://www.networksmarts.com.au/


PostPosted: Fri Mar 27, 2009 2:44 am
Joomla! Guru

Joined: Sun Dec 21, 2008 6:35 pm
Posts: 907
Location: USA
OK. I think this thread is productive. Perhaps if it continues we can make that the focus of the additional posts.

The Forum is always a learning experience for all involved, as it should be.

dpminusa


PostPosted: Fri May 01, 2009 2:09 am
Joomla! Fledgling

Joined: Thu Apr 30, 2009 12:36 am
Posts: 1
Location: Orlando, FL, USA
This post completely resolved the issue that I was having with my Joomla! install on my Ubuntu box. It pointed me in the right direction. Thanks!


PostPosted: Mon Jan 10, 2011 4:17 pm
Joomla! Apprentice

Joined: Thu Sep 10, 2009 11:17 am
Posts: 10
Let me start out by saying I am new to Linux and Joomla. I can do the basics in Linux and can maintain the Joomla pages that were created by a former employee. I need to change the settings so that when I upload a module the directory rights are "rwxrwxr-x" or 775. My system currently defaults all module installations to "rwxr-xr-x" and the user is www-data. I need to be able to use WinSCP and login as myself to make changes as needed. I am part of the user group for www-data, but without "group rights", I can't make the changes I need. Where do I go to set the umask value? I have tried to set umask in profile to 0002, but it doesn't work in WinSCP.
Thanks a lot for your help.

