Concrete permission question (which UNIX command?)

Discussion regarding Joomla! security issues.

tijs
Joomla! Enthusiast
Posts: 106
Joined: Mon Aug 29, 2005 7:59 pm

Concrete permission question (which UNIX command?)

Post by tijs » Mon Aug 21, 2006 9:51 am

Hi,

Often in this forum I have read that all Joomla files should be set to 644 and directories to 755. I also read that forcing this from the backend doesn't always seem to work properly. Hence, a quick question for people with Linux experience: which command should I issue on the command line? I've got root access to my server but I'm not 100% sure whether

chmod -R 755 *

and

chmod -R 644 *.*

is the way to go (from the root Joomla folder). I am confused about how you make the difference between files and directories. Wouldn't the first command chmod -R 755 * set all files to 755 too?

Any advice is welcome, I'd like to keep my server as secure as possible so I secured php.ini, globals.php, and followed all the other tips, so now I'd like to tackle the permissions and lock down everything as much as possible.

jenscski
Joomla! Ace
Posts: 1468
Joined: Thu Aug 18, 2005 6:58 am
Location: Tønsberg, Norway

Sv: Concrete permission question (which UNIX command?)

Post by jenscski » Mon Aug 21, 2006 10:00 am

You can use these commands to set 755 on directories and 644 on files:

find -type f -exec chmod 644 {} \;
find -type d -exec chmod 755 {} \;

Jens-Christian Skibakk
MMS Blog - http://mms.pipp.no/
Joomla! i Norge / Joomla! in Norway - http://www.joomlainorge.no/

tijs
Joomla! Enthusiast
Posts: 106
Joined: Mon Aug 29, 2005 7:59 pm

Re: Concrete permission question (which UNIX command?)

Post by tijs » Mon Aug 21, 2006 10:14 am

Thanks! This is what I was looking for...

tijs
Joomla! Enthusiast
Posts: 106
Joined: Mon Aug 29, 2005 7:59 pm

Re: Concrete permission question (which UNIX command?)

Post by tijs » Mon Aug 21, 2006 10:46 am

In case somebody is writing a FAQ on permissions, it might be worth adding what I do now to set my permissions:

find -type f -exec chmod 644 {} \;
find -type d -exec chmod 755 {} \;
chmod 707 images
chmod 707 images/stories
chown apache:apache cache

As far as I can see information on permissions is scattered all over this forum so it would be a good idea if this can be centralised and split up in several parts:
1) the normal FTP user on a shared host
2) the more experienced user who has SSH access

The commands above could be included in 2)
Last edited by tijs on Mon Aug 21, 2006 12:18 pm, edited 1 time in total.

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland

Re: Concrete permission question (which UNIX command?)

Post by Beat » Mon Aug 21, 2006 11:59 am

Good hint. I'm using the modifications syntax ;) : e.g.:

chmod -R og-w directory

this is recursive and doesn't touch the "x" bit needed for directories. Small pitfall, it doesn't remove the "x" bit of files, if those aren't set correctly.
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

zman818
Joomla! Explorer
Posts: 314
Joined: Mon Jun 19, 2006 5:54 pm

Re: Concrete permission question (which UNIX command?)

Post by zman818 » Thu Sep 07, 2006 6:42 pm

I threw a script together to handle permissions and ownership issues on a cron basis. Nothing particularly earth-shaking, but it's extensible and might be handy to someone.

It consists of a single script, a source file containing site directory paths, and two template files (one with 755/644 target paths, and the other containing 777/666 target paths).

For each path added to the source file (i.e.,  /home/site_a/public_html, /home/site_b/public_html) the script can:

1) Reset ownership for the entire tree to match ownership of public_html
2) Change all appropriate directories and files to 755/644
3) Change all appropriate directories and files to 777/666 (currently just standard Joomla and Virtuemart image directories)
4) Change cache folder ownership to the designated httpd user

This lets me muck around in a given production site and be sure that at some point in the near future all permissions will be reset. By doing it on an individual directory basis (rather than chmod'ing the entire public_html tree), I don't unintentionally change permissions on 3rd party apps that might be deployed. Instead, I can review permissions for those apps and add new template files as needed (and extend the script to handle the new app type).

It's hackish, and written in perfect Dilbert non-ergonomic engineering-ese, but it works for me. Just thought I'd share. The sample sitelist file should be fairly self-explanatory  (format is path:option   where option can = joomlalock or ownerreset)

*PLEASE* play with this script in a nice, safe corner of the room until you're sure it works as you expect/desire.

EDIT - fixed an issue where the chmod 644 to the site root files was also setting the root directories to 644 as well  (oops.  :)  It now uses find to ID files in the site root only.

Regards,
Mike
Last edited by zman818 on Fri Sep 08, 2006 4:02 pm, edited 1 time in total.

tunin
Joomla! Apprentice
Posts: 7
Joined: Wed Dec 20, 2006 10:07 pm

Re: Concrete permission question (which UNIX command?)

Post by tunin » Tue Jan 30, 2007 8:18 pm

Hello, I know this is an old topic... but it looks helpful with what it has here.

I just need a quick direction on how to use the script? I am having this problem and my host told me to find a script that will solve my CHOWN problem? Please HELP.

Thank you.

jefe
Joomla! Enthusiast
Posts: 111
Joined: Mon Dec 25, 2006 9:42 pm
Location: United States

Re: Concrete permission question (which UNIX command?)

Post by jefe » Thu Feb 01, 2007 9:36 am

Hi tunin,

Are you using shared hosting?  Unless you have root access, you will not be able to issue the chown command.  This is by design and your host should be able to reset your file owner for you.  If you are the owner through an FTP account, you can chmod files your FTP user owns, but this is time consuming.  If you do have root access you are better off using a single owner for all our web directories and getting rid of the world writable altogether.  Of course this requires your Apache user account to be the owner of the files, which is how J! 1.0.x creates/modifies/deletes files anyway.  This will change (optionally) in 1.5 though.  My 1.75 cent.  8)

Good luck.

tunin
Joomla! Apprentice
Posts: 7
Joined: Wed Dec 20, 2006 10:07 pm

Re: Concrete permission question (which UNIX command?)

Post by tunin » Thu Feb 01, 2007 3:00 pm

Hi there, I do not have root access... it is a shared account and I did contact my host, they did it for me once and after that they told me to find a script online to do it myself next time. That was it. I was going to change the host as they are lame with support but the account is pre-paid for 2 yrs. Is there anything else I can do to change the ownership?

Thanks a million.

jefe
Joomla! Enthusiast
Posts: 111
Joined: Mon Dec 25, 2006 9:42 pm
Location: United States

Re: Concrete permission question (which UNIX command?)

Post by jefe » Fri Feb 02, 2007 12:14 am

Heh, well I understand shared hosting frustrations, been there.  Anyway, yes there is actually.  Ownership of files in *NIX is determined by the creator (unless the folder has special settings that force a different user:group...but that's rare).  Since this is the case, you should make a choice.  It will probably be easier for you to manage all files with your FTP user if you have a testing or debug server.  If not, I would say it would be easier to just manage everything through the Apache user.  Here is an example:

A few months ago I was having big problems with this, my host kept resetting my user:group to all my files to my FTP user and jacking up my J! install.  (I had no permanent testing server).  Well this was getting really annoying and I didn't like the idea of every component thinking it MUST have 777, for crying out loud that is ridiculous.  Anyway, so I finally got a decent test server set up.  I'm currently in South America so this server is actually just a VM running on my laptop which has an identical setup to my VPS.  Anyway, my connection is extremely poor here so I couldn't just re-upload my site or chmod all the files to 777 as this wouldn't solve the ownership issue. 

I thought about it for a while and that is when I realized the solution was easy.  To make the owner the apache user, as I wanted to at the time I took my site off line for a few minutes to move the directory with the FTP account and then copy the directory back with the apache user.  I was on shared hosting and did not have shared hosting so I had to use a script to perform this action.  It is pretty easy though. 

Basically if you move the folder to a subdirectory of its root with your FTP user, and copy with apache.  After this is successful, now all files will be owned by apache:apache or whoever your apache user is and you can pull back permissions to 755, 644 for all directory files, respectively.  There are caveats to this, all files must be world readable if not already owned by apache, but this can be done through FTP.  Also, using the apache user has its own risks, it assumes your host is responsible with how they handle multiple users and protecting the directory from malicious users that may be sharing the server with you.  Here is some info on scripts that could help you with this:

http://www.php.net/copy

Of course if you move hosts and upload by FTP then, that user will own all files.  One last thing, when I was still on shared hosting, I would just upload gzipped archives of my changes to the server by FTP (for larger files) and unzip with Apache, i.e. JoomlaExplorer.  This would also keep all files owned by the Apache user as the files are actually being extracted and created with the Apache user.  Good luck.  8)

tunin
Joomla! Apprentice
Posts: 7
Joined: Wed Dec 20, 2006 10:07 pm

Re: Concrete permission question (which UNIX command?)

Post by tunin » Fri Feb 02, 2007 12:23 pm

Thank you for this excessive explanation. I will try this technique and see what happens. The thing is, when owned by Apache I can't do jack sh... with FTP (copy, change or anything else), also, for the same reason I can make the joomlaexplorer to run as Apache user (it only runs in FTP mode)...

What would I need to look for to choose the right host? I will most definitely switch.

Peace.

allankayak
Joomla! Intern
Posts: 55
Joined: Wed Nov 01, 2006 12:40 pm

Help!! total permission problem!!! site shut down!

Post by allankayak » Sun Feb 04, 2007 8:53 pm

Ok, now I am frustrated.
I have had my site up and running for a few months now, but it all just went to ##it!

http://www.riverkore.com/kore/ is the site

As you will see, it is not working right now.

I went in the admin backend and see that in the system settings all folders are not writable that should be!

I installed joomla via 'joomlastart'

I am on a shared server.

I have been very careful to change any files and folder via joomlaexplorer, as I learnt before that if I used ftp I would upset all the permissions or ownership.

Anyway, I was working with my host to work out why a cron php file was 'access denied' to my server, and I think the host has changed a permission, which seems to have upset the whole ownership again!
NOW MY SITE DOES NOT WORK.

Any ideas?

I can still get on my backend and I see through joomla explorer that the permissions are still correct, 755 etc, but the ownership before showed 2 owners, www, on 80, and myusername on,3705

Now I don't know what to do.  I can't change any permissions via joomlaexplorer, only via FTP or my Vdeck admin,

Is there a way to get joomla system to use the server owned permissions?

Otherwise what to do?  I can go set all folders to 777, but that is not such a good idea???

help???

jefe
Joomla! Enthusiast
Posts: 111
Joined: Mon Dec 25, 2006 9:42 pm
Location: United States

Re: Concrete permission question (which UNIX command?)

Post by jefe » Sun Feb 04, 2007 10:47 pm

Tell your host to do:

chown -R www:www /yourwebdirectory

Where www:www is your apache user:group.  Your host will know what these are, but you can double check it with Joomlaxplorer.  Under phpinfo screen, find this line under your Apache Handler (about a third down the page):

User/Group apache(48)/48

Let me know, 8)

Jeff

allankayak
Joomla! Intern
Posts: 55
Joined: Wed Nov 01, 2006 12:40 pm

Re: Concrete permission question (which UNIX command?)

Post by allankayak » Mon Feb 05, 2007 7:49 am

Thanks,

Do you know, is there a way I can change ALL my files to my group / user, so that I can ftp etc files and joomla will still work?

I have set up another site, with siteground, where the joomla core was installed by the server and all permissions have my username as the owner.  This seems to work fine.

Should I be able to download an entire site backup, then ftp all joomla files back up and have everything working?  I guess I am wondering how to re-install a full site backup.  I do a full site backup every week, and a joomla mod backs up the database every day.  So I should not have lost anything, just need to get it owned right.

?

RobS
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA

Re: Concrete permission question (which UNIX command?)

Post by RobS » Mon Feb 05, 2007 4:16 pm

I just thought I would throw this out here as well... I believe there is a FAQ on this issue that suggests a derivative of the find command for changing file permissions.  There is one caveat that I think is good to know, some OSs require a directory as the second argument to the find command.  Linux/FreeBSD/etc will take a directory as the second argument but if one is not supplied they will use the current directory.

Thus, for OS X servers, you will need to do something like:

find path/to/joomla -type f -exec chmod 644 {} \;
find path/to/joomla -type d -exec chmod 755 {} \;

Note: the FAQ: http://forum.joomla.org/index.php/topic,101838.0.html
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

jefe
Joomla! Enthusiast
Posts: 111
Joined: Mon Dec 25, 2006 9:42 pm
Location: United States

Re: Concrete permission question (which UNIX command?)

Post by jefe » Tue Feb 06, 2007 3:19 am

Well...I would say that depends. :)  Can you find out what user Apache is running as?  RobS is right about permissions, those commands are invaluable.  But you would still have problems on directories that Joomla! likes to write to, if your owner for FTP is different than Apache.  Basically this is the best way:

1.  Use RobS's example and get all your permissions the same.  For this to work, in a perfect world, your Apache user for your VirtualHost will be the same as your FTP user, therefore the owner is the same whether you install or upload a file through Joomla! or through FTP.  This is known as SUExec, a very handy utility in *NIX boxes for changing the user of a process, in this case Apache.  If this is the case, and your host will be able to tell you whether or not it is, then yes you will be fine with only 755, 644; this is the preferred method as well.

Unfortunately, when someone is controlling the server, using SUExec isn't always the case.  If this is the situation, here are your two options:

1.  Use a test server and only modify files locally, then upload changes through FTP.  This way you keep your FTP user for all files and folders, except of course for files & folders your users need to be able to change, i.e. for picture uploading or document sharing.  This way you can use the FTP owner for all files and keep the 755, 644 permissions for all folders except for those which Apache needs to make changes to, i.e. your cache folder or your images folder or something like that.  Because you will use your test server to install extensions and such, Apache doesn't need rights to write to these, only to read them.  For those folders that need to be world writable, just use 777.  That's not the best solution, but it works.

2.  This is what I used to do when I was on shared hosting:  Keep the Apache user as the owner of all files, and maintain 755, 644 permissions for all resources.  When I made changes on my test server, I would create an incremental tar archive of the changes and upload with FTP.  At this point the tar archive is owned by my FTP user, but using Apache I would unzip & untar the archive and overwrite all files on the live site.  This essentially patched my live server with my changes and because Apache was the one doing the overwriting, the files were still owned by apache, thus 755, 644 were still valid.

All three solutions will work, I have used them all.  Like I said, if your FTP and Apache user are the same, that is great, makes things much easier, and a little safer in my opinion.  The second option would be to do what most people do, just upload with slow old FTP your changes, keep your FTP user owner for all permissions.  But keep in mind you will need 777 for any folder you want Apache to write to.  So if you don't have a test server, then the recommended folders will all have to be 777, not a good option if you ask me, but there for compatibility.  Finally you could make Apache own all files and manage your server from the live site or a test server using tar archives to apply patches.  There are two problems with this method though.  First, if your server is not hardened properly, it is possible for others to use the Apache user to access and modify your files.  This is anytime you are on shared hosting and multiple users share a common account, like Apache.  Secondly, in my case, my genius host thought every few weeks they would chown -R all my resources back to my FTP user, totally jacking up my users as they could no longer write to the images directory for photo uploads.

That's my 2.5 cents.  Good Luck. 8)

Jeff McCoy

ZenSpirit
Joomla! Apprentice
Posts: 11
Joined: Wed Oct 05, 2005 2:08 pm

Re: Concrete permission question (which UNIX command?)

Post by ZenSpirit » Mon Mar 26, 2007 4:59 pm

Hi all ...
When trying to run this script, clean.sh, I get the following error:
/bin/bash^M: bad interpreter

Any ideas what's wrong?
Thanks for any help,
ZenSpirit.

RussW
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia

Re: Concrete permission question (which UNIX command?)

Post by RussW » Tue Mar 27, 2007 12:10 am

Looks like the file has been opened and saved as DOS (see the ^M). Under Unix, try running dos2unix clean.sh. If you are running this script under Windows then it is because you do not have the bash interpreter; it is a Unix thing.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/

illPhever
Joomla! Apprentice
Posts: 15
Joined: Sun Dec 10, 2006 1:47 pm

Re: Sv: Concrete permission question (which UNIX command?)

Post by illPhever » Sun Apr 29, 2007 1:37 pm

jenscski wrote: You can use these commands to set 755 on directories and 644 on files

find -type f -exec chmod 644 {} \;
find -type d -exec chmod 755 {} \;

Thanks. This is exactly what I was looking for. I'm running FreeBSD and in my case for some reason I had to add a "." to specify the current directory, as follows:

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;

illPhever

RussW
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia

Re: Concrete permission question (which UNIX command?)

Post by RussW » Sun Apr 29, 2007 1:41 pm

Yup, some Linux systems let you get away with not specifying, but OSs like Mac OS X and apparently FreeBSD do not.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
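
Added example (not part of any post in this thread): the 755/644 baseline from the find commands above, followed by the 707 upload-directory exceptions from tijs's list, applied to a constructed tree and then audited for world-writable entries. The function names and the sample layout are assumptions made for illustration; the start path is always passed to find, as the FreeBSD and OS X replies require.

```sh
#!/bin/sh
# Added example: 755/644 baseline plus a world-writable audit.
# Function names and the sample tree are constructed for illustration.

# Build a throwaway tree with deliberately loose modes; prints its path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/images/stories" "$root/cache" "$root/includes"
    : > "$root/index.php"
    : > "$root/configuration.php"
    : > "$root/.htaccess"     # hidden file: *.* does not match it by default
    : > "$root/LICENSE"       # no dot in the name: *.* skips this one too
    : > "$root/includes/joomla.php"
    : > "$root/images/stories/a.jpg"
    chmod -R 777 "$root"
    printf '%s\n' "$root"
}

# Directories to 755, regular files to 644, selected by type rather than
# by name. The start path is always given (FreeBSD and OS X find need it).
# Directories use "\;" so each one is repaired as it is visited, before
# find descends into it; files use "+" to batch the chmod calls.
# -type d / -type f never match symlinks, so links are left alone.
normalise_perms() {
    find "$1" -type d -exec chmod 755 {} \; &&
    find "$1" -type f -exec chmod 644 {} +
}

# Number of directories and files that are off the 755/644 baseline.
count_off_baseline() {
    {
        find "$1" -type d ! -perm 755
        find "$1" -type f ! -perm 644
    } | wc -l | tr -d ' '
}

# Every file or directory that any local account may write to.
list_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 | sort
}

demo() {
    tree=$(make_sample_tree) || return 1
    echo "off baseline before: $(count_off_baseline "$tree")"
    normalise_perms "$tree"
    # Upload directories opened up as in tijs's list (707).
    chmod 707 "$tree/images" "$tree/images/stories"
    echo "off baseline after:  $(count_off_baseline "$tree")"
    echo "world-writable, to review:"
    list_world_writable "$tree"
    rm -rf "$tree"
}

demo
```

After a reset, the audit output should contain only the directories that were opened up on purpose, so it doubles as the review list for the 707/777 exceptions discussed in the thread.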

karryberry
I've been banned!
Posts: 21
Joined: Wed Dec 19, 2007 10:36 pm

Re: Concrete permission question (which UNIX command?)

Post by karryberry » Wed Dec 19, 2007 10:44 pm

chmod -R 644 *.*
smile

RussW
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia

Re: Concrete permission question (which UNIX command?)

Post by RussW » Thu Dec 20, 2007 5:05 am

karryberry wrote: chmod -R 644 *.*

This would cause problems on many systems and would set incorrect permissions on some files and directories; the already suggested options would be a far better fix to provide file and directory permission modes.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/

ewel
Joomla! Guru
Posts: 522
Joined: Mon Oct 01, 2007 11:35 am

Re: Concrete permission question (which UNIX command?)

Post by ewel » Tue Jan 15, 2008 2:08 pm

Frankly I don't understand much of all the above, probably because I am not familiar with shell access.

However I found a very nice little perl program that is easy to upload and use for changing file permissions. See
http://www.perlservices.net/en/programs ... ndex.shtml
http://www.perlservices.net/en/programs ... uide.shtml

It has a nice graphic interface and within moments I had everything set to 755. For the remainder I did not really understand the options but while my root directory is password protected I have a bit of time in relative safety to find an easy way to set all the files to 644, and I have not figured out yet whether this script can set all files to 644 and all folders to 755 at the same time. If not it would be nice if someone would combine this with the script posted by Mike (who seems to have been inactive for months now). Also it would be nicer if it had 'select all' and 'select none' buttons.

tragged
Joomla! Apprentice
Posts: 7
Joined: Wed Jan 16, 2008 12:29 pm

Re: Concrete permission question (which UNIX command?)

Post by tragged » Wed Jan 16, 2008 12:39 pm

ewel wrote: Frankly I don't understand much of all the above, probably because I am not familiar with shell access.

However I found a very nice little perl program that is easy to upload and use for changing file permissions. See
http://www.perlservices.net/en/programs ... ndex.shtml
http://www.perlservices.net/en/programs ... uide.shtml

It has a nice graphic interface and within moments I had everything set to 755. For the remainder I did not really understand the options but while my root directory is password protected I have a bit of time in relative safety to find an easy way to set all the files to 644, and I have not figured out yet whether this script can set all files to 644 and all folders to 755 at the same time. If not it would be nice if someone would combine this with the script posted by Mike (who seems to have been inactive for months now). Also it would be nicer if it had 'select all' and 'select none' buttons.

musiqcentral
Joomla! Apprentice
Posts: 25
Joined: Tue Feb 05, 2008 11:51 pm

Re: Sv: Concrete permission question (which UNIX command?)

Post by musiqcentral » Fri Feb 08, 2008 4:22 pm

jenscski wrote: You can use these commands to set 755 on directories and 644 on files

find -type f -exec chmod 644 {} \;
find -type d -exec chmod 755 {} \;

I tried this in the public directory while in PuTTY... and nothing changed... does something go inside the {}? Maybe something did change... but I look in Plesk... and nothing did... I successfully was able to chown the cache to apache... but nothing else appears "changed".

