Directory Permissions

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
whitebirch
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 183
Joined: Wed Oct 25, 2006 9:47 pm

Directory Permissions

Post by whitebirch » Sat Nov 10, 2007 1:30 am

For me to work on my site it seems I need Directory Permissions to be set to 777 on the directories I see in the Joomla Info.  Do I need to set these back to 744 when I am done working? 

whitebirch
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 183
Joined: Wed Oct 25, 2006 9:47 pm

Re: Directory Permissions

Post by whitebirch » Sat Nov 10, 2007 1:38 am

It also seems that when I install an extension it wants its own directories to be open....  Isn't this a security issue?  I went to install extplorer and I had to open Joomla's directories and now I need to open extplorer's folders/files.  Do I really have to go back and close all these files/folders when I am done?  My ISP can do it via scripting, but I can't request every time I am done working.

whitebirch
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 183
Joined: Wed Oct 25, 2006 9:47 pm

Re: Directory Permissions

Post by whitebirch » Sat Nov 10, 2007 1:58 am

And I noticed In the "back end" Administration view, go to Site --> Global Configuration --> Server doesn't exist in 1.5

User avatar
RussW
Joomla! Exemplar
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia
Contact:

Re: Directory Permissions

Post by RussW » Sat Nov 10, 2007 2:12 am

Please review the following FAQ's ASAP, you will find a wealth of information related to your issues.

  Security & Performance FAQ

The above mentioned FAQ will provide with more than enough information to assist you in further securing your sites.

Particular entries of note and to pay attention to, are;

  Joomla! Administrator's Security Checklist

  Joomla! Tools Suite
  How can I check my Joomla! installation's overall security and health?

  What does Joomla! have to do with file permissions?
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/

whitebirch
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 183
Joined: Wed Oct 25, 2006 9:47 pm

Re: Directory Permissions

Post by whitebirch » Sat Nov 10, 2007 4:46 am

Hmmm. I appreciate the reply, but I have read all that and every time I post a security question you post those links.  I am running 1.5 so the Joomla Tools Suite is not applicable... Am I correct? I don't read anything about why the change back to 744 when complete like 1.x had.

User avatar
RussW
Joomla! Exemplar
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia
Contact:

Re: Directory Permissions

Post by RussW » Sat Nov 10, 2007 4:59 am

Server permissions are server permissions, regardless of Joomla! release installed.....  777 is wide open, anything less than that does not expose the server in quite the same way or quite as much. If you have read all the security information then hopefully you have a grasp on permissions and how they work, what they are for.....


There is now a JTS component that works with J! 1.5 but not the stand-alone version yet, this can be found on the Extension Site and on the JoomlaCode site, there is also a running thread for discussion regarding JTS.

The reason why I post "all those links" is because they answer many of the questions people have regarding Security, Permissions and Performance.

The default permissions in "most" Unix based Operating Systems that are considered "sane" and "normal" are

  Directories = 755  (not 744, this can cause some issues with search and mambots especially)
  Files        = 644

"Writable" means different things to different server configurations, thus can be anywhere from 750 through 777 for directories and 650 through 777 for files.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/

whitebirch
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 183
Joined: Wed Oct 25, 2006 9:47 pm

Re: Directory Permissions

Post by whitebirch » Sat Nov 10, 2007 5:21 am

But Joomla says it needs 777 to be writable.  If I set it to 755 it isn't reading as writable.  I'll check out that JTS.... thanks for the fast reply.

User avatar
RussW
Joomla! Exemplar
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia
Contact:

Re: Directory Permissions

Post by RussW » Sat Nov 10, 2007 1:15 pm

The Joomla! Installation WbUI and the System Information states "writable" not 777....  The exact mode required (anywhere between 755 and 777) depends on your servers configuration.

The fact that Joomla! only reports writable when you set 777 is due to your hosts chosen method of configuring their server.  If the host had phpSuExec installed then you would only need 755, and with suExec installed , you actually wouldn't be able to set 777 without the site erroring.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/

publipoint
Joomla! Intern
Joomla! Intern
Posts: 79
Joined: Fri Oct 19, 2007 7:34 am
Location: Switzerland
Contact:

Re: Directory Permissions

Post by publipoint » Thu Nov 15, 2007 7:26 am

RussW wrote: The Joomla! Installation WbUI and the System Information states "writable" not 777....  The exact mode required (anywhere between 755 and 777) depends on your servers configuration.

The fact that Joomla! only reports writable when you set 777 is due to your hosts chosen method of configuring their server.  If the host had phpSuExec installed then you would only need 755, and with suExec installed , you actually wouldn't be able to set 777 without the site erroring.
Hi there!
Please let me post my own question regarding 777. With our host, we need to chmod folders 777 to install Joomla!. With 755, directories aren't writable. Can we chmod back to 755 after installing?
Michele Bugliaro Goggia
designer SUP in visual communication
http://www.publipoint.ch

User avatar
RussW
Joomla! Exemplar
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia
Contact:

Re: Directory Permissions

Post by RussW » Thu Nov 15, 2007 7:52 am

Yes you can chmod directories back to 755 following installation, but do remember, that some functions in Joomla! require "writable" (which in your case unfortnately does mean 777) So if you wish to be able to upload images to the images directory or install extensions randomly, then these directories need to be be writable, but following the upload or extension intallation you can reset them back to 755 again.

Its just a matter of Administration overhead.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/

publipoint
Joomla! Intern
Joomla! Intern
Posts: 79
Joined: Fri Oct 19, 2007 7:34 am
Location: Switzerland
Contact:

Re: Directory Permissions

Post by publipoint » Thu Nov 15, 2007 8:39 am

RussW wrote: Yes you can chmod directories back to 755 following installation, but do remember, that some functions in Joomla! require "writable" (which in your case unfortnately does mean 777) So if you wish to be able to upload images to the images directory or install extensions randomly, then these directories need to be be writable, but following the upload or extension intallation you can reset them back to 755 again.

Its just a matter of Administration overhead.
Thanks! Do you think we are under hacking risk, with this setup?
Michele Bugliaro Goggia
designer SUP in visual communication
http://www.publipoint.ch

User avatar
RussW
Joomla! Exemplar
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia
Contact:

Re: Directory Permissions

Post by RussW » Thu Nov 15, 2007 10:43 am

No more or less than any one else,  there are always inherant security weaknesses in any server, configuraiton or software.

Please also review the Forum Rules and correct your signature.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/

User avatar
marjinalhakan
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Fri Nov 16, 2007 5:31 am
Location: Turkey

Re: Directory Permissions

Post by marjinalhakan » Fri Nov 16, 2007 5:41 am

hi..

Joomla at the housing estate the security rate escapes against the attacks 8)

Work besides the everybody thankings ;)

Gerbs
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Thu Sep 20, 2007 10:05 pm

Re: Directory Permissions

Post by Gerbs » Sun Nov 25, 2007 4:10 am

Using Joomla 1.5, what is the easiest way to set file permissions to 644 and directory permissions to 755?  Is sounds like the old version of Joomla had this capability on the server tab, but I don't see anything like this in Joomla 1.5. 

User avatar
muddauber
Joomla! Ace
Joomla! Ace
Posts: 1529
Joined: Thu Jun 08, 2006 11:26 pm

Re: Directory Permissions

Post by muddauber » Sun Nov 25, 2007 4:53 am

Thanks RussW, the information helps me with some troublesome work I have had
with Joomla installs on a BSD system (PAIR.COM) They do not allow
SuEXEC and require an install of a PHP CGI-Wrap script.

When I installed that my Joomla install now says I have my
Global set wrong and the Magic_quotes set wrong, even though
I added the required lines in my .htaccess file.

With these kind of issues, and the above questions related to
requiring to have files remain at 777, would you recommend going
to a more Joomla-Friendly environment?

Every time I install a module or component, the server sets the
owner to "nobody" and I can NOT modify or remove the file without
calling tech support.


Locked

Return to “Security in Joomla! 1.5”