Can i make the root user owner of Joomla files?

vasmed · Post by **vasmed** » Wed Dec 23, 2020 8:21 am

I log on to freebsd 12.1 by ssh with su root user. So when i unpack Joomla files they have the root owner.
I change folders "cache" and "tmp" to www:wheel. Is this correct? Or should i change all files owner to www:wheel?
Permissions are 755 for folders, 644 for files, and 444 for configuration.php.

Post by **pe7er** » Wed Dec 23, 2020 8:58 am

Permissions are fine.

I would "chown" all files + folders to the same user as the web server process (under Apache it's commonly www-data).
That way you can upload files via the Joomla website (because it runs under the web server user).

However, if you try to upload via FTP you might have issues because the FTP is usually under another user/group.

vasmed · Post by **vasmed** » Wed Dec 23, 2020 9:40 am

pe7er wrote: ↑
Wed Dec 23, 2020 8:58 am
Permissions are fine.

I would "chown" all files + folders to the same user as the web server process (under Apache it's commonly www-data).
That way you can upload files via the Joomla website (because it runs under the web server user).

However, if you try to upload via FTP you might have issues because the FTP is usually under another user/group.

what is more secure: root owner or www owner?
Can hacker change files or run script if all files + folders are www owner?
Why i need chown all folders to www, when i can chown only some folders?

Post by **pe7er** » Wed Dec 23, 2020 10:09 am

vasmed wrote: ↑
Wed Dec 23, 2020 9:40 am
what is more secure: root owner or www owner?
Can hacker change files or run script if all files + folders are www owner?

That depends on what permissions they have on your system.
As you know all folders + files have permissions for 3 kinds of groups: owner, group, public.

Why i need chown all folders to www, when i can chown only some folders?

If you want to be able to keep Joomla + non core extensions up-to-date (which is recommended from security point of view) then the webserver should be able to overwrite the files with the files it gets from the updates.

vasmed · Post by **vasmed** » Thu Dec 24, 2020 3:43 am

pe7er wrote: ↑
Wed Dec 23, 2020 10:09 am

vasmed wrote: ↑
Wed Dec 23, 2020 9:40 am
what is more secure: root owner or www owner?
Can hacker change files or run script if all files + folders are www owner?
That depends on what permissions they have on your system.
As you know all folders + files have permissions for 3 kinds of groups: owner, group, public.
Why i need chown all folders to www, when i can chown only some folders?
If you want to be able to keep Joomla + non core extensions up-to-date (which is recommended from security point of view) then the webserver should be able to overwrite the files with the files it gets from the updates.

For example after unpack joomla by su root (by ssh) i have owner name = root, group name = wheel,
folders = 40755, files = 100644. And so only root user can change any file, and it seems to be safe.
When i need update i can change owner name to www (apache user) to all folders+files. After update i can change back to root owner. And for cache purposes set some folders+files to www owner.

The Joomla! Forum™

Can i make the root user owner of Joomla files?

Can i make the root user owner of Joomla files?

Re: Can i make the root user owner of Joomla files?

Re: Can i make the root user owner of Joomla files?

Re: Can i make the root user owner of Joomla files?

Re: Can i make the root user owner of Joomla files?