Joomla setting cache sub-folders to 777 permissions Topic is solved

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

glitterchickUK
Joomla! Apprentice
Posts: 28
Joined: Sun Aug 09, 2015 9:54 am

Post by glitterchickUK » Thu Sep 13, 2018 8:31 pm

Joomla version: 3.8.12
Web server: Apache
PHP version: 7.0.30

My webhost has alerted me to the fact that my cache folders in Joomla are being set with 777 permissions. I’ve not done this deliberately and can’t work out how to stop it happening.

The top-level cache folder (/cache) has 755 permissions. This is fine. But all the subfolders within it are set with 777 permissions. If I clear Joomla’s cache via the Joomla admin interface all the subfolders are deleted, but when the site is accessed again, the folders are created again with 777 permissions. If I manually chmod the subfolders to 755 whenever the cache files are updated the permissions revert back to 777.

Can anyone help? At the moment I don’t have access to a desktop/laptop computer so am somewhat limited with what I can do (hence not using the forum post assistant). Thank you in advance.

sozzled
Joomla! Champion
Posts: 5502
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Post by sozzled » Thu Sep 13, 2018 9:15 pm

A couple of suggestions:

a) if you don't have a "real" computer—desktop, laptop or tablet—with the means to use a permission-setting application (e.g. FileZilla) then install Akeeba Admin Tools and use the "Fix Permissions" feature of that extension. This should take you less than 10 minutes.

b) borrow a friend's computer

c) discuss the issue with your webhost

d) engage a professional website designer/developer to do the work for you.
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?

Post by glitterchickUK » Thu Sep 13, 2018 9:25 pm

Thank you for taking the time to respond.

a) I do have the ability to change folder permissions. I’ve changed the affected folders to 755. The issue is that Joomla changes them from 777 to 755 as soon as the caches change. And it changes _all_ of them, it’s not just one or two, which could indicate a problem with a specific extension.

b) Sadly not an option.

c) I’m in the process of doing this, but I don’t expect them to know all the intricacies of Joomla.

d) Also not an option.

Post by sozzled » Thu Sep 13, 2018 9:36 pm

Off the top of my head, without knowing anything about the website or who is the webhost (I don't really want to know who is hosting your website), there may be an issue with file ownership. If the folder(s) and file(s) are not owned by you (or by apache:apache) then file permissions may be set in some other way. I can't speak from experience (and I may be off the track) but you may want to discuss with your webhost this factor (or delve into CHOWN).

Not something I would do, myself. I don't have the problem because I have confidence in my webhosting provider to take care of these things.

I don't know why you would say that it's not an option to engage a professional. It's always an option but it may not, necessarily, be economically viable at this time.

We don't know what extensions you're using—the FPA report would possibly help—and I can't comment on whether something you've installed would contribute to the permissions issue or not.

Webdongle
Joomla! Master
Posts: 35190
Joined: Sat Apr 05, 2008 9:58 pm

Post by Webdongle » Thu Sep 13, 2018 10:21 pm

afaik Joomla does not do that. It is most likely an extension. viewtopic.php?f=714&t=793531 please
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

Post by sozzled » Thu Sep 13, 2018 10:23 pm

@Webdongle:
glitterchickUK wrote:
Thu Sep 13, 2018 8:31 pm
... I don’t have access to a desktop/laptop computer so am somewhat limited with what I can do (hence not using the forum post assistant).
(Just to clarify this: the first step in running the FPA is to download the ZIP package to a local storage device—a PC, for example—in order to extract the fpa-en.php file. If the user doesn't have the ability to download the file then they don't have the means to upload it to their website, right?)

Post by Webdongle » Thu Sep 13, 2018 11:06 pm

It can be done with android but is awkward. But without access to a PC or laptop then a lot of site/server maintenance is difficult as well.

Post by glitterchickUK » Fri Sep 14, 2018 8:58 am

glitterchickUK wrote:
Thu Sep 13, 2018 9:25 pm
The issue is that Joomla changes them from 777 to 755 as soon as the caches change.
Of course, I mean from 755 _to_ 777. I’ve been trying to figure this out for too long.

Post by glitterchickUK » Fri Sep 14, 2018 9:22 am

Forum Post Assistant (v1.4.3 (Frosty)) : 14th September 2018 wrote:
Basic Environment ::
Joomla! Instance :: Joomla! 3.8.12-Stable (Amani) 28-August-2018
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Writable (644) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 3.8
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: No (ReWrite Enabled but no .htaccess?) | GZip: 1 | Cache: 0 | CacheTime: 120 | CacheHandler: file | CachePlatformPrefix: 1 | FTP Layer: 0 | Proxy: 0 | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: 0 | SSL: 0 | Error Reporting: none | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | dbConnection Type: mysqli | PHP Supports J! 3.8.12: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 4.4.52-20.7.el6.xen.art.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 183.69 GiB |

PHP Configuration :: Version: 7.0.30 | PHP API: cgi-fcgi | Session Path Writable: No | Display Errors: | Error Reporting: 24575 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: /var/www/vhosts/glitterchickUK.com/httpdocs:/usr/share/pear:/tmp | Uploads: 1 | Max. Upload Size: 16M | Max. POST Size: 16M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

Database Configuration :: Version: 5.6.39-log (Client:5.6.39) | Host: --protected-- (--protected--) | Localhost: Yes | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 8.92 MiB | #of Tables:  95

Detailed Environment ::
PHP Extensions :: Core (7.0.30) | date (7.0.30) | libxml (7.0.30) | openssl (7.0.30) | pcre (7.0.30) | sqlite3 (7.0.30) | zlib (7.0.30) | calendar (7.0.30) | ctype (7.0.30) | curl (7.0.30) | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (7.0.30) | ftp (7.0.30) | gd (7.0.30) | gettext (7.0.30) | SPL (7.0.30) | iconv (7.0.30) | session (7.0.30) | intl (1.1.0) | json (1.4.0) | mbstring (7.0.30) | mcrypt (7.0.30) | standard (7.0.30) | mysqli (7.0.30) | mysqlnd (mysqlnd 5.0.12-dev - 20150407 - $Id: b5c5906d452ec590732a93b051f3827e02749b83 $) | PDO (7.0.30) | pdo_mysql (7.0.30) | pdo_sqlite (7.0.30) | Phar (2.0.2) | posix (7.0.30) | Reflection (7.0.30) | imap (7.0.30) | SimpleXML (7.0.30) | soap (7.0.30) | sockets (7.0.30) | exif (7.0.30) | tokenizer (7.0.30) | xml (7.0.30) | xmlreader (7.0.30) | xmlwriter (7.0.30) | zip (1.13.5) | cgi-fcgi () | Zend Engine (3.0.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) :: cache/gantry5/g5_hydrogen/ (777) | cache/gantry5/g5_hydrogen/compiled/ (777) | cache/gantry5/g5_hydrogen/compiled/blueprints/ (777) | cache/gantry5/g5_hydrogen/compiled/config/ (777) | cache/gantry5/g5_hydrogen/compiled/yaml/ (777) | cache/gantry5/g5_hydrogen/html/ (777) | cache/gantry5/g5_hydrogen/twig/ (777) | cache/gantry5/g5_hydrogen/twig/30/ (777) | cache/gantry5/g5_hydrogen/twig/b7/ (777) | cache/gantry5/g5_hydrogen/twig/d2/ (777) |

Extensions Discovered ::
Components :: SITE ::
Core :: com_wrapper (3.0.0) 1 | com_mailto (3.0.0) 1 |
3rd Party::

Components :: ADMIN ::
Core :: com_search (3.0.0) 1 | com_login (3.0.0) 1 | com_categories (3.0.0) 1 | com_templates (3.0.0) 1 | com_plugins (3.0.0) 1 | com_redirect (3.0.0) 1 | com_fields (3.7.0) 1 | com_contenthistory (3.2.0) 1 | com_associations (3.7.0) 1 | com_users (3.0.0) 1 | com_ajax (3.2.0) 1 | com_checkin (3.0.0) 1 | com_banners (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_modules (3.0.0) 1 | com_finder (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_messages (3.0.0) 1 | com_config (3.0.0) 1 | com_media (3.0.0) 1 | com_cache (3.0.0) 1 | com_cpanel (3.0.0) 1 | com_languages (3.0.0) 1 | com_tags (3.1.0) 1 | com_admin (3.0.0) 1 | com_weblinks (3.6.0) 1 | com_menus (3.0.0) 1 | com_content (3.0.0) 1 | com_installer (3.0.0) 1 | com_newsfeeds (3.0.0) 1 |
3rd Party:: Admintools (5.1.4) 1 | com_gantry5 (5.4.26) 1 | Akeeba (6.2.1) 1 |

Modules :: SITE ::
Core :: mod_breadcrumbs (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_search (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_weblinks (3.6.0) 1 | mod_tags_popular (3.1.0) 1 | mod_articles_category (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_tags_similar (3.1.0) 1 | mod_banners (3.0.0) 1 | mod_login (3.0.0) 1 |
3rd Party:: mod_gantry5_particle (5.4.26) 1 |

Modules :: ADMIN ::
Core :: mod_multilangstatus (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_version (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_status (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_title (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_login (3.0.0) 1 |
3rd Party::

Plugins :: SITE ::
Core :: plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_weblinks (3.6.0) 1 | plg_user_profile (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_contactcreator (3.0.0) 0 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_webinstaller (1.1.1) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_twofactorauth_totp (3.2.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_extension_joomla (3.0.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_ldap (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_cookie (3.0.0) 1 | plg_captcha_recaptcha (3.4.0) 0 | plg_content_finder (3.0.0) 0 | plg_content_vote (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_emailcloak (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_search_categories (3.0.0) 1 | plg_search_tags (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_search_contacts (3.0.0) 1 | 
plg_search_weblinks (3.6.0) 1 | plg_system_debug (3.0.0) 1 | plg_system_sessiongc (3.8.6) 1 | plg_system_updatenotification (3.5.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_sef (3.0.0) 1 | plg_system_log (3.0.0) 1 | plg_system_highlight (3.0.0) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_p3p (3.0.0) 0 | plg_system_languagecode (3.0.0) 0 | plg_system_cache (3.0.0) 0 | plg_system_logout (3.0.0) 1 | plg_system_fields (3.7.0) 1 | plg_system_remember (3.0.0) 1 | plg_system_stats (3.5.0) 1 |
3rd Party:: plg_quickicon_akeebabackup (1.0) 1 | plg_quickicon_gantry5 (5.4.26) 1 | plg_gantry5_preset (5.4.26) 1 | plg_editors_tinymce (4.5.8) 0 | plg_editors_codemirror (5.38.0) 1 | PLG_SYSTEM_BACKUPONUPDATE_TITL (3.7) 1 | plg_system_gantry5 (5.4.26) 1 | System - Admin Tools (5.1.4) 1 | System - RokBooster (1.1.17) 0 | PLG_SYSTEM_AKEEBAUPDATECHECK_T (1.1) 1 |

Templates Discovered ::
Templates :: SITE :: beez3 (3.1.0) 1 | g5_hydrogen (5.4.26) 1 | protostar (1.0) 1 |
Templates :: ADMIN :: hathor (3.0.0) 1 | isis (1.0) 1 |

Post by glitterchickUK » Fri Sep 14, 2018 9:35 am

Webdongle wrote:
Thu Sep 13, 2018 11:06 pm
It can be done with android but is awkward. But without access to a PC or laptop then a lot of site/server maintenance is difficult as well.
I’ve finally managed to find a way to upload the FPA to my site on iOS (using Readdle’s Documents app to handle extracting the file). Just waiting for someone to approve the post with the info.

I can’t afford to hire anyone to investigate this issue for me. It’s a hobby website which hasn’t been updated content-wise in some time. (I check for Joomla updates on a regular basis though.) If I can’t figure it out myself, or with help from here/my hosting company then I’ll just delete the website and be done with it. I would quite like to actually work it out though, for the challenge of it if nothing else.

mandville
Joomla! Master
Posts: 14685
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Post by mandville » Fri Sep 14, 2018 10:15 am

OK. This statement will get me shot.
It is NOT Joomla, it is NOT (at this time) your host.
I HATE irresponsible, lacklustre developers.
if (!is_dir($dst)) {
    $success &= @mkdir($dst, 0777, true);
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Post by mandville » Fri Sep 14, 2018 10:40 am

https://github.com/gantry/gantry5/issues/2363
It's in the folder.php file; that was the first I found, there are many more.

Post by glitterchickUK » Fri Sep 14, 2018 10:54 am

mandville wrote:
Fri Sep 14, 2018 10:15 am
OK. This statement will get me shot.
It is NOT Joomla, it is NOT (at this time) your host.
I HATE irresponsible, lacklustre developers.
if (!is_dir($dst)) {
    $success &= @mkdir($dst, 0777, true);
I finally worked out the affected files, or at least one of them thanks to that snippet, and I’ll try and manually change them all... was going to see if I could contact the developer in question to get them to fix it in their releases, but see you are way ahead of me there. Thank you.

Post by glitterchickUK » Fri Sep 14, 2018 10:59 am

mandville wrote:
Fri Sep 14, 2018 10:40 am
https://github.com/gantry/gantry5/issues/2363
It's in the folder.php file; that was the first I found, there are many more.
My searches have found four files, all Gantry5 ones. (Grrr.) I can’t post on the RocketTheme message boards without being a paid member, which I no longer am, so thank you for the issue on GitHub. I’ll try editing the five files to see if that fixes the problem.

Post by mandville » Fri Sep 14, 2018 11:12 am

it seems an interesting debate is just about to start as the developer has made a classic statement
"they expect your server to be secure and properly configured"

Post by glitterchickUK » Fri Sep 14, 2018 11:22 am

I’ve edited the four Gantry5 files to use 755 and nothing seems to have broken, and the Gantry5 cache folder is now being generated with 755 permissions. Woohoo!

So I’ve enabled Joomla’s caching again (Global configuration — system settings — platform-specific & conservative caching on, and also Extensions — Plug-ins — “System — Page cache” on), and all the other cache folders are being created with 777. I’ll keep hunting.

Post by glitterchickUK » Fri Sep 14, 2018 11:32 am

mandville wrote:
Fri Sep 14, 2018 11:12 am
it seems an interesting debate is just about to start as the developer has made a classic statement
"they expect your server to be secure and properly configured"
Am I understanding correctly that they’re saying it’s OK for their code to specify 777 because PHP on the server should be set up to automatically change it to 755 instead...?

fcoulter
Joomla! Ace
Posts: 1665
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Post by fcoulter » Fri Sep 14, 2018 1:42 pm

Am I understanding correctly that they’re saying it’s OK for their code to specify 777 because PHP on the server should be set up to automatically change it to 755 instead...?
Yes, conveniently ignoring the fact that most users are on a shared server and have no control over the server, and do not have the knowledge to tell whether it is correctly configured or not.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

Post by glitterchickUK » Fri Sep 14, 2018 2:54 pm

Yes, I’m on a shared server and until today had never heard of “umask”. I’ve contacted my host and explained the Gantry developer’s reaction, so will see what my host come back with.

For something as critical as permissions though isn’t it possible for the PHP code to check what the server configuration (umask) is and then adjust the permissions in the code accordingly?

Post by mandville » Fri Sep 14, 2018 3:54 pm

There's none so deaf as will not hear

Post by Webdongle » Fri Sep 14, 2018 5:13 pm

Why the need to set it 777 in the first place?

JAVesey
Joomla! Ace
Posts: 1750
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Post by JAVesey » Fri Sep 14, 2018 5:27 pm

Assuming that this is a security risk, should this extension be listed on VEL?
John V
Cardiff, Wales, UK
Website: https://www.llanmon.org.uk (Joomla 3.8.12)

Post by mandville » Fri Sep 14, 2018 5:37 pm

JAVesey wrote:
Fri Sep 14, 2018 5:27 pm
Assuming that this is a security risk, should this extension be listed on VEL?
We were waiting for a dev statement before making the listing public.

Post by glitterchickUK » Sat Sep 15, 2018 10:15 am

I’ve just discovered what the VEL is, and whilst I think it’s a brilliant idea it’s a bit hidden... would it make sense to get an obvious link on https://extensions.joomla.org or are there just so few issues with extensions that it’s not considered worthwhile? Now I know the list exists I know to look for it, but I’m very sure that in a week’s time I won’t be able to remember where it is, other than I came across it from somewhere in the forum. (I know I could bookmark it, but just trying to explain how difficult it is to find for a non-regular.)

Post by Webdongle » Sat Sep 15, 2018 4:03 pm

vel 01.JPG

Post by glitterchickUK » Mon Sep 17, 2018 9:11 am

Webdongle wrote:
Sat Sep 15, 2018 4:03 pm
vel 01.JPG
Oops. I missed that one.

Back on topic though, and my hosting company don’t seem to be willing to change their server configuration. They’re not going into detail as to why. (They are trying to get people to stop using 777 permissions, that’s how I found out about the issue to start with.)

I’ve still not worked out why the other cache subfolders are being created as 777. They _seem_ to me to be Joomla-generated, as they only appear when I’ve enabled Joomla’s cache in global configuration, but please remember I’m not a php developer and am not familiar with Joomla’s code.

Post by Webdongle » Mon Sep 17, 2018 9:15 am

Another thing wrong with your Host's server (although unrelated to the main problem)
Session Path Writable: No ... should be Yes.

mahagr
Joomla! Apprentice
Posts: 17
Joined: Fri Sep 26, 2008 4:55 pm

Post by mahagr » Mon Sep 17, 2018 11:50 am

This issue can be reproduced with a clean installation without any extensions installed. Please do not blame extensions without reason -- it took me 5 minutes to recreate the issue.

Just edit index.php and add umask(0); to the code to simulate the issue.

This issue is likely caused by either server mis-configuration or a hacked site.
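
The interaction this thread debates, between the quoted `mkdir($dst, 0777, true)` call, the 755 edit and the process umask (including the `umask(0)` reproduction), shown as an added example; it is not code from Gantry5, Joomla or any poster here. The function names and scratch paths are hypothetical, and a POSIX host with PHP 7.0 or later is assumed.

```php
<?php
// Added illustration; not Gantry5 or Joomla code. All function names and
// scratch paths are hypothetical. Assumes a POSIX host and PHP 7.0 or later.

/** Create $dir with $requested under $umask; return the mode the filesystem reports. */
function modeAfterMkdir(string $dir, int $requested, int $umask): string
{
    $previous = umask($umask);        // umask() returns the value it replaces
    try {
        if (!mkdir($dir, $requested, true)) {
            throw new RuntimeException("mkdir failed: $dir");
        }
    } finally {
        umask($previous);             // restore, so the demo does not leak its umask
    }
    clearstatcache(true, $dir);
    return sprintf('%03o', fileperms($dir) & 0777);
}

/** Return every directory below $root that has the world-writable bit set. */
function findWorldWritableDirs(string $root): array
{
    $hits = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($walker as $item) {
        if ($item->isDir() && !$item->isLink() && ($item->getPerms() & 0002)) {
            $hits[] = $item->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

/** Delete the scratch tree created below. */
function removeTree(string $root)
{
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($walker as $item) {
        if ($item->isDir() && !$item->isLink()) {
            rmdir($item->getPathname());
        } else {
            unlink($item->getPathname());
        }
    }
    rmdir($root);
}

$base = sys_get_temp_dir() . '/umask-demo-' . bin2hex(random_bytes(4));
mkdir($base, 0700);

// label, mode passed to mkdir(), process umask
$cases = [
    ['quoted-0777-umask-000', 0777, 0000],  // the quoted call with umask(0)
    ['quoted-0777-umask-022', 0777, 0022],  // the quoted call with a common default umask
    ['edited-0755-umask-000', 0755, 0000],  // the 755 edit, even with umask(0)
    ['edited-0755-umask-027', 0755, 0027],  // a stricter umask only removes more bits
];

foreach ($cases as $case) {
    list($label, $requested, $umask) = $case;
    $mode = modeAfterMkdir("$base/$label/twig/30", $requested, $umask);
    printf("%-24s requested %04o, umask %04o => %s\n", $label, $requested, $umask, $mode);
}

echo "World-writable directories found:\n";
foreach (findWorldWritableDirs($base) as $dir) {
    echo '  ', substr($dir, strlen($base) + 1), "\n";
}

removeTree($base);
```

The mode a new directory ends up with is the requested mode with the umask bits cleared, so the umask can only take permissions away. Requesting 0755 therefore never produces a world-writable directory, whatever the host's umask is, while requesting 0777 leaves that outcome to the server configuration.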

Post by Webdongle » Mon Sep 17, 2018 3:07 pm

It can be done that way but in this case it is (almost certainly) not. The OP does not have the wherewithal to have done that and it is extremely unlikely that a Host would do that to the Joomla index.php file. Besides which it has been proven a Template has code setting the folder 777.

If it was because of a hack then it is also doubtful a hacker would do that because they would need access to do it and once they had access they would not need to do that.

Post by glitterchickUK » Mon Sep 17, 2018 3:19 pm

Webdongle wrote:
Mon Sep 17, 2018 9:15 am
Another thing wrong with your Host's server (although unrelated to the main problem)
Session Path Writable: No ... should be Yes.
Thank you, I’ll see if I can get that fixed.

