How to configure PHP/Apache to make files writeable?

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

tmorton
Joomla! Apprentice
Posts: 12
Joined: Mon Jan 18, 2016 5:41 am

How to configure PHP/Apache to make files writeable?

Post by tmorton » Sat Feb 06, 2016 3:57 am

One thing that has bothered me about Joomla is how it demands that files be writeable in order to work. I've seen discourses about file permissions, but that seems to miss the point for me. The real question is what user is PHP running as? Is it running as the owner? Or is it in the group? Or, heaven forbid, requires 777?

What makes me paranoid is that if PHP has sufficient permissions to write in logs/ or tmp/ etc, then it has enough permissions to write -anywhere- in the web site hierarchy. Or, worse yet, the ability to write in some other web site.

I thought standard practice was to have all writeable files outside the document root, so that a hacker could only muck up the writeable area, but not the web site itself (well, not as easily).

I'm not a security guru by any means, but I'd like to see some discussion on this. What brings this up is that in order to have PHP write to the files, I had to either change ownership or elevate the permissions, and I didn't see discussion on how to be sure that php/apache is set up correctly.

[I'm currently testing Apache 2 ITK MPM. It looks wonderful, but I still don't like the idea of php being able to write to the entire website]

sudo-web
Joomla! Ace
Posts: 1325
Joined: Fri Jan 22, 2016 7:10 pm
Location: Vienna - Austria

Re: How to configure PHP/Apache to make files writeable?

Post by sudo-web » Sat Feb 06, 2016 12:00 pm

I'll try to explain why some things are as they are, although I'm aware that not everything is ideal from a security perspective.

Joomla is meant to be a CMS that is also easy to use for people who have absolutely no experience or knowledge about how a web server works internally. On the other hand, providers try to do the same, making things as easy as possible, especially in shared server environments.

A lot of shared servers do not provide access to the folders outside the document root; you only have the document root. If you come from a more developer perspective and have experience with PHP frameworks this sounds very odd, but this is real life.

On the other hand, Joomla is extensible by plugins / components / modules / templates and so on. All those extensions are located in different locations depending on what kind of extensions they are.

With shared servers I have never seen the possibility to use things like Composer, and this would overburden a lot of people. Therefore most of the folders have to be writable, otherwise no one could install an extension from within Joomla, which means with PHP.

If you have a look at this forum you will see the advice to have the permissions for folders set to 755 and for files to 644 (one exception: the configuration.php file can have 444). As you know, that means PHP should run as owner, otherwise PHP could not write new files to folders. And in my experience this is the default configuration of most of the shared servers.

Of course you have to configure your Apache server in such a way that it has no access to folders other than the ones you want, but this is possible.

I hope that helps somehow, and answers your question. If not, feel free to ask.
Visit me on my Webdesign Webpage: https://www.posit.at

tmorton
Joomla! Apprentice
Posts: 12
Joined: Mon Jan 18, 2016 5:41 am

Re: How to configure PHP/Apache to make files writeable?

Post by tmorton » Sat Feb 06, 2016 6:28 pm

Thank you, that helps put things in perspective. That explains why there is so much talk about permissions and so little about *who* has those permissions.

I found an old article (https://docs.joomla.org/Security_and_Performance_FAQs) that covers some of the concerns I have.

If anybody else wants to jump in, though, I'd love to see what you have to say.

...next project, making it work with git.

Webdongle
Joomla! Master
Posts: 37777
Joined: Sat Apr 05, 2008 9:58 pm

Re: How to configure PHP/Apache to make files writeable?

Post by Webdongle » Sat Feb 06, 2016 6:50 pm

Three groups
User ... Group ... Other
Each bit (digit) refers to the permissions for a group

Permission values are
Read ...... 4
Write ...... 2
Execute ... 1

Therefore 644 is
User ..... Read and Write ... 4 + 2
Group ... Read Only .... 4
Other ... Read Only .... 4

755 is
User ..... Read and Write and Execute ... 4 + 2 + 1
Group ... Read and Execute .... 4 + 1
Other ... Read and Execute .... 4 + 1

Joomla sets the configuration file 444 so if you edit that file on the server you will need to set it 644 to save your changes.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

tmorton
Joomla! Apprentice
Posts: 12
Joined: Mon Jan 18, 2016 5:41 am

Re: How to configure PHP/Apache to make files writeable?

Post by tmorton » Mon Feb 08, 2016 5:43 am

Yep, like I said; information about permissions abounds. But if you don't know what user PHP is running as, the only value that has is to teach people to start putting in sevens until it works. (and hopefully back it down at the end of installation.)

But my question is what user *should* PHP be running as? Is it necessary for PHP to *always* have write permission to all of the website?

I am still very new to Joomla, and trying to figure out how it ticks as far as usage goes. My first exposure to Joomla was a hacked website. And then I saw that it requires writeable areas alongside the code.

I now understand *why* it is set up that way: in the compromise between ease of use and security, Joomla is aimed at the non-programmer which means ease-of-use is its primary focus. Making it secure takes a lot more effort. Nothing wrong with that, as long as you understand the compromise.

What I'm really looking for is a discussion of what user PHP should be running as, and why. Does PHP need write access to the whole application? What is your preferred way to lock it down?

There are many ways to lock it down, but some methods are more cumbersome than others. The most obvious is to back all the permissions down to read only, with write access only on the dozen or so directories that require it (that is, if that's all of them that require write access).

Or, you could change the owner of the writeable directories to nobody or www-data, leaving the files at 744 and directories at 755.

Or, you could use suPHP (unmaintained)...

Or, you could use apache's mpm-itk and choose the user you want PHP to run as.

That's the discussion I'm hoping to see. :)

ribo
Joomla! Virtuoso
Posts: 3416
Joined: Sun Jan 03, 2010 8:47 pm

Re: How to configure PHP/Apache to make files writeable?

Post by ribo » Mon Feb 08, 2016 8:30 am

chat room spontes : http://www.spontes.com

tmorton
Joomla! Apprentice
Posts: 12
Joined: Mon Jan 18, 2016 5:41 am

Re: How to configure PHP/Apache to make files writeable?

Post by tmorton » Mon Feb 08, 2016 2:04 pm

"You have to change the Apache handler from Apache2 to cgi and your problems will be solved. You should compile your box with Suexec + Suphp amongst others, then you won't have these permission issues. The SuPHP/fcgi solution is not only faster but also way more secure"

So to sum up, you're saying to run PHP as the web user, and let it have write permissions to the entire site? This is certainly a good neighbor approach, as it only gives access to that particular user's files.

This still leaves me with the question: does the whole site need to be writeable by PHP?

Webdongle
Joomla! Master
Posts: 37777
Joined: Sat Apr 05, 2008 9:58 pm

Re: How to configure PHP/Apache to make files writeable?

Post by Webdongle » Mon Feb 08, 2016 2:47 pm

http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

ribo
Joomla! Virtuoso
Posts: 3416
Joined: Sun Jan 03, 2010 8:47 pm

Re: How to configure PHP/Apache to make files writeable?

Post by ribo » Mon Feb 08, 2016 5:43 pm

tmorton wrote:"You have to change the Apache handler from Apache2 to cgi and your problems will be solved. You should compile your box with Suexec + Suphp amongst others, then you won't have these permission issues. The SuPHP/fcgi solution is not only faster but also way more secure"

So to sum up, you're saying to run PHP as the web user, and let it have write permissions to the entire site? This is certainly a good neighbor approach, as it only gives access to that particular user's files.

This still leaves me with the question: does the whole site need to be writeable by PHP?

The Suexec + Suphp with fcgi solution is very good for not having permission issues. You must recompile to do that. Then, when everyone has 644 on files and 755 on folders, they will be writable and everything with permissions will work fine. For Joomla, in my opinion, you must have 644 for files, 755 for folders (must be writable) and 444 for configuration.php (not writable).
chat room spontes : http://www.spontes.com

tmorton
Joomla! Apprentice
Posts: 12
Joined: Mon Jan 18, 2016 5:41 am

Re: How to configure PHP/Apache to make files writeable?

Post by tmorton » Mon Feb 08, 2016 6:49 pm

suPHP allows all the PHP scripts to run under the identity of the user who owns them - rather than having all PHP scripts upon the system run as the same user (ie, nobody or www-data).

This limits the damage to just the one website, which is a good thing. But once again, my concern is if we allow the PHP user to have write access to the whole website (except for configuration.php), then hackers are free to do things like insert code into various index.php files. (My first experience with Joomla was finding that all the index.php files in the templates directory were hacked.)

Obviously, the situation I walked into was a failure on several levels; but on starting over, I'm just having a hard time accepting that letting PHP have free rein to write anywhere on the site is anything but a bad idea. But I'm having an even harder time figuring out the best strategy for denying write access where it isn't needed nor desired, but at the same time granting write access where it is truly needed (because I don't know if the dozen places on the FPA are the only ones.)

644/755 mantra does not address this issue. Quite frankly, I think 444 except on files that need to be written to makes a whole lot more sense, but that leaves me with the dilemma of which files/directories need to be writeable. Plus the irritation of having to redo the permissions if the owner wants to make changes...

OTOH, if I make the PHP user a group member, then 644/755 is read only throughout, and I will need to 664 files in directories that need write access, whichever they are. But then I've just destroyed what suPHP et al have bought me, haven't I?

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: How to configure PHP/Apache to make files writeable?

Post by Bernard T » Mon Feb 08, 2016 7:12 pm

Hi Tmorton,

"Security concerns" vs. "ease of use" are in a never-ending battle. The latter one wins most of the time.
Let me address some of your concerns and give you a wider perspective.

First of all, PHP has much more versatile ways to be implemented than any other web-enabled interpreter langs (Perl, Python, Ruby ...). But they all share exactly the same "a secure vs. an easy way of managing files" problems, so the general issue here is not a PHP specific one.
tmorton wrote:The real question is what user is PHP running as? Is it running as the owner? Or is it in the group? Or, heaven forbid, requires 777?
tmorton wrote:[I'm currently testing Apache 2 ITK MPM. It looks wonderful, but I still don't like the idea of php being able to write to the entire website]

It depends on the method by which the PHP interpreter is implemented.

Some years ago it was very common for hosting providers to have PHP implemented as an Apache module called "mod_php". Since the module is loaded into an Apache process itself, it is an integral part of it, and therefore, any files created by PHP are actually owned by the system user that Apache runs under. Most often the vanilla Apache package installation runs child processes as user "nobody", or "www-data" user on Debian based systems, "apache" or "www" user on RH based systems. It really depends on the OS and control panel used. You can search this forum or the web about the "apache user nobody" problem.
The "nobody" user is the worst situation and shouldn't be used at all since "nobody", although being the "least rights" system user, is historically linked to "root" (hint: NFS).

All the recommendations for setting folders to "777" stem exactly from this setup. Since the FTP process uses (just like it should) a different system user for each client/domain, the folders and files uploaded via FTP are owned by a separate system user. But, if you want to upload, update, change or delete files using a PHP script (remember, PHP/Apache runs as "nobody") - you can't do it unless the proper folder has "777" or "666" for a file...

This setup also opens a security problem - since the Apache child processes run all the websites on the server, all files are owned by the same system user assigned to Apache. Therefore, any PHP code on any website can read/write into any other domain's folders. In other words - one website hacked, all other websites can get infected instantly.

You can recognize the "mod_php" setup in phpinfo() output as "Server API" with value "Apache" or "Apache2Handler".

The alternative way to run PHP is as spawned standalone CGI processes. This also enables setting the correct system user/group for each PHP process separately and avoids the above-mentioned problem. Check SuExec, PHPSuExec and SuPhp for more details. All of them are essentially "setuid" implementations. Some details here: https://docs.joomla.org/Using_phpSuExec

You can recognize the CGI variants setup in phpinfo() output as "Server API" with value "cgi", "fastcgi", "fcgid" and similar.

"mpm-itk" is another try to fix the "mod_php" ownership issue, as is the "mod_ruid2" or "mod_suid2".

The newer and my favorite way to run PHP is under FastCGI Process Manager (aka FPM or PHP-FPM). It's as fast as mod_php, but secure, stable and high-traffic resilient, with many fine-tuning options ...
http://php.net/manual/en/install.fpm.php

tmorton wrote:What makes me paranoid is that if PHP has sufficient permissions to write in logs/ or tmp/ etc, then it has enough permissions to write -anywhere- in the website hierarchy. Or, worse yet, the ability to write in some other website.
tmorton wrote:I thought standard practice was to have all writeable files outside the document root, so that a hacker could only muck up the writeable area, but not the website itself (well, not as easily).
If you only change the file permissions to 644/755, 444/555, or even 600/700 (if possible), you just prevent the directory traversal attacks. But if the ownership of the files/folders is still by "PHP user", any (malicious) process can change those permissions back anytime it pleases, etc etc ...

If you can live without the file uploads via Joomla core or extensions and move tmp/ and logs/ folders outside the webroot folder, you can change the permissions and ownership of the Joomla files so that PHP cannot change the files or folders in the webroot at all. That would prevent file injection into the webroot, but still, the injection is possible in the tmp/ and logs/ folders, even when they're outside of the webroot. Now the attacker needs another vulnerability type to misuse those files too, but it's still possible. So, by those changes you gained a better level of security, but still, as long as PHP can write anywhere, there can be a file injection.

If you would turn off any writing of temporary files and logs you could have a Joomla installation without any rights to write a file - your installation would be safe from any file injections. But there are other attack types which can do damage ...
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
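
An added example, not part of the original posts: a small audit of a site tree from the point of view of the user PHP runs as, separating paths the mode bits make writable from paths that are read-only by mode but owned by the PHP user, who can change the permissions back. The function names and the sample tree are constructed for illustration; ACLs, SELinux and a PHP process running as root are not considered.

```python
import os
import stat
import tempfile

def php_write_risk(st, php_uid, php_gids):
    """Classify one stat result as seen by the user PHP runs as."""
    if st.st_uid == php_uid:
        # Only the owner bits apply, and the owner can always chmod them back.
        return "writable" if st.st_mode & stat.S_IWUSR else "owner-can-chmod"
    if st.st_gid in php_gids:
        return "writable" if st.st_mode & stat.S_IWGRP else "read-only"
    return "writable" if st.st_mode & stat.S_IWOTH else "read-only"

def audit(root, php_uid, php_gids):
    """Map every path under root (relative to root) to its risk class.
    A writable directory means PHP can create, rename or delete entries in it."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in [""] + filenames:          # "" stands for the directory itself
            path = os.path.join(dirpath, name) if name else dirpath
            rel = os.path.relpath(path, root)
            report[rel] = php_write_risk(os.lstat(path), php_uid, php_gids)
    return report

def build_sample_site():
    """Constructed sample tree for the demo, not a real Joomla install."""
    root = tempfile.mkdtemp(prefix="site-")
    layout = {"index.php": 0o644, "configuration.php": 0o444,
              "tmp/upload.tmp": 0o666, "templates/index.php": 0o644}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "tmp"), 0o777)
    os.chmod(os.path.join(root, "templates"), 0o755)
    os.chmod(root, 0o755)
    return root

if __name__ == "__main__":
    site = build_sample_site()
    me = os.getuid()
    # Same tree, two setups: PHP as the file owner vs. PHP as a separate user.
    for label, uid in (("PHP runs as file owner", me),
                       ("PHP runs as a separate user", me + 1)):
        print(label)
        for rel, risk in sorted(audit(site, uid, set()).items()):
            print(f"  {risk:16} {rel}")
```

With PHP as the file owner, 644/755 leaves the whole tree writable and the 444 configuration.php is only a chmod away; with a separate user, only the paths deliberately opened up (here tmp/) remain writable.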

tmorton
Joomla! Apprentice
Posts: 12
Joined: Mon Jan 18, 2016 5:41 am

Re: How to configure PHP/Apache to make files writeable?

Post by tmorton » Mon Feb 08, 2016 7:30 pm

Bingo, that's the discussion I was looking for :) Thanks for the good information, I'll digest this for a while.

rishard
Joomla! Intern
Posts: 77
Joined: Thu Apr 07, 2011 11:42 pm
Location: St.Petersburg, Russia

Re: How to configure PHP/Apache to make files writeable?

Post by rishard » Wed Feb 10, 2016 10:33 am

Try it (CentOS, RHEL):

$ sudo chown -R apache:apache /public_html   # Make apache the owner and group of all files
$ sudo chcon -R -t httpd_sys_rw_content_t /public_html   # SELinux context: httpd may read and write this content
$ sudo find /public_html -type d -exec chmod 0755 {} \;   # Permissions for directories
$ sudo find /public_html -type f -exec chmod 0644 {} \;   # Permissions for files

