Recommended file/directory permissions

Discussion regarding Joomla! 3.x security issues.

ggossamer
Joomla! Intern
Posts: 60
Joined: Wed Sep 29, 2010 4:50 pm

Recommended file/directory permissions

Postby ggossamer » Tue Sep 06, 2016 8:28 pm

Hi,
Does there exist a document that specifies the recommended file/directory permissions for a joomla-3.5 install on fedora23 with apache?

I've done quite a bit by trial and error (make minimal change, see if it works, etc), but someone must have gone through this before. I'm surprised there isn't something included with the installation process for this.

The problem I'm having is that we have the joomla user which is different than the user apache is running as, and occasionally they both need to write to the same file (uploading modules, etc).

Do you have any sgid directories to enable both users to write to the same directories?

I'm very familiar with how chmod/chgrp/chown and suid/sgid work; what I don't know is which specific directories are recommended to be set with permissions more relaxed than just read ability.

mjparadac
Joomla! Ace
Posts: 1373
Joined: Mon Oct 29, 2012 3:58 pm

Re: Recommended file/directory permissions

Postby mjparadac » Tue Sep 06, 2016 8:37 pm

Joomla Community Ambassador for A2 Hosting | A2 Hosting - Our speed, your success | https://www.a2hosting.com/joomla-hosting?utm_campaign=grassroots&utm_medium=forum&utm_source=joomla.org

ggossamer
Joomla! Intern
Posts: 60
Joined: Wed Sep 29, 2010 4:50 pm

Re: Recommended file/directory permissions

Postby ggossamer » Tue Sep 06, 2016 8:46 pm



Unfortunately these are very basic explanations and don't really explore what's needed for an active website. There's no way just changing everything to 755 or 644 is sufficient for any real website, let alone one under current development.

Actually, one way this would work (to set everything to 755 or 644) is if you changed the ownership of all files to that of the web server, and also only access it for file uploads as the web server user. That is not a secure way to do it.

leolam
Joomla! Master
Posts: 18179
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Recommended file/directory permissions

Postby leolam » Wed Sep 07, 2016 8:22 am

ggossamer wrote:Unfortunately these are very basic explanations and don't really explore what's needed for an active website. There's no way just changing everything to 755 or 644 is sufficient for any real website, let alone one under current development.

Actually, one way this would work (to set everything to 755 or 644) is if you changed the ownership of all files to that of the web server, and also only access it for file uploads as the web server user. That is not a secure way to do it.
You are wrong here. The files and folders on a cgi (suExec/SuPHP) driven server are 755 for folders and 644 for files, with extra security on configuration.php = 640.

This is how all Joomla sites must operate to be secure. Any other settings are incorrect and dangerous, or make Joomla not work. If your server is properly set up (in a cgi-environment), files that get permissions like '777' for instance will throw an internal (500) error.

So yes, the advised permissions in the links shown are correct, and all Joomla sites throughout the world on all major hosting platforms run with these permissions. Simply stated... you cannot have other permissions.

Leo 8)
Celebrating 12-Years of Professional Joomla Support Services
- Joomla Professional Support:https://gws-desk.com -
- Joomla Specialized Hosting Solutions:https://gws-host.com -
- Member Joomla Bug Squad & J-CMS Release Team

ggossamer
Joomla! Intern
Posts: 60
Joined: Wed Sep 29, 2010 4:50 pm

Re: Recommended file/directory permissions

Postby ggossamer » Thu Sep 08, 2016 3:52 pm

leolam wrote:
ggossamer wrote:Unfortunately these are very basic explanations and don't really explore what's needed for an active website. There's no way just changing everything to 755 or 644 is sufficient for any real website, let alone one under current development.

Actually, one way this would work (to set everything to 755 or 644) is if you changed the ownership of all files to that of the web server, and also only access it for file uploads as the web server user. That is not a secure way to do it.
You are wrong here. The files and folders on a cgi (suExec/SuPHP) driven server are 755 for folders and 644 for files, with extra security on configuration.php = 640.

This is how all Joomla sites must operate to be secure. Any other settings are incorrect and dangerous, or make Joomla not work. If your server is properly set up (in a cgi-environment), files that get permissions like '777' for instance will throw an internal (500) error.

So yes, the advised permissions in the links shown are correct, and all Joomla sites throughout the world on all major hosting platforms run with these permissions. Simply stated... you cannot have other permissions.

Leo 8)


Leo, it appears my comments weren't clear. What I meant by "not a secure way" was regarding ownership, not permissions. As I wrote, permissions should indeed be 755 or 640, depending on the file.

My situation is that the apache user is 'apache' while the developers are using the 'joomadmin' account to upload/manage files in the joomla document root. The files were all changed to be owned by 'joomadmin' when the installation was set up, with the 'apache' users in the same group as 'joomadmin'.

This creates a problem when the joomla administrator uses the front-end to install modules or otherwise make modifications. Files then become owned by the 'apache' user, making it impossible for 'joomadmin' to then edit or change the same file.

The part that I said was insecure was having files writable by the 'apache' user in case the system was ever compromised.

I've decided to use sgid permissions on the entire joomla directory tree to set files readable and writable by both the apache user and the joomadmin user as a short-term solution, and still look forward to other people's comments on a more succinct and secure way to do it.

leolam
Joomla! Master
Posts: 18179
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Recommended file/directory permissions

Postby leolam » Thu Sep 08, 2016 3:58 pm

ggossamer wrote:My situation is that the apache user is 'apache' while the developers are using the 'joomadmin' account to upload/manage files in the joomla document root. The files were all changed to be owned by 'joomadmin' when the installation was set up, with the 'apache' users in the same group as 'joomadmin'.

This creates a problem when the joomla administrator uses in the front-end to install modules or otherwise make modifications. Files then become owned by the 'apache' user, making it not possible for the 'joomadmin' to then edit or change the same file.
Yep, and that is caused because the server is set up with (inferior and outdated) Apache2 as handler and not with cgi/fcgi or SuPHP, which are superior in speed and security, and you do not have these permission issues since owners are all "user" per definition and not "nobody" (apache) as in the case you describe. It is advised to recompile that box if possible, as mentioned. Takes away all these headaches.

Leo 8)

ggossamer
Joomla! Intern
Posts: 60
Joined: Wed Sep 29, 2010 4:50 pm

Re: Recommended file/directory permissions

Postby ggossamer » Thu Sep 08, 2016 4:03 pm

leolam wrote:
ggossamer wrote:My situation is that the apache user is 'apache' while the developers are using the 'joomadmin' account to upload/manage files in the joomla document root. The files were all changed to be owned by 'joomadmin' when the installation was set up, with the 'apache' users in the same group as 'joomadmin'.

This creates a problem when the joomla administrator uses in the front-end to install modules or otherwise make modifications. Files then become owned by the 'apache' user, making it not possible for the 'joomadmin' to then edit or change the same file.
Yep, and that is caused because the server is set up with (inferior and outdated) Apache2 as handler and not with cgi/fcgi or SuPHP, which are superior in speed and security, and you do not have these permission issues since owners are all "user" per definition and not "nobody" (apache) as in the case you describe. It is advised to recompile that box if possible, as mentioned. Takes away all these headaches.

Leo 8)


Recompile? It looks to be just the use of mod_suphp. Do you have any experience using it? What's involved in configuring the system to use it?

leolam
Joomla! Master
Posts: 18179
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Recommended file/directory permissions

Postby leolam » Thu Sep 08, 2016 5:04 pm

Just set the Apache Handler to be "fcgi" (as secure as suPHP but 2 x faster) and make sure "Apache suEXEC" is set "on".

All our servers in our hosting operations run as such (@mods: in answer to your question about my experience) see: https://gws-host.com/systems-technology

Can you please post the output of viewtopic.php?f=621&t=582860 so I can advise you properly whether you need to recompile or not and if so imho why?

Leo 8)

ggossamer
Joomla! Intern
Posts: 60
Joined: Wed Sep 29, 2010 4:50 pm

Re: Recommended file/directory permissions

Postby ggossamer » Thu Sep 08, 2016 5:27 pm

Thanks very much for your offer to assist. Ideas for setting up mod_fcgid would also be appreciated.

Forum Post Assistant (v1.2.7) : 8th September 2016 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.5.1-Stable (Unicorn) 05-April-2016
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Writable (660) | Owner: apache (uid: 1/gid: 1) | Group: apache (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: maximum | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 4.5.7-200.fc23.x86_64 | Technology: x86_64 | Web Server: Apache/2.4.18 (Fedora) OpenSSL/1.0.2h-fips mod_fcgid/2.3.9 PHP/5.6.22 mod_perl/2.0.9 Perl/v5.22.2 | Encoding: gzip, deflate, br | Doc Root: /var/www/linstage.guardiandigital.com-443/html-joomla-3.5.1 | System TMP Writable: Yes

PHP Configuration :: Version: 5.6.22 | PHP API: apache2handler | Session Path Writable: Yes | Display Errors: | Error Reporting: 22519 | Log Errors To: /var/log/php-scripts.log | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.5-10.0.23-MariaDB (Client:mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 401.01 MiB | #of Tables: 158
Detailed Environment :: wrote:PHP Extensions :: Core (5.6.22) | date (5.6.22) | ereg () | libxml () | openssl () | pcre () | zlib (2.0) | filter (0.11.0) | hash (1.0) | Reflection ($Id: fbcf7a77ca8e3d4cd7501de8025235b947b8240f $) | SPL (0.2) | session () | standard (5.6.22) | apache2handler () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | exif (1.4 $Id: db007ca2e6d0b4513ae77990972997fad8bfe9c9 $) | fileinfo (1.0.5) | ftp () | gettext () | iconv () | mysqlnd (mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | PDO (1.0.4dev) | Phar (2.0.2) | posix () | shmop () | SimpleXML (0.1) | sockets () | sqlite3 (0.7-dev) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | xml () | xmlwriter (0.1) | xsl (0.1) | mysql (1.0) | mysqli (0.1) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | wddx () | xmlreader (0.1) | json (1.3.10) | zip (1.13.2) | mhash () | Zend Engine (2.6.0) |
Potential Missing Extensions :: mbstring | mcrypt | suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe

Apache Modules :: core | mod_so | http_core | mod_access_compat | mod_actions | mod_alias | mod_allowmethods | mod_auth_basic | mod_auth_digest | mod_authn_anon | mod_authn_core | mod_authn_dbd | mod_authn_dbm | mod_authn_file | mod_authn_socache | mod_authz_core | mod_authz_dbd | mod_authz_dbm | mod_authz_groupfile | mod_authz_host | mod_authz_owner | mod_authz_user | mod_autoindex | mod_cache | mod_cache_disk | mod_cache_socache | mod_data | mod_dbd | mod_deflate | mod_dir | mod_dumpio | mod_echo | mod_env | mod_expires | mod_ext_filter | mod_filter | mod_headers | mod_http2 | mod_include | mod_info | mod_log_config | mod_logio | mod_macro | mod_mime_magic | mod_mime | mod_negotiation | mod_remoteip | mod_reqtimeout | mod_request | mod_rewrite | mod_setenvif | mod_slotmem_plain | mod_slotmem_shm | mod_socache_dbm | mod_socache_memcache | mod_socache_shmcb | mod_status | mod_substitute | mod_suexec | mod_unique_id | mod_unixd | mod_userdir | mod_version | mod_vhost_alias | mod_dav | mod_dav_fs | mod_dav_lock | mod_lua | prefork | mod_proxy | mod_lbmethod_bybusyness | mod_lbmethod_byrequests | mod_lbmethod_bytraffic | mod_lbmethod_heartbeat | mod_proxy_ajp | mod_proxy_balancer | mod_proxy_connect | mod_proxy_express | mod_proxy_fcgi | mod_proxy_fdpass | mod_proxy_ftp | mod_proxy_http | mod_proxy_scgi | mod_proxy_wstunnel | mod_ssl | mod_systemd | mod_cgi | mod_perl | mod_fcgid | mod_php5 | Apache/2.4.18 (Fedora) OpenSSL/1.0.2h-fips mod_fcgid/2.3.9 PHP/5.6.22 mod_perl/2.0.9 Perl/v5.22.2 |
Potential Missing Modules :: mod_security | mod_evasive | mod_dosevasive | mod_qos | mod_userdir |
Folder Permissions :: wrote:Core Folders :: images/ (770) | components/ (770) | modules/ (770) | plugins/ (770) | language/ (770) | templates/ (770) | cache/ (770) | logs/ (770) | tmp/ (770) | administrator/components/ (770) | administrator/modules/ (770) | administrator/language/ (770) | administrator/templates/ (770) |

Elevated Permissions (First 10) :: templates/ (770) | templates/atomic/ (770) | templates/atomic/css/ (770) | templates/atomic/css/blueprint/ (770) | templates/atomic/css/blueprint/plugins/ (770) | templates/atomic/css/blueprint/src/ (770) | templates/atomic/images/ (770) | templates/atomic/js/ (770) | templates/atomic/language/ (770) | templates/atomic/language/en-GB/ (770) |
Extensions Discovered :: wrote:Components :: SITE :: Poll (1.0.0) | com_mailto (3.0.0) | com_wrapper (3.0.0) |
Components :: ADMIN :: com_newsfeeds (3.0.0) | com_joomlaupdate (3.0.0) | COM_SEXYPOLLING (2.1.1) | com_ajax (3.2.0) | com_content (3.0.0) | com_banners (3.0.0) | com_installer (3.0.0) | com_finder (3.0.0) | com_admin (3.0.0) | com_media (3.0.0) | com_messages (3.0.0) | com_plugins (3.0.0) | com_dictionary (1.00) | com_cache (3.0.0) | com_redirect (3.0.0) | com_checkin (3.0.0) | com_templates (3.0.0) | com_categories (3.0.0) | com_users (3.0.0) | com_login (3.0.0) | JComments (3.0.5) | com_postinstall (3.2.0) | AcePolls (1.0.9) | com_weblinks (2.5.0) | com_modules (3.0.0) | com_cpanel (3.0.0) | com_menus (3.0.0) | com_search (3.0.0) | com_config (3.0.0) | com_languages (3.0.0) | com_tags (3.1.0) | AcyMailing (5.1.0) | AcyMailing Tag : Manage the Su (5.1.0) | AcyMailing Tag : Subscriber in (5.1.0) | AcyMailing Tag : CB User infor (3.7.1) | AcyMailing Tag : Website links (3.7.0) | AcyMailing Tag : Date / Time (5.1.0) | AcyMailing Tag : Joomla User I (5.1.0) | AcyMailing Template Class Repl (5.1.0) | AcyMailing Module (3.7.0) | AcyMailing Editor (5.1.0) | AcyMailing : trigger Joomla Co (3.7.0) | AcyMailing Manage text (1.0.0) | AcyMailing : share on social n (1.0.0) | AcyMailing table of contents g (1.0.0) | AcyMailing Tag : content inser (3.7.0) | AcyMailing : (auto)Subscribe d (5.1.0) | AcyMailing : Statistics Plugin (3.7.0) | SP Polls (1.1) | com_contenthistory (3.2.0) |

Modules :: SITE :: SP Poll (1.1) | mod_related_items (3.0.0) | mod_feed (3.0.0) | mod_articles_categories (3.0.0) | mod_finder (3.0.0) | Hello, World! (1.0.0) | mod_articles_archive (3.0.0) | mod_menu (3.0.0) | Poll (1.0.0) | mod_banners (3.0.0) | Yesterday News! (1.0.0) | mod_tags_popular (3.1.0) | mod_stats (3.0.0) | mod_custom (3.0.0) | Latest Newsletter (1.0.0) | mod_articles_category (3.0.0) | mod_wrapper (3.0.0) | mod_random_image (3.0.0) | AcyMailing Module (3.7.0) | mod_articles_news (3.0.0) | Newsletter Subscriber (1.4) | Front Page Howto's Article (1.0.0) | mod_articles_popular (3.0.0) | EVO frontpage (5.0) | mod_login (3.0.0) | mod_search (3.0.0) | mod_weblinks (2.5.0) | mod_syndicate (3.0.0) | Security Center (2.5.0) | Front Page Feature Article (1.0.0) | mod_languages (3.0.0) | mod_articles_latest (3.0.0) | mod_tags_similar (3.1.0) | mod_footer (3.0.0) | Advisories (1.0.0) | mod_whosonline (3.0.0) | mod_users_latest (3.0.0) | mod_breadcrumbs (3.0.0) | Featured Blog (1.0.0) | Front Page Article (1.0.0) |
Modules :: ADMIN :: mod_latest (3.0.0) | mod_logged (3.0.0) | mod_feed (3.0.0) | mod_status (3.0.0) | mod_menu (3.0.0) | mod_version (3.0.0) | mod_stats_admin (3.0.0) | mod_custom (3.0.0) | mod_title (3.0.0) | mod_submenu (3.0.0) | mod_login (3.0.0) | mod_popular (3.0.0) | mod_multilangstatus (3.0.0) | mod_quickicon (3.0.0) | mod_toolbar (3.0.0) |

Plugins :: SITE :: plg_finder_contacts (3.0.0) | plg_finder_tags (3.0.0) | plg_finder_categories (3.0.0) | plg_finder_weblinks (2.5.0) | plg_finder_newsfeeds (3.0.0) | plg_finder_content (3.0.0) | plg_user_joomla (3.0.0) | plg_user_jcomments (1.0) | plg_user_contactcreator (3.0.0) | plg_user_profile (3.0.0) | plg_editors_codemirror (5.12) | AcyMailing Editor (5.1.0) | plg_editors_tinymce (4.3.3) | plg_quickicon_jcomments (1.0) | plg_quickicon_joomlaupdate (3.0.0) | plg_quickicon_extensionupdate (3.0.0) | plg_system_stats (3.5.0) | plg_system_languagefilter (3.0.0) | plg_system_sef (3.0.0) | plg_system_debug (3.0.0) | plg_system_logout (3.0.0) | plg_system_cache (3.0.0) | System - jUpgrade (3.0) | System - osolCaptcha (3) | plg_system_log (3.0.0) | plg_system_remember (3.0.0) | plg_system_jcomments (1.0) | AcyMailing : (auto)Subscribe d (5.1.0) | plg_system_languagecode (3.0.0) | plg_system_p3p (3.0.0) | PLG_SEXYPOLLING_NAME (2.1.1) | plg_system_highlight (3.0.0) | plg_system_redirect (3.0.0) | plg_system_updatenotification (3.5.0) | AcyMailing table of contents g (1.0.0) | AcyMailing Tag : CB User infor (3.7.1) | AcyMailing : Statistics Plugin (3.7.0) | AcyMailing Manage text (1.0.0) | AcyMailing Tag : content inser (3.7.0) | AcyMailing Tag : Joomla User I (5.1.0) | AcyMailing : trigger Joomla Co (3.7.0) | AcyMailing Template Class Repl (5.1.0) | AcyMailing Tag : Website links (3.7.0) | AcyMailing Tag : Manage the Su (5.1.0) | AcyMailing : share on social n (1.0.0) | AcyMailing Tag : Subscriber in (5.1.0) | AcyMailing Tag : Date / Time (5.1.0) | plg_extension_joomla (3.0.0) | plg_twofactorauth_yubikey (3.2.0) | plg_twofactorauth_totp (3.2.0) | AcePolls - JomSocial (1.0.0) | AcePolls - Mighty Touch (1.0.0) | AcePolls - AlphaUserPoints (1.0.0) | Search - AcePolls (1.0.0) | plg_search_jcomments (1.0) | plg_search_contacts (3.0.0) | plg_search_tags (3.0.0) | plg_search_categories (3.0.0) | plg_search_weblinks (2.5.0) | plg_search_newsfeeds (3.0.0) | plg_search_content 
(3.0.0) | plg_authentication_gmail (3.0.0) | plg_authentication_joomla (3.0.0) | plg_authentication_ldap (3.0.0) | plg_authentication_cookie (3.0.0) | plg_editors-xtd_image (3.0.0) | plg_editors-xtd_jcommentson (1.0) | plg_editors-xtd_jcommentsoff (1.0) | plg_editors-xtd_readmore (3.0.0) | plg_editors-xtd_pagebreak (3.0.0) | plg_editors-xtd_article (3.0.0) | plg_editors-xtd_module (3.5.0) | plg_content_loadmodule (3.0.0) | plg_content_finder (3.0.0) | plg_content_joomla (3.0.0) | plg_content_pagenavigation (3.0.0) | plg_content_geshi (2.5.0) | plg_content_emailcloak (3.0.0) | plg_content_vote (3.0.0) | plg_content_jcomments (1.0) | Content - Load AcePolls (1.0.0) | plg_content_pagebreak (3.0.0) | plg_captcha_recaptcha (3.4.0) |
Templates Discovered :: wrote:Templates :: SITE :: atomic (2.5.0) | protostar (1.0) | beez3 (3.1.0) | beez_20 (2.5.0) | beez5 (2.5.0) |
Templates :: ADMIN :: isis (1.0) | hathor (3.0.0) | bluestork (2.5.0) |

leolam
Joomla! Master
Posts: 18179
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Recommended file/directory permissions

Postby leolam » Thu Sep 08, 2016 6:07 pm

Ok so now again... your file and folder permissions are wrong.

If you want to set different permissions for files and directories you use:
find -type d -exec chmod 755 {} \;
find -type f -exec chmod 644 {} \;
This sets recursively the folder permissions to 755 (770 is wrong!) and files to "644"

You need to recompile and compile with:
* mbstring (needed for Joomla)
* mcrypt (needed for Joomla password mechanism)
* mod_security (this is a must for security) and install Modsecurity Control https://www.configserver.com/cp/cmc.html
* Suhosin (hardened PHP)
* SuPHP

+ Set maximum execution time = 90
+ Set Max. Upload Size = 20 MB/50MB/100MB, whatever you want, but 2 MB is too small and will cause larger extension installations to fail (same for max. post size: value too small)

--> Update all extensions... Many are outdated

For the rest I have more, but that is beyond the scope of a forum post. We provide 'cPanel Server Secure & Tuning', which you can purchase from our website if you want 1:1 assistance on the box.

Hope this helps

Leo 8)
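As an added illustration of the 755/644/640 baseline leolam gives above (my example, not code from the thread), here is a POSIX shell script that builds a throwaway Joomla-like tree with wrong modes, reports every deviation, then applies the baseline. The function names and the demo tree are assumptions; it needs only find, chmod and sed.

```shell
#!/bin/sh
# Added example: audit a Joomla document root against the baseline from the
# post above (directories 755, files 644, configuration.php 640) and apply it.
# Function names and the demo tree are made up for this illustration.

# Print one line per path that deviates from the baseline.
# find's "-perm MODE" is an exact match, so a setgid directory (2775) or a
# world-writable file (666) is reported just like a plain 777.
joomla_perm_audit() {
    root=$1
    find "$root" -type d ! -perm 755 | sed 's/^/dir not 755:  /'
    find "$root" -type f ! -name configuration.php ! -perm 644 \
        | sed 's/^/file not 644: /'
    find "$root" -type f -name configuration.php ! -perm 640 \
        | sed 's/^/configuration.php not 640: /'
}

# Number of deviations (0 means the tree matches the baseline).
joomla_perm_count() {
    echo $(( $(joomla_perm_audit "$1" | wc -l) ))
}

# Apply the baseline: the two find/chmod lines from the post plus the
# configuration.php exception. GNU chmod keeps an existing setgid bit on a
# directory when given a numeric mode, so it is cleared explicitly.
joomla_perm_apply() {
    root=$1
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type d -perm -2000 -exec chmod g-s {} \;
    find "$root" -type f -exec chmod 644 {} \;
    [ -f "$root/configuration.php" ] && chmod 640 "$root/configuration.php"
    return 0
}

# Constructed demo tree with five deliberate deviations.
make_demo_tree() {
    root=$1
    mkdir -p "$root/administrator" "$root/images" "$root/cache"
    : > "$root/index.php"; : > "$root/htaccess.txt"
    : > "$root/configuration.php"; : > "$root/images/upload.php"
    : > "$root/administrator/index.php"
    chmod 755 "$root" "$root/administrator"
    chmod 644 "$root/index.php" "$root/htaccess.txt"
    chmod 777 "$root/images"                   # world-writable directory
    chmod 2775 "$root/cache"                   # setgid, group-writable
    chmod 666 "$root/images/upload.php"        # world-writable file
    chmod 755 "$root/administrator/index.php"  # executable PHP file
    chmod 644 "$root/configuration.php"        # should be 640
}

# Stand-alone run: audit, fix, audit again.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_demo_tree "$demo"
    echo "before: $(joomla_perm_count "$demo") deviation(s)"
    joomla_perm_audit "$demo"
    joomla_perm_apply "$demo"
    echo "after:  $(joomla_perm_count "$demo") deviation(s)"
    rm -rf "$demo"
fi
```

Run it as `sh perms.sh --demo`; on a real site, point `joomla_perm_audit` at the document root first and read the report before running `joomla_perm_apply`.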

ggossamer
Joomla! Intern
Posts: 60
Joined: Wed Sep 29, 2010 4:50 pm

Re: Recommended file/directory permissions

Postby ggossamer » Thu Sep 08, 2016 6:22 pm

leolam wrote:Ok so now again... your file and folder permissions are wrong.

If you want to set different permissions for files and directories you use:
find -type d -exec chmod 755 {} \;
find -type f -exec chmod 644 {} \;
This sets recursively the folder permissions to 755 (770 is wrong!) and files to "644"


One thing your script apparently does not reveal about the system is that the directories are sgid as the web user and the files are owned by the web user, so 770 is okay.

You need to recompile and compile with:
* mbstring (needed for Joomla)
* mcrypt (needed for Joomla password mechanism)
* mod_security (this is a must for security) and install Modsecurity Control https://www.configserver.com/cp/cmc.html
* Suhosin (hardened PHP)
* SuPHP


The system is running fedora, so it's an easy process to install these packages. I've now installed them without any recompiling or compiling necessary.

--> Update all extensions... Many are outdated


This is a joomla-3.5.1 install. Is there something in the script output that shows which extensions are outdated as part of the default install? The admin interface shows only two extensions that have updates pending. Which others are outdated?

For the rest I have more, but that is beyond the scope of a forum post. We provide 'cPanel Server Secure & Tuning', which you can purchase from our website if you want 1:1 assistance on the box.

Hope this helps

Leo 8)


Thanks for your help.

leolam
Joomla! Master
Posts: 18179
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Recommended file/directory permissions

Postby leolam » Fri Sep 09, 2016 3:51 am

770 is not ok but it is up to you to get whacked which you will since Joomla 3.5.1 is vulnerable and should be the first thing to upgrade to Joomla 3.6.0 followed by an upgrade of the extension 'com_Joomlaupdate' (use discover once on J3.6.0) followed by upgrade from J3.6.0 to J3.6.2.

Besides that you have many extensions that are outdated. Not all extensions use the "update" detection so they won't be listed. You have to manually check versions with the providers of the extensions

Good luck

Leo 8)

MagicJackTing
Joomla! Fledgling
Posts: 1
Joined: Fri Jun 30, 2017 8:48 am

Re: Recommended file/directory permissions

Postby MagicJackTing » Fri Jun 30, 2017 10:16 am

If you're using a Linux box, please just forget the command "chmod"; what it sets is just for a 'logged-in user'.
It's recommended to use 'seLinux' to enhance the web server security of your Joomla site.
Most Linux variants now enable 'seLinux' by default.
With the command "ls -Z" you can see the settings of your Joomla folders; the following is example output:


# ls -Z
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 administrator
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 bin
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 cache
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 cli
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 components
-r--r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 configuration.php
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 htaccess.txt
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 images
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 includes
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 index.php
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 language
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 layouts
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 libraries
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 LICENSE.txt
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 logs
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 media
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 modules
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 plugins
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 README.txt
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 robots.txt
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 robots.txt.dist
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 scripts
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 templates
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 tmp
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 web.config.txt


1. you should change owner:group of every file/folder to apache:apache (with the chown command). The user 'apache' should be a non-login-able user on your box.
2. you should change every file/folder to 'httpd_sys_content_t' with the chcon command:


# chcon -R -t httpd_sys_content_t joomla

3. and there are some other exceptions:


# chcon -Rv -t httpd_cache_t          joomla/administrator/cache
# chcon -Rv -t httpd_cache_t          joomla/cache
# chcon -Rv -t httpd_sys_log_t        joomla/logs
# chcon -Rv -t httpd_sys_rw_content_t joomla/tmp

4. if you are using the extplorer module and want to view files in joomla/logs, use httpd_sys_rw_content_t instead.

The most important:
1. do not just turn off 'seLinux'
2. do not just turn off the httpd_unified flag of 'seLinux'
if you read that on another post.
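To make the SELinux side checkable without a labelled filesystem, here is an added example (mine, not from the post) that parses `ls -Z` output in the five-column format shown above and reports entries whose type does not match the scheme from steps 2 to 4: httpd_cache_t for cache, httpd_sys_rw_content_t for tmp, httpd_sys_log_t (or, per step 4, httpd_sys_rw_content_t) for logs, and httpd_sys_content_t for everything else. The sample listing is constructed and contains two typical mistakes; function names are assumptions.

```shell
#!/bin/sh
# Added example: check a top-level "ls -Z" listing of a Joomla root against
# the label scheme from the post above. Expects the five-column format shown
# there: mode user group context name, where context = user:role:type:level.

# Print one line per entry whose SELinux type does not match expectations.
selinux_label_audit() {
    awk '
    function expected(name) {
        if (name == "cache") return "httpd_cache_t"
        if (name == "tmp")   return "httpd_sys_rw_content_t"
        if (name == "logs")  return "httpd_sys_log_t"
        return "httpd_sys_content_t"
    }
    NF >= 5 && $4 ~ /:/ {
        split($4, ctx, ":")
        type = ctx[3]; name = $5; want = expected(name)
        # Step 4 of the post: logs may instead carry httpd_sys_rw_content_t.
        if (name == "logs" && type == "httpd_sys_rw_content_t") next
        if (type == want) next
        reason = (type ~ /^httpd_/) ? "writable or wrong web label" \
                                    : "not a web label, httpd access likely denied"
        printf "%s: %s, expected %s (%s)\n", name, type, want, reason
    }'
}

# Number of mislabelled entries read from stdin.
selinux_label_count() {
    echo $(( $(selinux_label_audit | wc -l) ))
}

# Constructed listing: "images" was moved in from a developer home directory
# and kept its user_home_t label; "modules" was made writable by a broad chcon.
sample_ls_z() {
    cat <<'EOF'
# ls -Z
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 administrator
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_cache_t:s0 cache
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 components
-rw-r-----. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 configuration.php
drwxr-xr-x. apache apache unconfined_u:object_r:user_home_t:s0 images
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 logs
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 modules
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 tmp
EOF
}

# Stand-alone run over the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    sample_ls_z | selinux_label_audit
    echo "$(sample_ls_z | selinux_label_count) mislabelled entries"
fi
```

On a real host, replace `sample_ls_z` with `ls -Z /path/to/joomla` piped into `selinux_label_audit`.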

