[UPDATED]
Joomla 1.5 is acting flaky on one of our installations because the directories are set to ‘unwriteable’. To see their current state, log in as Super Administrator and go to Help > System Info > Directory Permissions.
To fix this problem, first make sure the FTP access is working. Try re-entering the FTP user name and password at Site > Global Configuration > Server.
If this doesn't fix the problem, you must make some additional changes. Elsewhere, it's been suggested that the specified directories must be set to “world-writeable” (777). This works, but it is a very bad idea, since it means anyone can change your files! Not cool.
Fixing Security with User and Group Settings
To perform these changes, you need shell (command line) access to your server. If you don't have it, you can beg your host to make these changes for you, or switch to a Joomla-friendly host. I'm going to assume that you are using a LAMP (Linux/Apache/MySQL/PHP) server because if you're not, then ... well, these instructions should work in principle, but the specifics for your server may be quite different.
Here's the issue: you, the FTP user, need full access to your files. So does Joomla, which accesses your files through the web server. Now, most web server configurations don't assign the web server to the group that's automatically assigned to your FTP files. If the web server isn't in the group that has write access to your files, then you have to give everyone write access to your files -- that's not good.
So, we are going to add the web server to the group that is automatically assigned to files that you, as an FTP user, create or modify. These instructions refer to a web server running Plesk, because that's what we use, so the specifics of your LAMP server may be different -- mostly the path names will be different, although this is true between different versions of Plesk, too. So, check your paths and make sure you understand what you are doing.
Here's how to do it:
- Set up the FTP server so the default file permissions are 770, using the umask setting
- Add the web server, apache, to the default group assigned to your files
- Change the permissions of the existing files.
On our servers, we change the umask in ‘/etc/proftpd.conf’ to ‘007’ in order to set the default file permissions for files created in FTP to 770. For details, you can Google umask.
Logged in as root, enter this command to edit the FTP server configuration file:
nano /etc/proftpd.conf
Make the required change and then save the file. Hint: make a backup first!
Add the Web Server to the Default FTP Group
This is really the critical step, which allows Joomla access to your files via the permissions that are granted to the web server (in this case, Apache). To proceed, you need to know:
- Which user account is assigned to the web server?
- Which group account does Plesk use to manage your site?
To determine the user account for the web server, enter this command at the bash prompt:
ps aux | grep httpd
To determine the default group Plesk assigns to files, log in via ssh or FTP to view your Joomla files and check the group name (I use "ls -lha" at the command line).
On our Plesk servers, the web server is "apache" and the default group is "psacln". So, we need to add the ‘apache’ user to the ‘psacln’ group. Once again, logged in as root, enter this command:
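usermod -a -G psacln apache
The -a flag appends the group; without it, -G replaces the user's existing supplementary groups with the list given.
You should also use the same command to add the psaftp and psaadm users to the psacln group. You can also edit the /etc/group file directly to the same effect.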
Change the permissions of the existing files
Now, we just need to ensure that all of the existing files are set up correctly. Here's how we do it:
cd /var/www/vhosts/[domain.com]
chown -R [username]:psacln httpdocs
chmod 770 httpdocs
find httpdocs -type d -exec chmod 770 {} \;
find httpdocs -type d -exec chmod g+s {} \;
find httpdocs -type f -exec chmod 640 {} \;
The find command is extra sweet: it finds all the directories or files in the "httpdocs" directory, and then runs the required "chmod" command on each one. The chmod command "g+s" sets the "set group ID" (setgid) bit on all the directories so that, for FTP uploads, all new files will be owned by the group of the parent directory instead of the current shell.
When you are done updating the permissions, you should probably restart Apache to ensure it re-reads the updated file permissions. From the command line:
apachectl -k graceful
Testing
You can see if your permissions are set correctly using several tests:
- On the UNIX command line, via ssh: cd to the directory that contains your Joomla installation, and then enter: ls -lha to check the current permissions for all of the files. If you've followed the steps above, the file permissions should appear like this: -rwxrwx---
- Use your favorite FTP program to log onto the site, and then check file permissions. Both the user and the group should have full permissions, and everyone should have no permissions.
- Log into the Joomla 1.5 administrator interface, and select Help > System Info > Directory Permissions -- everything should appear as "writeable."
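The command-line check above can be scripted so that it reports only the entries that break the scheme. This audit is an added example, not part of the original post: the function names and the sample tree are constructed for illustration, and the expected group is passed as an argument (it would be psacln on the Plesk servers described here).

```bash
#!/bin/bash
# Added example (not from the original post): audit a docroot against the
# 770-directories / 640-files / setgid / shared-group scheme described above.

# Print one finding per line as "<ISSUE> <path>". $1 = docroot, $2 = expected group.
audit_docroot() {
    local root=$1 group=$2
    # World-writable entries: the "777" situation the article warns against.
    find "$root" ! -type l -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'
    # Readable or executable by "other" (but not writable): scheme not applied.
    find "$root" ! -type l ! -perm -0002 \( -perm -0004 -o -perm -0001 \) -print |
        sed 's/^/WORLD-ACCESS /'
    # Directories without setgid: FTP uploads will not inherit the shared group.
    find "$root" -type d ! -perm -2000 -print | sed 's/^/NO-SETGID /'
    # Entries outside the shared group: the web server gets no group access.
    find "$root" ! -type l ! -group "$group" -print | sed 's/^/WRONG-GROUP /'
}

# Count findings of one kind. $3 = issue label.
count_findings() {
    audit_docroot "$1" "$2" | grep -c "^$3 " || true
}

# Constructed sample tree with deliberate mistakes; prints its path.
build_sample_tree() {
    local t
    t=$(mktemp -d) || return 1
    mkdir -p "$t/httpdocs/images" "$t/httpdocs/cache"
    : > "$t/httpdocs/index.php"
    : > "$t/httpdocs/configuration.php"
    : > "$t/httpdocs/images/logo.png"
    chgrp -R "$(id -g)" "$t/httpdocs"
    chmod 2770 "$t/httpdocs" "$t/httpdocs/images"
    chmod 0777 "$t/httpdocs/cache"; chmod g-s "$t/httpdocs/cache"
    chmod 640 "$t/httpdocs/index.php"
    chmod 644 "$t/httpdocs/configuration.php"   # readable by everyone
    chmod 666 "$t/httpdocs/images/logo.png"     # writable by everyone
    echo "$t/httpdocs"
}

# Demo on the constructed tree, using the current user's group as the expected group.
demo_root=$(build_sample_tree)
audit_docroot "$demo_root" "$(id -g)"
rm -rf "${demo_root%/httpdocs}"
```

On a real site, call audit_docroot with the httpdocs path and the shared group name; no output means every entry matches the scheme.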
Joomla Component Installations and File Uploads
Sadly, all of the work above still does not lead to a fully workable Joomla installation! In addition, I had to install the PHP mod_suphp module on the server. As root:
yum install mod_suphp
I then configured this module according to the suggestions in HOW-TO Setup a PLESK Dedicated Server.
Note that turning Safe Mode on or off does not have any effect on Joomla 1.5 security, unlike version 1.0, where the file permission issue was fixed by turning Safe Mode off. Now, in Joomla 1.5, file access is controlled entirely by FTP and file permission settings on the web server.