Monday, March 17, 2008

Joomla 1.5 Directory Status: Writeable

Joomla 1.5 is acting flaky on one of our installations because the directories are set to ‘unwriteable’. To see their current state, log in as Super Administrator and go to Help > System Info > Directory Permissions.

To fix this problem, first make sure the FTP access is working. Try re-entering the FTP user name and password at Site > Global Configuration > Server.

If this doesn't fix the problem, you must make some additional changes. Earlier, I suggested that the specified directories must be set to “world-writeable” (777). This works, but is less than ideal, since it means anyone can change your files! Not cool. I've kept my original suggestions (below) but this is "deprecated" for the more sophisticated user and group permissions settings.

Fixing Security with User and Group Settings

To perform these changes, you need shell (command line) access to your server. If you don't have it, you can beg your host to make these changes for you, or switch to a Joomla-friendly host. I'm going to assume that you are using a LAMP (Linux/Apache/MySQL/PHP) server because if you're not, then ... well, these instructions should work in principle, but the specifics for your server may be quite different.


Here's the issue: you, the FTP user, need full access to your files. So does Joomla, which accesses your files through the web server. Now, most web server configurations don't assign the web server to the group that's automatically assigned to your FTP files. If the web server isn't in the group that has write access to your files, then you have to give everyone write access to your files -- that's not good.

So, we are going to add the web server to the group that is automatically assigned to files that you, as an FTP user, create or modify. These instructions refer to a web server running Plesk, because that's what we use, so the specifics of your LAMP server may be different -- mostly the path names will be different, although this is true between different versions of Plesk, too. So, check your paths and make sure you understand what you are doing.

Here's how to do it:
  • Set up the FTP server so the default file permissions are 775, using the umask setting
  • Add the web server, apache, to the default group assigned to your files 
  • Change the permissions of the existing files.
On our servers, we change the umask in /etc/proftpd.conf to 002 in order to set the default file permissions for files created in FTP to 775. For details, you can Google umask.

Logged in as root, enter this command to edit the FTP server configuration file:

nano /etc/proftpd.conf

Make the required change and then save the file. Hint: make a backup first!

Add the Web Server to the Default FTP Group

On our Plesk servers, the web server is "apache" and the default group is "psacln". So, we need to add the ‘apache’ user to the ‘psacln’ group. Once again, logged in as root, enter this command:

usermod -a -G psacln apache   # -a appends; without it, -G replaces every other supplementary group apache is in

Now, we just need to ensure that all of the existing files are set up correctly. Here's how we do it:

cd /var/www/vhosts/[domain.com]                 # the domain's Plesk vhost directory
chown -R [username]:psacln httpdocs             # FTP user owns the files, group is psacln
chmod -R g+w httpdocs                           # the group (which now includes apache) may write
find httpdocs -type d -exec chmod g+s {} \;     # setgid on every directory: new files inherit its group


The last command is extra sweet: it finds all the directories in the "httpdocs" directory and then runs the required "chmod" command on each one. This chmod command sets the "set groupid" (setgid) bit on each directory, so that all new files created inside it will be owned by the group of the parent directory instead of the primary group of the user or process that created them.
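As an added example (not from the original post), here is a shell script that rehearses the whole scheme on a scratch copy of a docroot: it computes what a given umask does to new files (002 gives plain files 664 and directories 775, because creation starts from 666 and 777 respectively), checks whether a user belongs to a group (the way to confirm the usermod step took effect), and applies the g+w plus setgid steps, then shows the resulting permission strings. The httpdocs layout is constructed in a temporary directory; "apache" and "psacln" are the Plesk names the post assumes and do not need to exist to run this.

```bash
#!/bin/sh
# Added example, not from the original post: rehearse the group-permission
# scheme (umask 002, web server user in the FTP group, g+w plus setgid on
# directories) on a scratch docroot before applying it under /var/www/vhosts.
# The httpdocs layout is constructed in a temporary directory; "apache" and
# "psacln" are the Plesk names the post assumes and need not exist to run this.

# Mode a newly created file or directory receives under a given umask.
# Creation starts from 666 (file) or 777 (directory) and the umask bits are
# cleared, so umask 002 gives plain files 664 and directories 775.
mode_under_umask() {
    # $1 = umask in octal (e.g. 002), $2 = "file" or "dir"
    base=0666
    [ "$2" = "dir" ] && base=0777
    printf '%o\n' $(( base & ~0$1 ))
}

# Is user $1 (empty = the current user) a member of group $2?
# Run "user_in_group apache psacln" after the usermod step to confirm it took.
user_in_group() {
    if [ -n "$1" ]; then glist=$(id -nG "$1" 2>/dev/null); else glist=$(id -nG); fi
    printf '%s\n' "$glist" | tr ' ' '\n' | grep -qx "$2"
}

# The post's three commands applied to one docroot: optional chown to the
# FTP user and group, group write on everything, setgid on every directory.
apply_group_write_scheme() {
    # $1 = docroot, $2 = owner (optional), $3 = group (optional)
    if [ -n "$2" ] && [ -n "$3" ]; then
        chown -R "$2:$3" "$1"
    fi
    chmod -R g+w "$1"
    find "$1" -type d -exec chmod g+s {} \;
}

# Permission string as ls prints it, e.g. drwxrwsr-x ("s" = setgid bit set)
perm_string() {
    ls -ld "$1" | cut -c1-10
}

demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/httpdocs/administrator" "$tmp/httpdocs/cache"
    : > "$tmp/httpdocs/configuration.php"
    chmod 755 "$tmp/httpdocs" "$tmp/httpdocs/administrator" "$tmp/httpdocs/cache"
    chmod 644 "$tmp/httpdocs/configuration.php"

    apply_group_write_scheme "$tmp/httpdocs"    # no chown in the scratch run
    echo "umask 002, file: $(mode_under_umask 002 file)"                   # 664
    echo "umask 002, dir:  $(mode_under_umask 002 dir)"                    # 775
    echo "cache dir:   $(perm_string "$tmp/httpdocs/cache")"               # drwxrwsr-x
    echo "config file: $(perm_string "$tmp/httpdocs/configuration.php")"   # -rw-rw-r--
    if user_in_group "" "$(id -gn)"; then
        echo "current user is in its own primary group (user_in_group sanity check)"
    fi
    rm -rf "$tmp"
}

demo
```

Run it as any user; it never touches a real vhost. On the live box the same functions apply unchanged: `apply_group_write_scheme /var/www/vhosts/domain.com/httpdocs ftpuser psacln` followed by `user_in_group apache psacln` tells you whether the web server can actually use the group write bit you just granted.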

Original Instructions: Not Secure!

DO NOT USE THE FOLLOWING INSTRUCTIONS! I've kept them here so you can compare them with the recommended "user & group" approach listed above.  

If all you have is an FTP client that lets you set permissions, log in via FTP and set the permissions for the "unwriteable" directories. If you have bash shell access, you can do it with one magic command.

Log in via ssh and use cd to navigate to the Joomla root installation directory. Then, simply paste this command at the bash prompt:

for i in administrator cache components images language modules plugins tmp templates; do chmod -R 777 "$i"; done

This is a nice example of using a for loop to march through an arbitrary list.

Note that turning Safe Mode on or off does not have any effect on this. Not like version 1.0, where the file permission issue was fixed by turning Safe Mode off. Now, in Joomla 1.5, file access is controlled entirely by FTP and file permission settings on the web server.

Tuesday, March 11, 2008

Configuring Joomla Safe Mode on a Plesk box


At Cadent, we use Parallels Plesk Control Panel Software for Hosting on our servers (we’ve also used the open source Webmin and the commercial CPanel). Plesk has a great user interface, which our clients appreciate.

It also imposes its own way of doing things, which can be a bit of a pain when tracking down subtle issues with server configuration. Because Plesk rewrites many configuration files automatically, it’s really critical to ensure that I make any manual changes to the server configuration in the right place, or Plesk will overwrite my efforts without remorse.

The issue we needed to address was this: we installed Joomla! 1.0 on our development server, and Joomla reported the following configuration problems:
  • Safe mode was on, needs to be off.
  • The session directory was unwriteable.
PHP: Safe Mode is a global setting that allows only a file's owner or group to execute the script or read a file. Clearly, this is a good thing for security reasons, but it is now officially deprecated in PHP 6, since it is not "architecturally" correct. Nevertheless, Joomla 1.0 wants it off. Since the server hosts multiple domains, we don’t want to turn off safe mode for the entire server by changing the settings in /etc/php.ini. Instead, we want to implement it “locally,” as Joomla terms it. In Joomla 1.0, you can compare the local and master settings for PHP on the PHP Info tab, available from the administrator interface via System > System Info.

The session directory issue was also thornier than expected. After logging in as root and changing the permissions for the specified directory, and restarting Apache, Joomla still refused to recognize the changed status of the session directory -- even though I could see Joomla writing session files to the specified directory!

I logged in to the bash shell via ssh to check the directory permissions. A simple bash command lists permissions by file:

# ls -lh /var/www/vhosts/domain.com/httpdocs/
...
drwxr-xr-x  9 ftplogin psacln 4.0K Mar 11 10:42 administrator
drwxrwxrwx  2 ftplogin psacln 4.0K Mar 11 10:42 cache
-rw-r--r--  1 ftplogin psacln 103K Mar 11 10:42 CHANGELOG.php
drwxrwxrwx 18 ftplogin psacln 4.0K Mar 18 02:52 components
...

The user name “ftplogin” is the account that uploads & maintains the file via FTP, and “psacln” is the Plesk group for ... something. Anyway, neither of these are “apache” and that’s the account that needs to execute the PHP scripts for Joomla to run.

At first, I thought there might be some conflict with PHP’s open_basedir (see the PHP: Safe Mode - Manual for details) but after checking to ensure that the session directory was in the open_basedir path, we determined the problem was elsewhere. Since open_basedir is associated with Safe Mode in PHP, it made sense to try to fix the Safe Mode issue first.

At first glance, this seems the perfect opportunity to use .htaccess files, but for some reason, this didn’t work. I turned to the Apache configuration files. The master configuration file, in /etc/httpd/conf/httpd.conf, is certainly not the place to make local settings changes. Plesk stores domain-level Apache configuration settings in

/var/www/vhosts/<domainname>/conf/httpd.include

but this isn’t the place to make changes either, as noted in the file header:

[root@domain.com ~]# cat /var/www/vhosts/domain.com/conf/httpd.include | head -8
# ATTENTION!
# DO NOT MODIFY THIS FILE OR ANY PART OF IT. THIS CAN RESULT IN IMPROPER PLESK
# FUNCTIONING OR FAILURE, CAUSE DAMAGE AND LOSS OF DATA. IF YOU REQUIRE CUSTOM
# MODIFICATIONS TO BE APPLIED TO THE CONFIGURATION, PLEASE, PERFORM THEM IN THE
# FOLLOWING FILE(S):
# /var/www/vhosts/domain.com/conf/vhost.conf
# /var/www/vhosts/domain.com/conf/vhost_ssl.conf
# /var/www/vhosts/domain.com/subdomains/<subdomain-name>/conf/vhost.conf

Note that I’ve substituted the generic “domain.com” for our actual domain name.

Since we are staging the site in a subdomain, I looked into the last option. After some difficulty, like the malformed config file that I wrote that prevented Apache from restarting, I succeeded with these steps:
  1. Create a vhost.conf file with the correct directive in the specified directory.
  2. Tell Plesk about the new vhost.conf file.
  3. Restart Apache.
Those steps, executed correctly, fixed both the Safe Mode and the session directory issues. Here’s what I did at the command line, logged in as root (using ssh, obviously!).

Create vhost.conf file

Create the new file.

[root@server ~]# nano /var/www/vhosts/domain.com/subdomains/<subdomain-name>/conf/vhost.conf

Enter:

<Directory /var/www/vhosts/domain.com/subdomains/<subdomain-name>/httpdocs>
php_admin_flag safe_mode off
</Directory>

Save & exit.

Tell Plesk about the new vhost.conf file

[root@server ~]# /usr/local/psa/admin/sbin/websrvmng --reconfigure-vhost --vhost-name=domain.com

Restart Apache

[root@server ~]# /etc/rc.d/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]

Finally, check the settings in Joomla (System > System Info) -- all set!
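As an added example that is not part of the original post, this shell script builds the vhost.conf shown above for a given docroot, rejects the kind of malformed file that stopped Apache from restarting (an unclosed <Directory> block or a relative path), and wraps the Plesk reconfigure and the restart with Apache's own syntax check (httpd -t). The domain and subdomain names are placeholders; the websrvmng and init-script paths are the ones from the post, and install_safe_mode_off is only meant to be run as root on the Plesk box.

```bash
#!/bin/sh
# Added example, not from the original post: generate the per-domain
# vhost.conf described above, check it before handing it to Plesk, and only
# then reconfigure and restart Apache. Domain and subdomain names are
# placeholders; the websrvmng and init-script paths are the ones from the post.

# Print the vhost.conf body for one docroot. php_admin_flag (rather than
# php_flag) is used because safe_mode is a PHP_INI_SYSTEM directive: it can
# only be set in the server configuration, never from a .htaccess file.
vhost_conf_body() {
    # $1 = absolute path of the docroot the directive applies to
    printf '<Directory %s>\n    php_admin_flag safe_mode off\n</Directory>\n' "$1"
}

# Structural check for the mistake mentioned above (a malformed file that
# stops Apache from restarting): every <Directory ...> must have a matching
# </Directory>, and the path inside it must be absolute.
vhost_conf_looks_sane() {
    # $1 = path to a vhost.conf; returns 0 when the checks pass
    opens=$(grep -c '^[[:space:]]*<Directory ' "$1" || true)
    closes=$(grep -c '^[[:space:]]*</Directory>' "$1" || true)
    [ "$opens" -gt 0 ] || return 1
    [ "$opens" -eq "$closes" ] || return 1
    ! grep '^[[:space:]]*<Directory ' "$1" | grep -qv '<Directory /'
}

# The full sequence from the post, guarded by the check above and by Apache's
# own syntax test (httpd -t) before the restart. Needs root on the Plesk box.
install_safe_mode_off() {
    # $1 = domain (e.g. domain.com), $2 = subdomain name
    base="/var/www/vhosts/$1/subdomains/$2"
    conf="$base/conf/vhost.conf"
    vhost_conf_body "$base/httpdocs" > "$conf"
    vhost_conf_looks_sane "$conf" || { echo "refusing to apply malformed $conf" >&2; return 1; }
    /usr/local/psa/admin/sbin/websrvmng --reconfigure-vhost --vhost-name="$1" || return 1
    if command -v httpd >/dev/null 2>&1; then
        httpd -t || return 1    # syntax error: leave the running Apache alone
    fi
    /etc/rc.d/init.d/httpd restart
}

demo() {
    tmp=$(mktemp -d)
    vhost_conf_body /var/www/vhosts/domain.com/subdomains/dev/httpdocs > "$tmp/vhost.conf"
    if vhost_conf_looks_sane "$tmp/vhost.conf"; then
        echo "generated vhost.conf passes the check:"; cat "$tmp/vhost.conf"
    fi
    # Constructed bad file: block never closed and a relative path
    printf '<Directory httpdocs>\n    php_admin_flag safe_mode off\n' > "$tmp/bad.conf"
    vhost_conf_looks_sane "$tmp/bad.conf" || echo "bad.conf rejected, as it should be"
    rm -rf "$tmp"
}

demo
```

The order matters: websrvmng regenerates httpd.include so that it pulls in the new vhost.conf, and httpd -t then parses the complete server configuration; a restart is only attempted once that passes, which is what keeps a typo in vhost.conf from taking every domain on the box offline.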

Tuesday, March 04, 2008

Deskbar Search in Ubuntu Gnome

If you use a Mac at all, you know the value of a handy search interface like Spotlight or Quicksilver. The Gnome Deskbar delivers similar features to the Ubuntu desktop, or any other Gnome desktop, for that matter.

See also:

Friday, February 15, 2008

Archiving and Compression

A page of many sample uses of the tar command to illustrate the most useful options with real-world examples.

Wednesday, February 06, 2008

TrueCrypt ships version 5.0 today

Version 5.0 of the free, open-source and cross-platform encryption program TrueCrypt is now available for download and installation for Windows, Mac OS, and Linux.

TrueCrypt:

Further information regarding features of the software may be found in the documentation.

Friday, January 18, 2008

Virus scan Windows using a Linux live CD

[There's been quite a bit of interest in this post and I've expanded on it quite a bit. Please post any comments or questions to help me improve this guide.

- Neil]

Keith and I have both run into situations where we want to recover a Windows computer by cleaning it up with a Linux Live (bootable) CD distro. This offers several advantages to cleaning up an infected or compromised computer by booting into Windows:

  • It prevents the malware, if it exists, from jumping from the infected computer or partition we are trying to fix to the repair partition or boot medium.
  • If we boot from a CD, there's actually no way to alter the boot medium, since it's read-only.
Naturally, we started with Knoppix -- download it here. Installing and scanning with F-Prot is covered in this Knoppix.net discussion thread, Virus Scan from LiveCD, which describes how to install F-Prot from the command line using apt-get.

Also, in Knoppix 5.1, you can boot from the Knoppix CD and install F-Prot with the Synaptic Package Manager:
  1. Run Synaptic Package Manager: K > KNOPPIX > Manage Software in KNOPPIX (kpackage)
  2. Click Search.
  3. Type f-prot in the Search: field and click [Search].
  4. Check f-prot-installer.
  5. Click [Apply Changes].
  6. Open Details on the Applying Changes dialog box by clicking on the little triangle.
  7. The F-Prot installer prompts you in the Details box. Select Download and install and select [OK] (use the Tab key and Return to make selections).
I had trouble with both of these methods because some repositories were not available, particularly the one that provided f-prot!

I went straight to the source, from F-Prot: Download F-PROT Antivirus for Linux Workstations.

I downloaded the Perl-based installer, which also happens to have the largest version number (6.01, today), to my Knoppix Home directory. To install F-prot:
  1. Right-click on the downloaded tgz file and select Extract Here. This should create a directory in your home directory called f-prot.
  2. cd f-prot/
  3. ./install-f-prot.pl
  4. Just accept the default choices during the installation, unless you have a reason not to. The installer will download the latest definition files.
Then, mount the volumes you want to scan by opening the icons on the Knoppix desktop. Go back to your command prompt and type

fpscan /media/hda1

replacing "/media/hda1" with the path to the drive you want to scan. Enter fpscan by itself at the command prompt to see a list of options. The f-prot directory also contains documentation (f-prot/doc/html if you want to use a browser).

Remember, everything disappears when you reboot, so if you don't want to have to download the F-Prot installer, copy the compressed (tgz) file to a USB drive. Then, when it's time to install it again, just boot from Knoppix, copy the tgz file to the Knoppix home directory, and then follow the steps above. Note you still need a live Internet connection to get the latest definition files.

We explored using ClamAV, which is included in Knoppix 5.1 but is not up-to-date with the latest definitions. To update ClamAV (sudo freshclam) it turns out you need to update the libc6 libraries first, which is such a pain and so time-consuming that I ended up just using F-Prot, following the steps above (although Keith and I were able to scan a laptop with ClamAV after running through an incredibly complex update procedure). Thanks to Paul for the comment on the ClamAV issue, below. If you have any more comments or questions about this procedure, let me know.

Sunday, December 16, 2007

Squeak, Seaside, Pier, and Smalltalk

Here is one interesting software development environment, especially for web applications.

Squeak is an open source implementation of Smalltalk. Seaside is a Web Framework for developing web applications in Squeak. Pier is a CMS built on Seaside. DabbleDB is also built on Seaside -- an incredibly impressive web app.

So far, I've installed it on my Mac iFive (OS X 10.4.10).