Monday, March 17, 2008

Joomla 1.5 Directory Status: Writeable

Joomla 1.5 is acting flaky on one of our installations because the directories are set to ‘unwriteable’. To see their current state, log in as Super Administrator and go to Help > System Info > Directory Permissions.

To fix this problem, first make sure the FTP access is working. Try re-entering the FTP user name and password at Site > Global Configuration > Server.

If this doesn't fix the problem, you must make some additional changes. Earlier, I suggested that the specified directories must be set to “world-writeable” (777). This works, but is less than ideal, since it means anyone can change your files! Not cool. I've kept my original suggestions (below), but they are "deprecated" in favor of the more sophisticated user and group permissions settings.

Fixing Security with User and Group Settings

To perform these changes, you need shell (command line) access to your server. If you don't have it, you can beg your host to make these changes for you, or switch to a Joomla-friendly host. I'm going to assume that you are using a LAMP (Linux/Apache/MySQL/PHP) server because if you're not, then ... well, these instructions should work in principle, but the specifics for your server may be quite different.


Here's the issue: you, the FTP user, need full access to your files. So does Joomla, which accesses your files through the web server. Now, most web server configurations don't assign the web server to the group that's automatically assigned to your FTP files. If the web server isn't in the group that has write access to your files, then you have to give everyone write access to your files -- that's not good.

So, we are going to add the web server to the group that is automatically assigned to files that you, as an FTP user, create or modify. These instructions refer to a web server running Plesk, because that's what we use, so the specifics of your LAMP server may be different -- mostly the path names will be different, although this is true between different versions of Plesk, too. So, check your paths and make sure you understand what you are doing.

Here's how to do it:
  • Set up the FTP server so the default file permissions are 775, using the umask setting
  • Add the web server, apache, to the default group assigned to your files 
  • Change the permissions of the existing files.

On our servers, we change the umask in ‘/etc/proftpd.conf’ to ‘002’ in order to set the default file permissions for files created in FTP to 775. For details, you can Google umask.

Logged in as root, enter this command to edit the FTP server configuration file:

nano /etc/proftpd.conf

Make the required change and then save the file. Hint: make a backup first!

Add the Web Server to the Default FTP Group

On our Plesk servers, the web server is "apache" and the default group is "psacln". So, we need to add the ‘apache’ user to the ‘psacln’ group. Once again, logged in as root, enter this command:

# -a appends psacln to apache's existing supplementary groups; -G alone would replace them
usermod -a -G psacln apache

Now, we just need to ensure that all of the existing files are set up correctly. Here's how we do it:

cd /var/www/vhosts/[domain.com]
chown -R [username]:psacln httpdocs
chmod -R g+w httpdocs
find httpdocs -type d -exec chmod g+s {} \;


The last command is extra sweet: it finds all the directories in the "httpdocs" directory, and then runs the required "chmod" command on each one. This chmod command sets the "set group ID" (setgid) bit on every directory, so all new files will be owned by the group of the parent directory instead of the group of the current shell user.
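
To check that a tree actually ended up in the state described above, here is an added audit script (not part of the original post). The function names, the labels it prints and the sample tree are made up for illustration; pass your own directory and group, for example httpdocs and psacln.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit a web root against the
# user-and-group layout described above.
# Usage: audit_webroot <dir> <group name or numeric gid>

audit_webroot() {
    local root="$1" group="$2"
    # World-writable entries: what the old "chmod -R 777" advice leaves behind.
    find "$root" ! -type l -perm -0002 | sed 's/^/WORLD-WRITABLE /'
    # Entries outside the shared group (psacln on the post's Plesk servers).
    find "$root" ! -type l ! -group "$group" | sed 's/^/WRONG-GROUP /'
    # Entries the group cannot write, so the web server cannot either.
    find "$root" ! -type l ! -perm -0020 | sed 's/^/NOT-GROUP-WRITABLE /'
    # Directories without setgid: new files there will not inherit the group.
    find "$root" -type d ! -perm -2000 | sed 's/^/NO-SETGID /'
}

# Constructed sample tree (hypothetical layout) for trying the audit offline.
build_sample_tree() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/httpdocs/images" "$root/httpdocs/tmp" "$root/httpdocs/cache"
    touch "$root/httpdocs/index.php" "$root/httpdocs/tmp/upload.txt"
    chmod 2775 "$root/httpdocs" "$root/httpdocs/images"  # as recommended
    chmod 0777 "$root/httpdocs/tmp"                      # old 777 advice
    chmod 0755 "$root/httpdocs/cache"                    # never fixed up
    chmod 0664 "$root/httpdocs/index.php"                # as recommended
    chmod 0666 "$root/httpdocs/tmp/upload.txt"           # world-writable file
    printf '%s\n' "$root/httpdocs"
}

# Run against a real tree only when called with both arguments.
if [ "$#" -eq 2 ]; then
    audit_webroot "$1" "$2"
fi
```

An empty result means every entry is in the shared group, group-writable, not world-writable, and every directory carries the setgid bit.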

Original Instructions: Not Secure!

DO NOT USE THE FOLLOWING INSTRUCTIONS! I've kept them here so you can compare them with the recommended "user & group" approach listed above.  

If all you have is an FTP client that lets you set permissions, log in via FTP and set the permissions for the "unwriteable" directories. If you have bash shell access, you can do it with one magic command.

Log in via ssh and use cd to navigate to the Joomla root installation directory. Then, simply paste this command at the bash prompt:

for i in administrator cache components images language modules plugins tmp templates; do chmod -R 777 "$i"; done

This is a nice example of using a for loop to march through an arbitrary list.

Note that turning Safe Mode on or off does not have any effect on this. This is unlike version 1.0, where the file permission issue was fixed by turning Safe Mode off. In Joomla 1.5, file access is controlled entirely by FTP and file permission settings on the web server.
