Joomla 1.5 is acting flaky on one of our installations because the directories are set to ‘unwriteable’. To see their current state, log in as Super Administrator and go to Help > System Info > Directory Permissions.
To fix this problem, first make sure the FTP access is working. Try re-entering the FTP user name and password at Site > Global Configuration > Server.
If this doesn't fix the problem, you must make some additional changes. Elsewhere, it's been suggested that the specified directories must be set to “world-writeable” (777). This works, but it is a very bad idea, since it means anyone can change your files! Not cool.
Fixing Security with User and Group Settings
To perform these changes, you need shell (command line) access to your server. If you don't have it, you can beg your host to make these changes for you, or switch to a Joomla-friendly host. I'm going to assume that you are using a LAMP (Linux/Apache/MySQL/PHP) server because if you're not, then ... well, these instructions should work in principle, but the specifics for your server may be quite different.
Here's the issue: you, the FTP user, need full access to your files. So does Joomla, which accesses your files through the web server. Now, most web server configurations don't assign the web server to the group that's automatically assigned to your FTP files. If the web server isn't in the group that has write access to your files, then you have to give everyone write access to your files -- that's not good.
So, we are going to add the web server to the group that is automatically assigned to files that you, as an FTP user, create or modify. These instructions refer to a web server running Plesk, because that's what we use, so the specifics of your LAMP server may be different -- mostly the path names will be different, although this is true between different versions of Plesk, too. So, check your paths and make sure you understand what you are doing.
Here's how to do it:
- Set up the FTP server so the default file permissions are 770, using the umask setting
- Add the web server, apache, to the default group assigned to your files
- Change the permissions of the existing files.
On our servers, we change the umask in ‘/etc/proftpd.conf’ to ‘007’ in order to set the default file permissions for files created in FTP to 770. For details, you can Google umask.
Logged in as root, enter this command to edit the FTP server configuration file:
nano /etc/proftpd.conf
Make the required change and then save the file. Hint: make a backup first!
Add the Web Server to the Default FTP Group
This is really the critical step, which allows Joomla access to your files via the permissions that are granted to the web server (in this case, Apache). To proceed, you need to know:
- Which user account is assigned to the web server?
- Which group account does Plesk use to manage your site?
ps aux | grep httpd
To determine the default group Plesk assigns to files, log in via ssh or FTP to view your Joomla files and check the group name (I use "ls -lha" at the command line).
On our Plesk servers, the web server is "apache" and the default group is "psacln". So, we need to add the ‘apache’ user to the ‘psacln’ group. Once again, logged in as root, enter this command:
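usermod -a -G psacln apache
The -a flag appends the group; without it, usermod -G replaces the user's existing supplementary groups. You should also use the same command to add the psaftp and psaadm users to the psacln group. You can also edit the /etc/group file directly to the same effect.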
Change the permissions of the existing files
Now, we just need to ensure that all of the existing files are set up correctly. Here's how we do it:
cd /var/www/vhosts/[domain.com]
chown -R [username]:psacln httpdocs
chmod 770 httpdocs
find httpdocs -type d -exec chmod 770 {} \;
find httpdocs -type d -exec chmod g+s {} \;
find httpdocs -type f -exec chmod 640 {} \;
The find command is extra sweet: it finds all the directories or files in the "httpdocs" directory, and then runs the required "chmod" command on each one. The chmod command "g+s" sets the "set groupid" bit on all the directories so that, for FTP uploads, all new files will be owned by the group of the parent directory instead of the group of the user who creates them.
When you are done updating the permissions, you should probably restart Apache to ensure it re-reads the updated file permissions. From the command line:
apachectl -k graceful
Testing
You can see if your permissions are set correctly using several tests:
- On the UNIX command line, via ssh: cd to the directory that contains your Joomla installation, and then enter: ls -lha to check the current permissions for all of the files. If you've followed the steps above, the file permissions should appear like this: -rwxrwx---
- Use your favorite FTP program to log onto the site, and then check file permissions. Both the user and the group should have full permissions, and everyone should have no permissions.
- Log into the Joomla 1.5 administrator interface, and select Help > System Info > Directory Permissions -- everything should appear as "writeable."
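The command-line check above can be scripted. This is an added example, not part of the original post: a POSIX shell function that audits a docroot against the layout the post sets up (no access for "other", setgid on every directory, one shared group). The function name audit_docroot and the finding labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a docroot against the layout described in the post.
# Usage: audit_docroot DIR GROUP   (GROUP is e.g. psacln; name or numeric gid)
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_docroot() {
    root=$1
    group=$2
    findings=$(
        # Writable by "other": the 777 shortcut the post warns against.
        find "$root" ! -type l -perm -0002 \
            -exec printf 'WORLD-WRITABLE %s\n' {} \;
        # Readable or executable by "other": the post wants no access at all.
        find "$root" ! -type l ! -perm -0002 \
            \( -perm -0004 -o -perm -0001 \) \
            -exec printf 'OTHER-ACCESS %s\n' {} \;
        # Directories without setgid: uploads would not inherit the group.
        find "$root" -type d ! -perm -2000 \
            -exec printf 'NO-SETGID %s\n' {} \;
        # Entries outside the shared group: the web server cannot use them.
        # A find error (unknown group, unreadable directory) is a finding too.
        find "$root" ! -type l ! -group "$group" \
            -exec printf 'WRONG-GROUP %s\n' {} \; ||
            printf 'ERROR group check failed for %s\n' "$group"
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run the audit only when both arguments are given, so the file can be sourced.
if [ "$#" -eq 2 ]; then
    audit_docroot "$1" "$2"
fi
```

Run it as root from the vhost directory with "httpdocs" and "psacln" as the two arguments; no output and exit status 0 means every entry matches the layout.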
Sadly, all of the work above still does not lead to a fully workable Joomla installation! In addition, I had to install the PHP mod_suphp module on the server. As root:
yum install mod_suphp
I then configured this module according to the suggestions in HOW-TO Setup a PLESK Dedicated Server.
Note that turning Safe Mode on or off does not have any effect on Joomla 1.5 security, unlike version 1.0, where the file permission issue was fixed by turning Safe Mode off. Now, in Joomla 1.5, file access is controlled entirely by FTP and file permission settings on the web server.
8 comments:
Thank you for these great and clear instructions. Although, I still do not find a service provider keen on doing these changes for me as a regular client.
Do you have a recommendation for a hosting service that is correctly configured for Joomla 1.5?
It's difficult to find a good Joomla host. That's why my company hosts all of our Joomla sites! We also work with other hosting providers to handle different types of hosting outside of our area of expertise. Without knowing more about your hosting requirements, I'm reluctant to make a recommendation for hosting. So, you can go to the Cadent web site and use the Contact Us form to follow up if you want to discuss this further with me.
Wow, I would be reluctant to CHMOD the site to 0777!
Now have a working install which I am testing. On the domain www.sl4me everything seems to work. Although obviously I still need to configure a few things and complete tests.
I run Virtuozzo & Plesk on a VPS, I do not have SSH access!
For others this is how I did it:
- FTP Joomla up onto the server
- Setup Joomla, but not the FTP Layer (this doesn't work)
- When you get to the end copy the code for configuration.php
- FTP in and create a file called configuration.php and paste the clipboard into it
- CHMOD config.php to 777 for now
- Log in to Virtuozzo
- Use File Manager to go to the site
- Change the owner of the following directories to www-data and the group to www-data:
- - administrator/backups/
- - administrator/components/
- - administrator/language/
- - administrator/language/en-GB/
- - administrator/modules/
- - administrator/templates/
- - components/
- - images/
- - images/banners/
- - images/stories/
- - language/
- - language/en-GB/
- - language/pdf_fonts/
- - media/
- - modules/
- - plugins/
- - plugins/content/
- - plugins/editors/
- - plugins/editors-xtd/
- - plugins/search/
- - plugins/system/
- - plugins/user/
- - plugins/xmlrpc/
- - tmp/
- - templates/
- - Cache Directory /var/www/vhosts/yoursite/httpdocs/cache/
- - Cache Directory /var/www/vhosts/yoursite/httpdocs/administrator/cache/
- Continue to configure site (if using Fireboard you need to ftp files and change the directory owner as above)
- Finally CHMOD config.php to 444
Actually different servers seem to have different users and groups so if you don't have www-data:www-data then look for apache:apache.
I hope this helps.
Thanks for the post above, but I'd suggest that you read the original post (above) where I don't recommend that you use 0777 permissions!
I don't see why you suggest we set the umask to 007. The default 022 seems like a more sensible and safer choice.
Additionally, at the end you suggest installing mod_suphp anyway, which supposedly solves the problems you were trying to solve with all the other changes in the first place.
Am I missing something?
Krik & others have noted some confusing aspects to this post. Since I first posted, my company has refined our techniques for controlling permissions. I'm working on an update to this article, so please subscribe to my feed if you want to receive a notice when the updated version comes out.
Where can you find someone to hire to do this for you? I have a large network site of all Joomla and need my permission on my dedicated server to work properly. I don't trust myself to resolve this and honestly I thought my hosting service was going to help me with this but turns out they are not. So now I have no experience or knowledge in how to do this. I'll happily pay someone, just don't know where to find them...
If you'd like my company to help you with this, please use the Cadent Contact Us form to let us know the details of your project.
Neil