[UPDATED]
Joomla 1.5 is acting flaky on one of our installations because the directories are set to ‘unwriteable’. To see their current state, log in as Super Administrator and go to Help > System Info > Directory Permissions.
Elsewhere, it's been suggested that the listed directories must be set to “world-writeable” (777). This works, but it is a very bad idea: every user and every process on the server, including the scripts of any other site it hosts, can then change your files. Not cool.
Fixing Security with User and Group Settings
To perform these changes, you need shell (command line) access to your server. If you don't have it, you can beg your host to make these changes for you, or switch to a Joomla-friendly host. I'm going to assume that you are using a LAMP (Linux/Apache/MySQL/PHP) server because if you're not, then ... well, these instructions should work in principle, but the specifics for your server may be quite different.
Here's the issue: you, the FTP user, need full access to your files. So does Joomla, which reads and writes your files as the web server's user. Most web server configurations do not put the web server in the group that is automatically assigned to the files you upload over FTP. If the web server isn't in a group that has write access to your files, the only way to let it write is to give everyone write access -- that's not good.
So, we are going to add the web server to the group that is automatically assigned to files that you, as an FTP user, create or modify. These instructions refer to a web server running Plesk, because that's what we use, so the specifics of your LAMP server may be different -- mostly the path names will be different, although this is true between different versions of Plesk, too. So, check your paths and make sure you understand what you are doing.
Here's how to do it:
- Set up the FTP server so the default file permissions are 640, using the umask setting
- Add the web server, apache, to the default group assigned to your files
- Change the permissions of the existing files.
On our servers, we change the umask in ‘/etc/proftpd.conf’ to ‘137′ in order to set the default file permissions for files created in FTP to 640 (666 minus 137). Be aware that a single umask value is also applied to new directories, where 137 would strip the execute bit (777 minus 137 = 640) and leave directories nobody can enter; ProFTPD's Umask directive accepts a second value for directories, so use ‘137 007′ to get the 770 directories set up below. For details, you can Google umask.
Logged in as root, enter this command to edit the FTP server configuration file:
nano /etc/proftpd.conf
Make the required change and then save the file. Hint: make a backup first!
Add the Web Server to the Default FTP Group
This is really the critical step, which allows Joomla access to your files via the permissions that are granted to the web server (in this case, Apache). To proceed, you need to know:
- Which user account is assigned to the web server?
- Which group account does Plesk use to manage your site?
To find out which user the web server runs as, look at the running httpd processes:
ps aux | grep httpd
To determine the default group Plesk assigns to files, log in via ssh or FTP and look at the group on your Joomla files (I use "ls -lha" at the command line). On our Plesk servers, the web server is "apache" and the default group for web directories is "psacln". So, we need to add the apache user to the psacln group. Once again, logged in as root, back up /etc/group and then enter this command:
usermod -a -G psacln apache
The -a (append) flag matters: without it, usermod replaces the user's existing supplementary groups with psacln instead of adding to them. You should use the same command to add the psaftp and psaadm users to the psacln group. You can also edit the /etc/group file directly to the same effect. Be aware of the trade-off: psacln is shared by every domain on a Plesk server, so once apache is in it, a PHP script on any one site can read, and for directories made group-writable as described here also write, the files of every other site. Running PHP as each site's own user with mod_suphp (see the end of this article) avoids that.
Change the permissions of the existing files
Now, we just need to ensure that all of the existing files are set up correctly. Here's how we do it:
cd /var/www/vhosts/[domain.com]
chown -R [username]:psacln httpdocs
chmod 770 httpdocs
find httpdocs -type d -exec chmod 770 {} \;
find httpdocs -type d -exec chmod g+s {} \;
find httpdocs -type f -exec chmod 640 {} \;
The find command is extra sweet: it finds all of the directories (-type d) or files (-type f) under "httpdocs" and runs the required "chmod" command on each one. The "g+s" sets the set-group-ID bit on every directory, so that any new file created inside it, whether by an FTP upload or by the web server, is owned by the group of the parent directory (psacln) instead of the primary group of the process that created it. Without it, files that Joomla creates would carry the web server's own primary group (typically "apache"), which your FTP user is not a member of.
Note what 640 on files means: the web server can read your existing files and, because the directories are group-writable, create, delete and rename files in them, but it cannot write to an existing file in place. If Joomla needs to overwrite existing files (editing a template from the administrator, or installing an extension over an older version), set those files to 660 instead.
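Here is the same step as a reusable script, added as an example that is not part of the original post. It applies the directory and file modes from the commands above to a document root (2770 for directories, i.e. 770 plus set-group-ID, and 640 for files), optionally changes the group when run as root or as a member of that group, and then audits the tree for anything that deviates from the policy or is world-writeable (the 777 setting warned against earlier). The directory and group names are hypothetical arguments; it assumes Linux with GNU find, chmod and stat.

```shell
#!/bin/sh
# Added example, not from the original post: apply and audit the
# owner/group/mode policy described in the article.
# Assumes Linux with GNU find/chmod. Group and path are caller-supplied.

# apply_joomla_perms DIR [GROUP]
# Directories become 2770 (rwxrws---): owner and group may enter and write,
# and the setgid bit makes new files inherit the directory's group instead
# of the creating process's primary group. Files become 640 (rw-r-----).
# The chgrp is only attempted when GROUP is given, because it needs root
# (or membership in GROUP) to succeed.
apply_joomla_perms() {
    dir=$1
    group=${2:-}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    if [ -n "$group" ]; then
        chgrp -R "$group" "$dir" || return 1
    fi
    # "+" hands many paths to one chmod instead of forking per file.
    find "$dir" -type d -exec chmod 2770 {} +
    find "$dir" -type f -exec chmod 640 {} +
}

# audit_joomla_perms DIR
# Prints every path that is not exactly 2770 (directory) or 640 (file),
# or that is writable by "others", and returns 1 if anything was found.
audit_joomla_perms() {
    dir=$1
    bad=$( {
        find "$dir" -type d ! -perm 2770
        find "$dir" -type f ! -perm 640
        find "$dir" -perm -o+w
    } | sort -u )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Stand-alone use: ./perms.sh /var/www/vhosts/example.com/httpdocs psacln
# (hypothetical path and group); with no arguments nothing is changed.
if [ $# -gt 0 ]; then
    apply_joomla_perms "$@" && audit_joomla_perms "$1"
fi
```

Run the audit on its own from time to time: a single 777 directory created by an extension installer is exactly the kind of regression this reports.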
When you are done updating the permissions, restart Apache. This is not because Apache caches file permissions (it doesn't); it is because the group membership added with usermod only applies to processes started after the change, so the httpd processes already running still lack the psacln group until they are restarted. From the command line:
apachectl -k graceful
Testing
You can see if your permissions are set correctly using several tests:
- On the UNIX command line, via ssh: cd to the directory that contains your Joomla installation, and then enter: ls -lha to check the current permissions for all of the files. If you've followed the steps above, directories should appear like this: drwxrws--- (770 plus the set-group-ID bit) and files like this: -rw-r----- (640).
- Use your favorite FTP program to log onto the site, and then check file permissions. For directories, both the user and the group should have full permissions and everyone else none; for files, the user should have read and write, the group read only, and everyone else nothing.
- Log into the Joomla 1.5 administrator interface, and select Help > System Info > Directory Permissions -- everything should appear as "writeable."
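One further check, added here as an example that is not part of the original post: confirm that the running httpd processes actually carry the psacln group, since "id apache" shows the new membership immediately while a process started before the usermod keeps its old group list until it is restarted. The helper reads the Groups line of /proc/PID/status, so it is Linux only; the process name, group name and the sample status file it is tested against are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Verify that running processes have picked up a supplementary group.
# usermod only affects processes started afterwards, so a process that
# predates the change can still lack the group even though `id` shows it.
# Linux only: reads the "Groups:" line of /proc/<pid>/status.

# status_gids STATUSFILE
# Print the supplementary GIDs listed in a /proc/<pid>/status file.
status_gids() {
    awk '/^Groups:/ { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# status_has_gid STATUSFILE GID
# Succeed if GID appears in that process's supplementary groups.
status_has_gid() {
    status_gids "$1" | grep -qx "$2"
}

# gid_of GROUPNAME
# Resolve a group name through the system group database.
gid_of() {
    getent group "$1" | cut -d: -f3
}

# check_processes_have_group NAME GROUP
# For every process named NAME (e.g. httpd), report the PIDs that do not
# carry GROUP (e.g. psacln); returns 1 if any are missing it, 2 if the
# group does not exist.
check_processes_have_group() {
    name=$1
    group=$2
    gid=$(gid_of "$group")
    [ -n "$gid" ] || { echo "unknown group: $group" >&2; return 2; }
    missing=0
    for pid in $(pgrep -x "$name"); do
        if ! status_has_gid "/proc/$pid/status" "$gid"; then
            echo "pid $pid ($name) lacks group $group ($gid): restart it"
            missing=1
        fi
    done
    return $missing
}

# Stand-alone use: ./checkgroups.sh httpd psacln (names are examples)
if [ $# -eq 2 ]; then
    check_processes_have_group "$1" "$2"
fi
```

If the check reports PIDs after the graceful restart, look for an old parent process that was never replaced; a full stop and start clears it.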
A cleaner fix is to run PHP as each site's own user with mod_suphp, which removes the need to give the shared apache user write access to the files of every site on the server:
yum install mod_suphp
I then configured this module according to the suggestions in HOW-TO Setup a PLESK Dedicated Server.
Note that turning Safe Mode on or off does not have any effect on Joomla 1.5 security, unlike version 1.0, where the file permission issue was fixed by turning Safe Mode off. Now, in Joomla 1.5, file access is controlled entirely by FTP and file permission settings on the web server.
Comments
Do you have a recommendation for a hosting service that is correctly configured for Joomla 1.5?
Now have a working install which I am testing. On the domain www.sl4me everything seems to work. Although obviously I still need to configure a few things and complete tests.
I run Virtuozzo & Plesk on a VPS, I do not have SSH access!
For others this is how I did it:
- FTP Joomla up onto the server
- Setup Joomla, but not the FTP Layer (this doesn't work)
- When you get to the end copy the code for configuration.php
- FTP in and create a file called configuration.php and paste the clipboard into it
- CHMOD config.php to 777 for now
- Log in to Virtuozzo
- Use File Manager to go to the site
- Change the owner of the following directories to www-data and the group to www-data:
- - administrator/backups/
- - administrator/components/
- - administrator/language/
- - administrator/language/en-GB/
- - administrator/modules/
- - administrator/templates/
- - components/
- - images/
- - images/banners/
- - images/stories/
- - language/
- - language/en-GB/
- - language/pdf_fonts/
- - media/
- - modules/
- - plugins/
- - plugins/content/
- - plugins/editors/
- - plugins/editors-xtd/
- - plugins/search/
- - plugins/system/
- - plugins/user/
- - plugins/xmlrpc/
- - tmp/
- - templates/
- - Cache Directory /var/www/vhosts/yoursite/httpdocs/cache/
- - Cache Directory /var/www/vhosts/yoursite/httpdocs/administrator/cache/
- Continue to configure site (if using Fireboard you need to ftp files and change the directory owner as above)
- Finally CHMOD config.php to 444
Actually different servers seem to have different users and groups so if you don't have www-data:www-data then look for apache:apache.
I hope this helps.
Additionally, at the end you suggest installing mod_suphp anyway, which supposedly solves the problems you were trying to solve with all the other changes in the first place.
Am I missing something?
Neil
Gee, wonderful! Another great improvement to my life. Thanks a bunch!
Even better, I also demonstrate the use of the incredibly versatile "find" command to set permissions with surgical precision on files of a specific type, as in this example where we set the permissions for all of the directories in our site with one single command:
find httpdocs -type d -exec chmod g+s {} \;
I'd estimate if you choose to type these commands in by hand, instead of just cutting and pasting them (or running them as a script), it might take you all of three minutes, regardless of the number of files you need to modify. Of course, you may have to get a fresh cup of coffee while your server works away on updating thousands of files at your bidding.
The last time we did an update of this kind of magnitude, it took all of ten minutes for the server to churn through about 10,000 files, while I did something else much more enjoyable with my time.
I hope this kind of automation brings a bit of good cheer to your day.
Even easier, just clone the site to a different domain or sub-domain on your public server, and restrict access while you test different permissions settings. You can use the techniques in this article to update permissions on large numbers of files quickly.
As long as you are applying the principle of "the least amount of access to ensure the system works," you should be all set.
If you are running into specific error messages, post them here and maybe someone has an answer.