
Joomla 1.5 Directory Status: Writeable

[UPDATED] Joomla 1.5 is acting flaky on one of our installations because the directories are set to ‘unwriteable’. To see their current state, log in as Super Administrator and go to Help > System Info > Directory Permissions. Elsewhere, it's been suggested that the specified directories must be set to “world-writeable” (777). This works, but it is a very bad idea, since it means anyone can change your files! Not cool.
Fixing Security with User and Group Settings
To perform these changes, you need shell (command line) access to your server. If you don't have it, you can beg your host to make these changes for you, or switch to a Joomla-friendly host. I'm going to assume that you are using a LAMP (Linux/Apache/MySQL/PHP) server because if you're not, then ... well, these instructions should work in principle, but the specifics for your server may be quite different.
Here's the issue: you, the FTP user, need full access to your files. So does Joomla, which accesses your files through the web server. Now, most web server configurations don't assign the web server to the group that's automatically assigned to your FTP files. If the web server isn't in the group that has write access to your files, then you have to give everyone write access to your files -- that's not good.
So, we are going to add the web server to the group that is automatically assigned to files that you, as an FTP user, create or modify. These instructions refer to a web server running Plesk, because that's what we use, so the specifics of your LAMP server may be different -- mostly the path names will be different, although this is true between different versions of Plesk, too. So, check your paths and make sure you understand what you are doing.
Here's how to do it:
  • Set up the FTP server so the default file permissions are 640, using the umask setting
  • Add the web server, apache, to the default group assigned to your files
  • Change the permissions of the existing files.
On our servers, we change the umask in ‘/etc/proftpd.conf’ to ‘137’ in order to set the default file permissions for files created in FTP to 640. For details, you can Google umask.
Logged in as root, enter this command to edit the FTP server configuration file:
nano /etc/proftpd.conf
Make the required change and then save the file. Hint: make a backup first!
Add the Web Server to the Default FTP Group
This is really the critical step, which allows Joomla access to your files via the permissions that are granted to the web server (in this case, Apache). To proceed, you need to know:
  • Which user account is assigned to the web server?
  • Which group account does Plesk use to manage your site?
To determine the user account for the web server, enter this command at the bash prompt:
ps aux | grep httpd
To determine the default group Plesk assigns to files, log in via ssh or FTP to view your Joomla files and check the group name (I use "ls -lha" at the command line). On our Plesk servers, the web server is "apache" and the default group for web directories is "psacln". So, we need to add the apache user to the psacln group. Once again, logged in as root, back up /etc/group and then enter this command:
# -a appends: without it, -G replaces all of apache's existing supplementary groups
usermod -a -G psacln apache
You should also use the same command to add the psaftp and psaadm users to the psacln group. You can also edit the /etc/group file directly to the same effect.
Change the permissions of the existing files
Now, we just need to ensure that all of the existing files are set up correctly. Here's how we do it:
cd /var/www/vhosts/[domain.com]
chown -R [username]:psacln httpdocs
chmod 770 httpdocs
find httpdocs -type d -exec chmod 770 {} \;
find httpdocs -type d -exec chmod g+s {} \;
find httpdocs -type f -exec chmod 640 {} \;
The find command is extra sweet: it finds all the directories or files in the "httpdocs" directory, and then runs the required "chmod" command on each one. The chmod mode "g+s" sets the "set group ID" (setgid) bit on all the directories so that, for FTP uploads:
all new files will be owned by the group of the parent directory instead of the current shell.
When you are done updating the permissions, you should probably restart Apache to ensure it re-reads the updated file permissions. From the command line:
apachectl -k graceful
Testing
You can see if your permissions are set correctly using several tests:
  • On the UNIX command line, via ssh: cd to the directory that contains your Joomla installation, and then enter: ls -lha to check the current permissions for all of the files. If you've followed the steps above, the file permissions should appear like this: -rwxrwx---
  • Use your favorite FTP program to log onto the site, and then check file permissions. Both the user and the group should have full permissions, and everyone should have no permissions.
  • Log into the Joomla 1.5 administrator interface, and select Help > System Info > Directory Permissions -- everything should appear as "writeable."
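An added example (not part of the original post) that automates the command-line test: it lists anything under a docroot that deviates from what the chmod/find commands above set, that is directories at 2770 and files at 640, plus anything still accessible to "other". The function names and the optional group argument are assumptions of this sketch; it only reads, it changes nothing.

```shell
#!/bin/sh
# Added example: read-only audit of a docroot against the modes set by the
# chmod/find commands in this post (directories 2770, files 640).
# Usage (assumed): sh audit.sh /var/www/vhosts/[domain.com]/httpdocs psacln

# Regular files whose mode is not exactly 640 (rw-r-----).
bad_files() { find "$1" -type f ! -perm 640; }

# Directories whose mode is not exactly 2770 (rwxrws---, i.e. 770 + setgid).
bad_dirs() { find "$1" -type d ! -perm 2770; }

# Files or directories granting any read/write/execute bit to "other",
# which is what a blanket chmod 777 leaves behind.
world_accessible() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \)
}

# Paths whose group is not the expected one (e.g. psacln).
wrong_group() { find "$1" ! -group "$2"; }

# Print one labelled line per deviation; return 0 only if there are none.
audit_docroot() {
    root=$1
    group=${2:-}
    report=$( {
        bad_files "$root"        | sed 's/^/FILE-MODE  /'
        bad_dirs "$root"         | sed 's/^/DIR-MODE   /'
        world_accessible "$root" | sed 's/^/WORLD      /'
        [ -z "$group" ] || wrong_group "$root" "$group" | sed 's/^/GROUP      /'
    } )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Run the audit only when a docroot is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_docroot "$@"
fi
```

A clean run prints nothing and exits 0, so the script can be dropped into cron or a deploy check to catch permissions that drift back toward 777.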
Joomla Component Installations and File Uploads
Sadly, all of the work above still does not lead to a fully workable Joomla installation! In addition, I had to install the PHP mod_suphp module on the server. As root:
yum install mod_suphp
I then configured this module according to the suggestions in HOW-TO Setup a PLESK Dedicated Server.

Note that turning Safe Mode on or off does not have any effect on Joomla 1.5 security, unlike version 1.0, where the file permission issue was fixed by turning Safe Mode off. Now, in Joomla 1.5, file access is controlled entirely by FTP and file permission settings on the web server.

Comments

Unknown said…
Thank you for these great and clear instructions. Although, I still do not find a service provider keen on doing these changes for me as a regular client.

Do you have a recommendation for a hosting service that is correctly configured for Joomla 1.5?
Neil said…
It's difficult to find a good Joomla host. That's why my company hosts all of our Joomla sites! We also work with other hosting providers to handle different types of hosting outside of our area of expertise. Without knowing more about your hosting requirements, I'm reluctant to make a recommendation for hosting. So, you can go to the Cadent web site and use the Contact Us form to follow up if you want to discuss this further with me.
Anonymous said…
Wow, I would be reluctant to CHMOD the site to 0777!

Now have a working install which I am testing. On the domain www.sl4me everything seems to work. Although obviously I still need to configure a few things and complete tests.

I run Virtuozzo & Plesk on a VPS, I do not have SSH access!

For others this is how I did it:

- FTP Joomla up onto the server
- Setup Joomla, but not the FTP Layer (this doesn't work)
- When you get to the end copy the code for configuration.php
- FTP in and create a file called configuration.php and paste the clipboard into it
- CHMOD config.php to 777 for now
- Log in to Virtuozzo
- Use File Manager to go to the site
- Change the owner of the following directories to www-data and the group to www-data:
- - administrator/backups/
- - administrator/components/
- - administrator/language/
- - administrator/language/en-GB/
- - administrator/modules/
- - administrator/templates/
- - components/
- - images/
- - images/banners/
- - images/stories/
- - language/
- - language/en-GB/
- - language/pdf_fonts/
- - media/
- - modules/
- - plugins/
- - plugins/content/
- - plugins/editors/
- - plugins/editors-xtd/
- - plugins/search/
- - plugins/system/
- - plugins/user/
- - plugins/xmlrpc/
- - tmp/
- - templates/
- - Cache Directory /var/www/vhosts/yoursite/httpdocs/cache/
- - Cache Directory /var/www/vhosts/yoursite/httpdocs/administrator/cache/
- Continue to configure site (if using Fireboard you need to ftp files and change the directory owner as above)
- Finally CHMOD config.php to 444

Actually different servers seem to have different users and groups so if you don't have www-data:www-data then look for apache:apache.

I hope this helps.
Neil said…
Thanks for the post above, but I'd suggest that you read the original post (above) where I don't recommend that you use 0777 permissions!
Krick said…
I don't see why you suggest we set the umask to 007. The default 022 seems like a more sensible and safer choice.

Additionally, at the end you suggest installing mod_suphp anyway, which supposedly solves the problems you were trying to solve with all the other changes in the first place.

Am I missing something?
Neil said…
Krick & others have noted some confusing aspects to this post. Since I first posted, my company has refined our techniques for controlling permissions. I'm working on an update to this article, so please subscribe to my feed if you want to receive a notice when the updated version comes out.
Anonymous said…
Where can you find someone to hire to do this for you? I have a large network site of all Joomla and need my permission on my dedicated server to work properly. I don't trust myself to resolve this and honestly I thought my hosting service was going to help me with this but turns out they are not. So now I have no experience or knowledge in how to do this. I'll happily pay someone, just don't know where to find them...
Neil said…
If you'd like my company to help you with this, please use the Cadent Contact Us form to let us know the details of your project.

Neil
Neil said…
Please note that I've made several updates to this post to reflect even tighter security settings. Specifically, we've found that setting file permissions to 640 (instead of 770) works just fine and offers even better security.
Anonymous said…
Here's a nice one. I have to manually chmod all files? Sure guys, it would only take about uhm... well, FOUR HOURS.

Gee, wonderful! Another great improvement to my life. Thanks a bunch!
Neil said…
Instead of chmodding all of the files manually and individually (which does sound like a sure way to develop some serious carpal tunnel syndrome, if you don't go insane with boredom first) I'd suggest that you read my original post at the top of this page, where I describe how to use the -R option to modify ownership of all the files in your site recursively with one command.

Even better, I also demonstrate the use of the incredibly versatile "find" command to set permissions with surgical precision on files of a specific type, as in this example where we set the permissions for all of the directories in our site with one single command:

find httpdocs -type d -exec chmod g+s {} \;

I'd estimate if you choose to type these commands in by hand, instead of just cutting and pasting them (or running them as a script), it might take you all of three minutes, regardless of the number of files you need to modify. Of course, you may have to get a fresh cup of coffee while your server works away on updating thousands of files at your bidding.

The last time we did an update of this kind of magnitude, it took all of ten minutes for the server to churn through about 10,000 files, while I did something else much more enjoyable with my time.

I hope this kind of automation brings a bit of good cheer to your day.
David said…
I am running a number of Joomla 2.5 sites. I realize this page is a little old, but wanted to see if you knew whether or not there were still permission issues not allowing directories to be writeable. My site is http://joomlahosting.co
Neil said…
@David: we've operated a number of Joomla 2.5 sites, and we haven't encountered the same types of permissions issues. Also, these 1.5 issues only appear on some hosting configurations. We suggest testing your configuration "offline" on a clone of the public server, which is pretty easy to do if you are working with a LAMP server stack.

Even easier, just clone the site to a different domain or sub-domain on your public server, and restrict access while you test different permissions settings. You can use the techniques in this article to update permissions on large numbers of files quickly.

As long as you are applying the principle of "the least amount of access to ensure the system works," you should be all set.

If you are running into specific error messages, post them here and maybe someone has an answer.
