Results 1 to 17 of 17
  1. #1
    Join Date
    Mar 2002
    Posts
    238

    Joomla install - best way to solve directory permission issues?

    I installed Joomla today, and it went smoothly except that under Help -> System Info in the Joomla admin panel, all "Directory Permissions" are "Unwritable."

    I've read up on various solutions, such as installing suphp to take care of user permissions. But if I have my own Linux VPS and I am the only user (i.e. noone else has accounts on my VPS), what is the easiest way to fix this issue? Can I just CHMOD those directories to 777 without worrying about causing a security issue? Or is there a similarly easy solution for someone like me with very basic Linux knowledge?

  2. #2
    Join Date
    Mar 2003
    Location
    /root
    Posts
    23,990
    Moved > Technical & Security Issues.

    Specially 4 U
    Reseller Hosting: Boost Your Websites | Fully Managed KVM VPS: 3.20 - 5.00 Ghz, Pure Dedicated Power
    JoneSolutions.Com is on the net 24/7 providing stable and reliable web hosting solutions, server management and services since 2001
    Debian|Ubuntu|cPanel|DirectAdmin|Enhance|Webuzo|Acronis|Estela|BitNinja|Nginx

  3. #3
    Join Date
    Mar 2004
    Location
    Chennai India
    Posts
    119
    Check the file ownership, that may be the problem becasue chmod 777 will fix the issue normally.

    HYBO Power
    a new Renewable Energy Source

  4. #4
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,007
    777 is not the best idea, you just want write, as write+execute on the web user is a deadly combo.
    If the web user is the owner of the dir, 644 is a good place to start.
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  5. #5
    Join Date
    Mar 2004
    Location
    Chennai India
    Posts
    119
    In that case just change the owner as apache and change the mode as 644

    HYBO Power
    a new Renewable Energy Source

  6. #6
    Join Date
    Mar 2007
    Location
    Phoenix, AZ
    Posts
    132
    You don't need to worry about directory permissions as long as you have correct FTP mode enabled.
    Note: Some components will not work properly under FTP mode so make sure you don't use one of them.
    Cheers,
    Sivanandhan, P. (a.k.a. apsivam)
    My Blog Site

  7. #7
    Hello ,


    I dont agree with 777 permissions its insecure and the best best is to given 775 permissions.This resolves issues in Joomla since it gives permissions for both user and group to write

  8. #8
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,007
    Quote Originally Posted by linux-engineer View Post
    Hello ,


    I dont agree with 777 permissions its insecure and the best best is to given 775 permissions.This resolves issues in Joomla since it gives permissions for both user and group to write
    Actually, that would depend on who owns the dir...if owner / group is apache, and it's set 775, then owner / group still have "7" rwx, all other have "5", so it may as well be 777.
    the owner/group need write, no execute, however you slice it, to be somewhat more secure.
    the ftp mode, as apsivam said, works, but that can sometimes be a little above some users heads, the the cavets it can bring.
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  9. #9
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,849
    Quote Originally Posted by kreativ View Post
    Can I just CHMOD those directories to 777 without worrying about causing a security issue?
    Yes. If you're the only user on the system then you're safer running PHP as the apache user and opening up access to upload directories as needed. That way an attacker has access to write only those directories and read only your web directories. By contrast if you run PHP suexec then any exploit in your application will give the attacker full access to everything in your account. To make things more secure you should also prevent execution of PHP and CGI scripts in the upload directories.
    Or is there a similarly easy solution for someone like me with very basic Linux knowledge?
    Alternatively if it makes you feel better (not having directories with 777 permissions) you can chown them to the apache user (usually "apache" or "nobody", depending on your system) and use standard 755 permissions. As mugo suggests, it amounts to much the same thing.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  10. #10
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,007
    A little file security knowledge needs to show here...if the user is apache, then setting the first bit to 7 is rwx, so you've given away the farm.
    the three number (777) correspond to user/group/all-other positions.
    if the upload dir is as so:

    drwxr-xr-x 2 apache.apache 4096 Apr 23 00:28 uploads
    (user / group both owned by apache)

    if the perms are 7xx or x7x, then you may has well have 777, because apache has rwx on the user and group positions.

    if user.owner is apache.apache, then make it 664
    if is root.apache then 764
    (nobody may be substituted for apache, depends on the user/group set in your httpd.conf)

    It does not matter about multiusers on the system itself, as we are talking about the apache public httpd process user here. What's in /home just doesn't matter.
    What does matter is the user/group coming in through apache processes, and the access given to that user.
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  11. #11
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,849
    Quote Originally Posted by mugo View Post
    if the user is apache, then setting the first bit to 7 is rwx, so you've given away the farm.
    I'm not sure what point you're trying to make here, but suppose the system is running PHP suexec, and the directory is owned user:user with permissions 755 (probably the most common shared-hosting situation). Then PHP runs as user, user's permission (first bit) is rwx and again you've "given away the farm". But in this situation you've also given away read-write to everything under /home/user (including mail, .htaccess files etc.)

    Giving apache permission to write to a directory is only a problem if it can be exploited by other users on the same system. With no other users this is a non-issue.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  12. #12
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,007
    Quote Originally Posted by foobic View Post
    I'm not sure what point you're trying to make here, but suppose the system is running PHP suexec, and the directory is owned user:user with permissions 755 (probably the most common shared-hosting situation). Then PHP runs as user, user's permission (first bit) is rwx and again you've "given away the farm". But in this situation you've also given away read-write to everything under /home/user (including mail, .htaccess files etc.)

    Giving apache permission to write to a directory is only a problem if it can be exploited by other users on the same system. With no other users this is a non-issue.
    He's not running suexec, only "read up on it".
    755 is the "most common", unfortunately. If it's root.root, cool, if httpd user, then oh oh. Not really the best security.

    There are certain dirs under joomla dir that OP needs write by apache, that is all we are really aiming for here.

    Somehow all the "experts" are probably just confusing the poor guy.

    Just to get stright to the point...to finish the Joomla setup so you can upload images, templates, plugins, etc.

    web user and / or group needs write to

    administrator/components/
    components/
    images/
    images/banners/
    images/stories/
    modules/
    tmp/ (this if for uploading templates, plugins, etc)

    Other than this, if you try to upload something, Joomla will give a warning to you as to which dir it can't access, just set the perms the same on that dir at that time, off you go.
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  13. #13
    Join Date
    Mar 2002
    Posts
    238
    Thanks for all the feedback.

    Admittedly, I'm still a little confused.

    I'm the sole user on the VPS, so I don't need to protect those Joomla directories from other users on the VPS. I just need to protect them from the outside world.

    I know I can always fall back on the FTP layer (that's how I completed Joomla setup), but would rather not have to worry about some components not working with it.

    So if I'm reading correctly, 777 is a security risk even if I'm the only one with access to the VPS.

    Would uploading the Joomla files as root user (so the directories are root:root instead of user:user) make any difference?

    Or could someone perhaps just give me what command line entries I should use to allow those specific directories to be writable by Joomla while minimizing the impact on security?

    For example, something like the below was one method I came across when Google searching on the matter. Don't know whether it's the best way though...
    Code:
    chgrp apache administrator/components
    chmod g+w administrator/components

  14. #14
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,007
    Exactly.
    I was following you on that, and my answers were indeed geared toward the web user, not a system user (as most VPSs are used...)

    Since "root.root" owns theses, you can set them as 776 and not have to mess with the owner.group
    just get in a directory above the one you want to change and do a

    chmod -R 776 ./directoryname

    (notice the . in front of the / - this is important, it means "from here", not base root of your machine)

    this means
    Change mode, recursively, on ./directoryname, giving user root rwx (7), group root rwx (7), all others rw (6) (apache or web user falls under "all others").
    do this for each of the dirs i named in my last post.

    So long as you don't have a public user with w+x (write / execute) you are relatively safe.
    (no upload/write + execute script)

    You can also just do these one at a time, as you need to open access.
    If you are only going to upload templates, just do the /tmp, for instance.
    No need to open up what you are not going to use.

    If you need help, PM me, we'll get some faster comm going
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  15. #15
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,849
    Quote Originally Posted by mugo View Post
    chmod -R 776 ./directoryname
    chmod -R has the unfortunate side-effect of changing files as well as directories - not what you want here. The directories need the execute bit set, the files don't, so really the commands to do this should be:
    Code:
    find directoryname -type d -exec chmod 777 {} \;
    find directoryname -type f -exec chmod 666 {} \;
    But in any case (other than suexec) the apache user needs access to certain directories. The easiest option is simply (as user) to set those directories 777. People constantly parrot out "OMG 777 is dangerous" but again all you are doing is exposing those directories to other users on the system. With no other users it's not a problem.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  16. #16
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,007
    Quote Originally Posted by foobic View Post
    chmod -R has the unfortunate side-effect of changing files as well as directories - not what you want here. The directories need the execute bit set, the files don't, so really the commands to do this should be:
    Code:
    find directoryname -type d -exec chmod 777 {} \;
    find directoryname -type f -exec chmod 666 {} \;
    But in any case (other than suexec) the apache user needs access to certain directories. The easiest option is simply (as user) to set those directories 777. People constantly parrot out "OMG 777 is dangerous" but again all you are doing is exposing those directories to other users on the system. With no other users it's not a problem.
    IT's a problem if this is an apache writable directory, availble to the world via apache.

    This is joomla specific, and I have this setup exactly this way, these are UPLOAD and receiving directories, if someone would read what this is all about.

    777 IS dangerous if it's a PHP UPLOAD & WEB REACHABLE w/ Apache user! Is there a problem here understanding something?? Is anyone reading the quesions of OP?

    Since ya'll have all the answers, then get him going. With all the "wisdom" everyone is spreading, noone has done anything but flex their "linux security muscles".

    Everyone keeps talking over his head, and not actually helping the poor guy.
    The directions I gave WILL work with Joomla and the specific directories, there are dirs that just recieve files for layout / etc. I am FULLY aware of -R recursive.
    We are not chmoding his entire INSTALL, I did NAME the dirs above to perform this on.

    Lord.
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  17. #17
    Join Date
    Dec 2010
    Posts
    42
    thanks Mugo. =) it helped me...

    i am relatively new, strike that, brand new to VPS and all, and considering I use joomla alot, this is an important topic to me.

Similar Threads

  1. servint vps permission issues
    By varunkrish in forum Hosting Security and Technology
    Replies: 1
    Last Post: 02-24-2008, 06:18 PM
  2. what kind of support issues most people get and how do they solve them?
    By DomainNewbie in forum Running a Web Hosting Business
    Replies: 8
    Last Post: 07-01-2007, 05:06 PM
  3. Replies: 0
    Last Post: 08-02-2006, 03:34 PM
  4. Replies: 0
    Last Post: 06-26-2006, 02:59 PM
  5. new RFC to solve all security/DOS issues
    By titoboo in forum Hosting Security and Technology
    Replies: 0
    Last Post: 04-01-2003, 02:18 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •