Joomla and Unix file permissions - Explanation
Unix/Linux permissions can be a confusing thing. I have seen a large number of posts asking about permissions, so I hope that this

The standard, default permissions that get assigned to files and directories by the server are normally:

Files = 644 and Directories = 755

These permissions would allow, for files:

644 = rw- r-- r-- =
    Owner has Read and Write
    Group has Read only
    Other has Read only

and for directories:

755 = rwx r-x r-x =
    Owner has Read, Write and Execute
    Group has Read and Execute only
    Other has Read and Execute only

Now, things can get a little complicated when we start talking about shared Web Servers. The Web Server software will be running with its own username and groupname; most servers are configured to use either "apache" and "apache" or "nobody" and "nobody" as username and groupname.

So here is the problem: your Web Server runs as its own user, and this user is not you or in your group, so the first two sets of permissions do not apply to it. Only the world (Other) permissions apply. Therefore, if you configure a permissions set similar to 640 on your website files, your Web Server will not be able to run your website files.

640 = rw- r-- --- =
    Owner has Read and Write
    Group has Read only
    Other has no rights

The Web Server is assigned no permissions at all and cannot Execute, Write or, more importantly, even Read the file to deliver its content to a website visitor's browser.

If a directory were to be assigned 750 permissions, this would have the same effect, because the Web Server does not even have permission to read files in the directory, even if the files inside that directory had favorable permissions.
750 = rwx r-x --- =
    Owner has Read, Write and Execute
    Group has Read and Execute
    Other has no rights

Directories have an extra quirk: if a directory does not have the Execute permission set in the World set, then even if Read and Write are set, a program that is not run as the user or group will still not be able to access the files within the directory. The Execute setting allows the program to "Execute" commands in the directory, so without it the program (in our case a Web Server) cannot execute the "Read" command, and thus cannot deliver your file to the user's web browser.

How Does this Relate to Joomla!?

Good question. In the first instance this would be important during the Web-Installer process. If you can remember back to when you ran the Joomla! Web-Installer, we were looking for specific directories to be designated as "Writable".

We see quite a number of posts either stating that there were problems during the install with permissions or asking what permissions are recommended. Some even consider the message asking for "Writable" permissions to be too vague. Unfortunately, as the Web-Installer does not know how your server is configured, it cannot be more specific. However, once you understand the permissions settings and you know a little about Web Serving environments, you will find that the term "Writable" is actually very specific and a more than adequate description of what Joomla! needs.

Thinking back to the above information, you may remember that there are three places where "Write" permissions may be set: Owner Writable, Group Writable and Other Writable. Remember also that the Web Server generally doesn't run as your own user or in the same group.

When you run the Web Installer from a browser, it is the Web Server trying to access the files, thus it is the "Other" permissions that will apply to it. If the "Other" permissions do not allow the Web Server to Read, Write or Execute commands in the Joomla! directories, you will receive the message saying that the directories are not "Writable". In this case, you will need to configure the Other permissions to be "7" on the directories listed in the Web Installer. So your total permissions might be something like 757; in the worst case you might need to set 777. These very open permissions may be reset back to 755 after the installer runs to assist in the security of your directories and files.

757 = rwx r-x rwx =
    Owner has Read, Write and Execute
    Group has Read and Execute
    Other has Read, Write and Execute

Just to make things even more confusing, many hosting firms make use of software called phpsuExec or suExec. These tools change the way the Web Server runs: where the Web Server would not normally run as your username, in this case it does. So the use of the "Other" permissions may not be required; now you may only need to configure directories to be "Writable" to your own username and groupname. This allows directory permissions to be set as 755 or 775 instead of 757 or 777.

755 = rwx r-x r-x =
    Owner has Read, Write and Execute
    Group has Read and Execute
    Other has Read and Execute

775 = rwx rwx r-x =
    Owner has Read, Write and Execute
    Group has Read, Write and Execute
    Other has Read and Execute

The Web Server will still need Execute set in the username permissions, and Read and Execute set in the groupname permissions, so that it can Execute the Read command on files inside the directory. Again, these permissions may be demoted back to 755 after the Web Installer completes.

OK, so that's the basics for directories covered, what about files?

This is where things get a little simpler. Most of the files that Joomla! makes use of will be quite happy with the 644 default permissions.

644 = rw- r-- r-- =
    Owner has Read, Write
    Group has Read
    Other has Read

This is valid if you do not have a need to Write to the files from the Web Server; the same rules apply as for directories if you do have this need.
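The rule described above, that exactly one of the Owner, Group or Other sets applies to the Web Server, worked through as an added shell example that is not part of the original article. The function name access_for and the ids used (site owner 1000:1000, Web Server 48:48) are assumptions made for illustration; root and ACLs are not modelled.

```shell
#!/bin/sh
# Added example: which permission set (Owner, Group or Other) a process gets.
# All uids and gids below are constructed for illustration.

# access_for MODE FILE_UID FILE_GID PROC_UID PROC_GID...
# Prints the rwx triad that applies to the process. Exactly one set is
# used: Owner if the uid matches, else Group if any gid matches, else Other.
access_for() {
    mode=$1 fuid=$2 fgid=$3 puid=$4
    shift 4
    bits=$(( 0$mode ))                 # leading 0 makes the shell read octal
    triad=$(( bits & 7 ))              # default: Other
    if [ "$puid" = "$fuid" ]; then
        triad=$(( (bits >> 6) & 7 ))   # Owner
    else
        for pgid in "$@"; do
            if [ "$pgid" = "$fgid" ]; then
                triad=$(( (bits >> 3) & 7 ))   # Group
            fi
        done
    fi
    r=-; w=-; x=-
    if [ $(( triad & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( triad & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( triad & 1 )) -ne 0 ]; then x=x; fi
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# Constructed ids: site owner 1000:1000, Web Server "apache" 48:48.
echo "640 file, server as Other: $(access_for 640 1000 1000 48 48)"
echo "750 dir,  server as Other: $(access_for 750 1000 1000 48 48)"
echo "757 dir,  server as Other: $(access_for 757 1000 1000 48 48)"
echo "755 dir,  suExec (owner):  $(access_for 755 1000 1000 1000 1000)"
echo "775 dir,  server in group: $(access_for 775 1000 1000 48 1000)"
```
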
One file that you may like to have "Writable" to the Web Server is your configuration.php file. This is the Joomla! configuration file; if you plan on changing configuration through the Web Admin interface, then this file will need to be Writable to the Web Server.

If your server needed directory permissions to be set to "Other" Writable for the install, then this file will probably also need to be 757 or 777. Leaving this file as 757 or 777 is dangerous though, as you are letting everyone have "Write" access. Many Web Site exploits take advantage of this fact, so in general it is not recommended to leave this file with these permissions.

If your Web Server has one of the SU tools installed and you only needed to configure 755 on directories for the installation, then you will probably also only need to set 755 or 775 on this file to allow editing through the Admin interface, and these permissions are generally accepted as more secure than 757 or 777.

In conclusion, what permissions should be set for the Joomla! installation?

Well, as you can see, it depends! I know this isn't maybe as helpful as you would have liked and it certainly is not a definitive answer, but in general, after the installation any insecure "7" settings can be reset back to something more secure. For example:

Files = 644 and Directories = 755

These permissions would allow, for files:

644 = rw- r-- r-- =
    Owner has Read and Write
    Group has Read only
    Other has Read only

and for directories:

755 = rwx r-x r-x =
    Owner has Read, Write and Execute
    Group has Read and Execute only
    Other has Read and Execute only

Footnotes:

If you have SSH or Shell access, the following commands can be run from the command line to reset all your files and directories back to the server defaults of 755 and 644. Change directory in to the top directory (" / ") of your Joomla! installation, then run these:

    find . -type f -exec chmod 644 {} \;
    find . -type d -exec chmod 755 {} \;

If you only have FTP access, this can be a very time-consuming job. However, unless you changed more directories during the installation than was requested, you should only need to reset about 10 directories and the configuration.php file.

Keep in mind that to install any extensions or templates after the actual Joomla! installation you may need to elevate the default permissions again on the appropriate directories just for the installation period; you may then demote them again after the add-on is installed.

If you decide to use "cache", the cache directory will need to be "Writable" to the Web Server user to allow it to write its temporary files.

Once you have completed the installation, the next thing to do is read Ron Liskey's "Joomla! Admins Security Checklist". I am sure you will find much of the security information that you will need in this post and the Security Forum.
This article is the work of RussW, who has given permission for its use here.
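An added example, not from the original article, of a narrower alternative to the blanket reset in the footnotes: it lists only the entries whose Other write bit is still set after the install period and clears that bit, leaving named directories such as cache alone. The function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Joomla! tree for "Other"-writable entries left over
# from the install period, then clear that bit. All paths are constructed.

# Print every file or directory under $1 whose "Other" write bit is set.
# Symlinks are skipped; names containing newlines are not supported.
list_other_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Clear the "Other" write bit on everything under $1 except the directory
# names given as further arguments (for example "cache", which must stay
# writable to the Web Server user when caching is in use).
tighten_other_write() {
    root=$1; shift
    list_other_writable "$root" | while IFS= read -r entry; do
        skip=no
        for keep in "$@"; do
            case "$entry" in
                "$root/$keep"|"$root/$keep"/*) skip=yes ;;
            esac
        done
        [ "$skip" = yes ] || chmod o-w "$entry"
    done
}

# Build a small constructed tree that mimics a site straight after install.
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/cache" "$demo/images" "$demo/includes"
    : > "$demo/configuration.php"; : > "$demo/index.php"
    chmod 755 "$demo" "$demo/includes"; chmod 644 "$demo/index.php"
    chmod 757 "$demo/images"; chmod 777 "$demo/cache"
    chmod 777 "$demo/configuration.php"
    printf '%s\n' "$demo"
}

demo=$(make_demo_tree)
echo "Other-writable before:"; list_other_writable "$demo"
tighten_other_write "$demo" cache
echo "Other-writable after:";  list_other_writable "$demo"
rm -rf "$demo"
```

Run the listing function on its own first to see what the install period left open before changing anything.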




