Joomla and Plesk permissions
Thanks to a highly awesome technician on my team, we’ve discovered the perfect permissions setup for Joomla and Plesk:
Change the umask in ‘/etc/proftpd.conf’ to ‘002’ and add the ‘apache’ user to the ‘psacln’ group. Then, update the directory permissions:
cd /home/httpd/vhosts/[domain.com]
chown -R [username]:psacln httpdocs
chmod -R g+w httpdocs
find httpdocs -type d -exec chmod g+s {} \;
Joomla also complains about some PHP settings, sometimes including not being able to write to ‘/var/lib/php/session’. To fix the issues, make some adjustments to the vhost.conf for the domain:
<Directory /home/httpd/vhosts/[domain]/httpdocs>
php_admin_flag magic_quotes_gpc on
php_admin_flag display_errors on
php_admin_value session.save_path /tmp
</Directory>
If the vhost.conf is brand new, then run:
/usr/local/psa/admin/bin/websrvmng -av
Make sure Apache runs with your new configuration:
# httpd -t (check your work)
# /etc/init.d/httpd reload
Credit for this goes to Bryan T.
This didn’t work for me until I turned off PHP safe mode. Now that PHP Safe Mode is off, these steps are working like a champ! Thanks.
I am using Plesk 8.2.1 and Joomla. When I log into the server using PuTTY I do not see the same directory structure for my domains. I am new to Linux hosting so I may just be missing the whole picture somehow. I would really like to be able to control the permissions in my Joomla! sites and be able to FTP to the Joomla! directories. Any help would be appreciated.
How is this “perfect”? I do not think so, not at ALL.
I have not tested, but I think the following problem still remains:
1- Joomla/some other web application creates something on the disk
2- Now the file is owned by apache:apache
3- The dumb Joomla-“coder” comes complaining that he/she can not upload something (FTP) since the FTP process is user:psacln and the file/dir owner is apache:apache still
4- Already completely overworked admin needs to chown/chgrp, again, completely the same as before
OK I stand corrected I omitted the chmod g+s!
Well this was finally tested & not working as the new directories (and maybe files) are created with incorrect umask, for example when installing components from Joomla. Directories come as 0755, not 0775 (+sticky bits).
I suggest trying to install mod_suphp and configuring it per domain. This way the files uploaded via Joomla will get ftpuser:psacln rights and you can work with them. The folders also no longer need to be 777.
See more on
http://www.web-hosting-control-panel-addons.com/description.php/HOW-TO_setup_a_PLESK_Dedicated_Server/6/
Here you can see how to set up mod_suphp to work well on a PLESK server for Joomla, Drupal, or any other similar software. Hope this helps.
This is a terrible solution because Apache can write anywhere. With the frequent vulnerabilities found in Joomla, it’s this sort of setup that is commonly exploited to install botnet scripts and phish pages on a site.
The “perfect” solution is to identify what paths Joomla and the components you’re using require write access to and limit it to just those.
Also, rather than adding the “apache” group to psacln, you should instead add it to “psaserv” and change the group ownership for just those paths that are required. Finally, you’ll need to modify the Apache init script to change its umask.
Add to /etc/init.d/httpd (or other Apache init script):
umask 002
This will ensure files created by Apache are group writable, which will allow the FTP user to still be able to work on those files.
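The narrower setup described in the comment above, as an added example that is not part of the original post or of any commenter's reply: one function reports what the web server's group can still write outside an allowlist, the other strips group/world write everywhere except that allowlist. The function names and the allowlisted subpaths (images, cache) are assumptions for illustration; the real list depends on the Joomla version and the components installed.

```sh
#!/bin/sh
# Added example, not from the original post or its comments.
# Assumption: the allowlisted subpaths (e.g. images, cache) are placeholders;
# the real list depends on the Joomla version and installed components.

# audit_writable DOCROOT [ALLOWED_SUBPATH...]
# Prints (relative to DOCROOT) everything that is group- or world-writable
# and is not inside an allowlisted subpath. Paths with newlines unsupported.
audit_writable() {
    docroot=$1; shift
    find "$docroot" ! -type l \( -perm -020 -o -perm -002 \) | LC_ALL=C sort |
    while IFS= read -r path; do
        rel=${path#"$docroot"}; rel=${rel#/}
        allowed=no
        for a in "$@"; do
            case "$rel" in "$a"|"$a"/*) allowed=yes ;; esac
        done
        [ "$allowed" = yes ] || printf '%s\n' "${rel:-.}"
    done
}

# restrict_writable DOCROOT [ALLOWED_SUBPATH...]
# Drops group/world write on the whole tree, then restores g+w (plus setgid
# on directories, as in the post) only under the allowlisted subpaths.
# Group ownership (chgrp) is left to the admin.
restrict_writable() {
    docroot=$1; shift
    chmod -R g-w,o-w "$docroot"
    for a in "$@"; do
        [ -e "$docroot/$a" ] || continue
        chmod -R g+w "$docroot/$a"
        find "$docroot/$a" -type d -exec chmod g+s {} +
    done
}

# Dry run on a constructed sample tree: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    mkdir -p "$d/images" "$d/cache" "$d/administrator"
    : > "$d/configuration.php"
    chmod -R g+w "$d"
    echo "writable outside allowlist, before:"; audit_writable "$d" images cache
    restrict_writable "$d" images cache
    echo "writable outside allowlist, after:"; audit_writable "$d" images cache
    rm -rf "$d"
fi
```

Running audit_writable with no allowlist arguments lists every path the group can write to, which is a quick way to review what a setup actually exposes before deciding on the allowlist.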
I am concerned about the Givens comment about security and would appreciate further explanation.
Where you say:
…The “perfect” solution is to identify what paths Joomla and the components you’re using require write access to and limit it to just those…
What is the “it” referring to? How do you limit it to just those files? How do you determine what paths the Joomla components are using?
Thank you!