Perfect Permissions for Joomla and Plesk
Note: This solution is obsolete and only for Joomla 1.0.x. Please upgrade to the latest version of Joomla.
This post is a continuation of (actually a better solution than) my previous post on the Joomla session save path.
The solution is a slightly modified version of the original post found at rackerhacker.com.
Change the umask in ‘/etc/proftpd.conf’ from ‘022’ to ‘002’.
Then, update the directory permissions by running the following at the command line:
cd /var/www/vhosts/[domain.com]
chown -R [username]:psacln httpdocs
chmod -R g+w httpdocs
find httpdocs -type d -exec chmod g+s {} \;
Add the ‘apache’ user to the ‘psacln’ group by editing ‘/etc/group’.
Change
psacln:x:2524:
to
psacln:x:2524:apache
For my server I also had to add psaftp,psaadm:
psacln:x:2524:apache,psaftp,psaadm
Joomla also complains about some PHP settings, sometimes including not being able to write to ‘/var/lib/php/session’. To fix the issues, make some adjustments to the ‘/var/www/vhosts/[domain]/conf/vhost.conf’ for the domain (you may have to create this file):
php_admin_flag magic_quotes_gpc on
php_admin_flag display_errors on
php_admin_value session.save_path /tmp
If the vhost.conf is brand new, then run:
/usr/local/psa/admin/bin/websrvmng -av
Make sure Apache runs with your new configuration:
# httpd -t (check your work)
# /etc/init.d/httpd reload (service httpd restart on my server)
Done! No more errors on the install screen and no more apache/ftpuser issues with uploading files.
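The effect of the two settings used above (the umask and the setgid bit on directories), shown on a scratch directory. This is an added example, not part of the original post; the function name and the temporary paths are made up for illustration.

```shell
#!/bin/sh
# Added example: shows what 'umask 002' plus 'chmod g+s' on a directory
# change for newly created files. Works in a throwaway directory only,
# never in a real httpdocs.

# perms_under_umask UMASK
# Builds a group-writable, setgid directory the same way the post does
# (chmod g+w, then chmod g+s), creates one file and one subdirectory in it
# under the given umask, and prints their permission strings as shown by ls
# (file first, then subdirectory).
perms_under_umask() {
    (
        scratch=$(mktemp -d) || exit 1
        trap 'rm -rf "$scratch"' EXIT
        mkdir "$scratch/httpdocs"
        chmod g+w "$scratch/httpdocs"
        chmod g+s "$scratch/httpdocs"
        umask "$1"
        : > "$scratch/httpdocs/upload.php"   # stands in for an uploaded file
        mkdir "$scratch/httpdocs/cache"      # stands in for a created folder
        f=$(ls -ld "$scratch/httpdocs/upload.php" | cut -c1-10)
        d=$(ls -ld "$scratch/httpdocs/cache" | cut -c1-10)
        echo "$f $d"
    )
}

echo "umask 022: $(perms_under_umask 022)"
echo "umask 002: $(perms_under_umask 002)"
```

Under 022 the new file has no group write bit, so a second account in the same group cannot overwrite it; under 002 it does. The setgid bit on the parent is what keeps the group of new entries the same as the directory's group.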
For me the second part of this worked like a charm, but the first part caused me to lose ftp access on all domains on the server. yich. Probably an easy fix, but it is eluding me at the moment so I will move on to the other possible solution… My next post on this subject will be how mod_suphp works out.
UPDATE: FTP issue resolved – it was a syntax issue with my proftpd.conf file. Running smoothly now.
OK this looks good but:
- Developer installs module at Joomla
- Now the permissions are not 664 anymore but 644 as Apache creates the file with umask 644
- Developer changes something on the module and wants to upload using ftp
-> as the file owner is apache and group is psacln, the developer cannot overwrite the file as only the owner has write permission (644).
I think Apache should need to be changed to umask the files so that group has write permission (664).
Any thoughts?
I have a problem with uploading to the server through FTP too.
My friend has shell access to the server but we can’t figure out how to fix it, I can’t even change permissions through ftp, I get a 500 error, whatever it means…
Any thoughts on that? ;-)
Ok, so maybe not ‘perfect’ solution for everybody :). You may run into difficulties depending on your existing server configuration.
Personally, I don’t have this implemented on all my Joomla installations. In the places I don’t I opted to set ownership of apache.apache with default permissions (755,644) for Joomla writable directories and use WinSCP for file transfers when needed instead of ftp (or temporarily change ownership to use ftp).
We’re still working on our server, god it’s so hard to configure a server to be Joomla Friendly, why is it so complicated?
Do you not get any errors when installing custom modules/components? Do you have to change the rights then?
Did you write your post on mod_suphp?
We have it installed, but we’re running Ubuntu and the only tutorial on mod_suphp I found was for RedHat (I think), it just wouldn’t make sense with our installation.
If set up correctly you should experience no errors when installing.
I haven’t had a chance to test mod_suphp as of yet. Other projects have come up and it has been pushed to the back burner for now. I’ll update here when I know more.
I’m having some trouble getting this to work. I’m getting “Error 403 – Access forbidden! You don’t have permission to access the requested directory. There is either no index document or the directory is read-protected.”
When I run the command ‘chown -R [username]:psacln httpdocs’ what [username] do I use? The username of the ftp user I created from Plesk for the domain?
Also, do I upload the joomla files before or after I make these changes?
FYI I’m using Plesk 8.6.0 on Ubuntu 6.06 and Joomla 1.5.7.
This got a lot easier with the new Plesk 9. I made a small guide for it on my blog.
This is a terrible solution because Apache can write anywhere. With the frequent vulnerabilities found in Joomla, it’s this sort of setup that is commonly exploited to install botnet scripts and phish pages on a site.
The “perfect” solution is to identify what paths Joomla and the components you’re using requires write access to and limit it to just those.
Also, rather than adding the “apache” group to psacln, you should instead add it to “psaserv” and change the group ownership for just those paths that are required. Finally, you’ll need to modify the Apache init script to change its umask.
Add to /etc/init.d/httpd (or other Apache init script):
umask 002
This will ensure files created by Apache are group writable, which will allow the FTP user to still be able to work on those files.
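A way to check how far a docroot is from the "only the required paths" setup recommended in the comment above. This is an added example, not from the post or any commenter; the function names, the allowlist file and the directory names in the sample tree are constructed for illustration, and the real list of paths depends on the Joomla version and the components installed.

```shell
#!/bin/sh
# Added example: report directories under a docroot that are group-writable
# but are not on a list of paths the application is known to need.

# unexpected_writable DOCROOT ALLOWLIST_FILE
# ALLOWLIST_FILE holds one path per line, relative to DOCROOT. A directory is
# accepted if it is listed or lies below a listed path. Every other
# group-writable directory is printed (relative path, sorted).
unexpected_writable() {
    docroot=$1
    allow=$2
    ( cd "$docroot" && find . -type d -perm -020 ) | sed 's|^\./||' | sort |
    while IFS= read -r dir; do
        ok=no
        while IFS= read -r keep; do
            [ -n "$keep" ] || continue
            case "$dir" in
                "$keep"|"$keep"/*) ok=yes; break ;;
            esac
        done < "$allow"
        [ "$ok" = yes ] || printf '%s\n' "$dir"
    done
}

# Constructed sample tree: three group-writable directories, two of them
# on the allowlist. Only the third should be reported.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/httpdocs/cache" "$root/httpdocs/images/stories" \
             "$root/httpdocs/administrator" "$root/httpdocs/includes"
    chmod -R g-w "$root/httpdocs"
    chmod g+w "$root/httpdocs/cache" "$root/httpdocs/images/stories" \
              "$root/httpdocs/administrator"
    printf '%s\n' cache images/stories > "$root/allow.txt"
    unexpected_writable "$root/httpdocs" "$root/allow.txt"
    rm -rf "$root"
}

demo
```

On a tree prepared with the post's recursive chmod g+w, every directory is reported, which is the exposure the comment describes.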
Hi,
I followed the first step (Umask in proftpd.conf) but as Daniel J. Givens commented at the RackerHacker website: http://rackerhacker.com/2007/05/20/joomla-and-plesk-permissions/
I preferred to change the group to psaserv in the Joomla website.
I’m not an expert in Debian server system but it works and it seems more secure, doesn’t it?
With the advent of Joomla 1.5 this is no longer necessary. The best advice I have for everyone is to upgrade to the latest version of Joomla and use the FTP layer.
@Laurie
First thing I would do is either retrace my steps and/or restore from backup. At that point you can try again. If you are using Joomla 1.5 you probably don’t even have to take the steps in this post.
@Laurie
You might want to go with a host that will help manage your server. It’s great that they helped you this time, but they might not next time. I guarantee you will have more issues in the future and if this is a mission critical site it’s good to know you have backup support at your disposal. In the meantime, you can try the forums at joomla.org, they are a great resource and are a more targeted solution for this sort of thing.
I’m desperate to get my Joomla installations running again. When we moved from a shared to a dedicated server, we got loads of permission errors.
I did the steps as outlined above including creating a vhost.conf file. It’s been 15 years since I used UNIX and I don’t know Linux. But vi was still stuck in my head (h,j,k,l) so I managed UGH
Then I tried to install a component. It looked like it installed ok, but then generated a Forbidden page. I am now LOCKED OUT of my Joomla Admin Panel. The site also has the same 403 error. So I am now completely screwed!!!
How do I undo what I have done, or fix what I have done? I’m desperate to get this site back up and running. Please HELP!!!
In a panic I called the host support, we have an unmanaged server but they helped anyway. He said that once I edited the /etc/group file, I should have changed everything to psa (I’m still not sure what he meant). Whatever he did, the site is back up and I have access to the admin panel. I tried to install a component again and receive this error:
Warning: file_put_contents() [function.file-put-contents]: SAFE MODE Restriction in effect. The script whose uid is 10002 is not allowed to access /var/www/vhosts/innercirclelight.com/httpdocs/tmp/install_4a8f4aac32f27 owned by uid 48 in /var/www/vhosts/innercirclelight.com/httpdocs/libraries/joomla/filesystem/file.php on line 298
Warning: file_put_contents(/var/www/vhosts/innercirclelight.com/httpdocs/tmp/install_4a8f4aac32f27/jpfchat.xml) [function.file-put-contents]: failed to open stream: No such file or directory in /var/www/vhosts/innercirclelight.com/httpdocs/libraries/joomla/filesystem/file.php on line 298
Can someone please help?
Hi Dustin,
I’m using the latest 1.5.14 just downloaded today.
I think that you have a syntax error in:
find httpdocs -type d -exec chmod g+s {} ;
the correct form:
find httpdocs -type d -exec chmod g+s {} \;
This fixed these problems for me first time…
http://njlinux.blogspot.com/2008/03/configuring-joomla-on-plesk-box.html
I want the world to know that this works for WordPress also and is saving me loads of headaches. I will document my WordPress-based process on my blog soon.
you seem to have a syntax error – the correct version is:
find httpdocs -type d -exec chmod g+s {} \;
Thank you – syntax updated