correct file system permissions for joomla installation on linux

Question

My question is pretty general. Lets assume I have a linux distribution web server, with the /var/www/ is the web directory. I used my superuser account to upload and unzip the Joomla installation .zip folder.

The linux system user for web users is called www-data. Anyway, my question is who should be the ONWER of the files in the linux system? Right now, because I used my superuser account to unzip the files, all the folders and files are owned by the super user, and therefore come up in the joomla admin system as being unwritable. I am just a little hesitant to set the www-data user as the owner of the files. Is this OK?

Just for reference, in linux i would change the owner of the folders and files with chown and change the group with chgrp.

Thanks!

score 5 · Answer 1 · answered Jan 07 '15 at 12:30

This is very dangerous to have all Joomla! files and directories writable for webserver. If any bug in Joomla! or in some extension, the attacker will be able to remove/change/delete any file through the random exploit (utilizing the bug in PHP code). Instead of this, all files should be only readable by web server (ie: owner should be root or the normal user you have) and all permission sould be 755 for directories and 644 for files. Only the cache directory should by writable by www server (if you use caching). So something like this should be performed for whole Joomla directory (for Ubuntu & spol.):

cd /var/www/whatever-your-joomla-root-dir-is find . -type f -exec chmod 644 {} \; find . -type d -exec chmod 755 {} \; chown -R www-data .

See more about unix rights in http://forum.joomla.org/viewtopic.php?t=121470

You may need to change directories with extensions or templates the same way as cache directory only for the time you installing/removing one of them and then change ownership back.

For Fedora, CentOS, RHEL, Scientific Linux etc. command should be: chown -R apache .

Instead of changing ownership (this could be done as root only) you may just enable write permission for others by this command (and later revert back by passing o-w to the same command):

chmod -R o+w cache

Wow thank you very much, this seems much safer. Sometimes we upload files and save them to the server, but I guess this upload directory should be the only one with write permissions. — jeffery_the_wind, Jan 14 '15 at 15:15

score 3 · Accepted Answer · answered May 21 '14 at 13:38

3

Is ok. Use www-data as owner and group:

cd /var
chown www-data:www-data www

No need to use chgrp.

answered May 21 '14 at 13:38

Sacx

2,541
15
13

i just kept my configuration.php file as owned by the superuser. – jeffery_the_wind May 21 '14 at 14:32

correct file system permissions for joomla installation on linux

2 Answers2