Apache file permissions and ownership – A security issue


A Joomla developer asked on a forum:
“I have a Joomla site which is using Linux hosting. When I am going to install a module, it is showing an error ‘* JFolder::create: Could not create directory* Unable to create destination’.”

Someone had suggested that this developer should change the file permissions temporarily to 777 (read/write for everyone), in order to get over this obstacle.
I told him that “You should not set anything on the site to 777. Absolutely ALL directories should be 755 and files 644 (except a couple of crucial files in the root, which should be 444, for safety).
Temporarily setting directories to 777 is a ‘worst case scenario’ solution and should only ever be used in serious emergencies. Permanently doing this is a total no-no!
If the /temp, /administrator/modules and /modules directories are set to 755 and the log file path is correct, then the problem may well be that the owner of the /temp directory and/or the /modules directory is not Apache, the web service which is trying to do the installation, via the Joomla back-end interface.

This can be fixed either in your hosting service control panel or by the hosting service, directly. Call their help-desk if necessary.”
and that “A good read of these pages should make my point clear:
http://www.linuxquestions.org/questions/linux-security-4/apache-security-question-chmod-777-vs-usermod-a-g-802017/ and http://forum.joomla.org/viewtopic.php?f=262&t=535931&start=30
This is a particularly good post: http://forum.joomla.org/viewtopic.php?p=2211228#p2211228

For anyone who has this problem, the permission set 755 means that only the owner can write to the directory. The owner should be apache, on an Apache server, so that the web server can write to the directories when (e.g.) installing an extension.

775 would mean that the group can write also, but the group is usually the same as the owner, so it would not make a difference.

Changing ownership is achieved by the shell command ‘chown’ (see: http://linux.about.com/od/commands/l/blcmdl1_chown.htm), but most hosting services don’t allow you shell access. If the file system was uploaded by, say, FTP while logged in as some other user (e.g. your FTP account), then apache may not own the files, depending on the hosting service configuration.

The shell command chown will reset the ownership of the files and directories, but not a lot of hosting services allow shell access, because it requires a lot of security measures on a shared web server. Therefore, you must get them to do it, unless there is a control panel option to reset ownership.

If you do have shell access, chown (user)[:(group)] (filename) is the command to use.

Just to be absolutely clear, 777 means that anyone can write to the directory (or file), which is very dangerous.

It’s like putting any old wire in an electrical fuse box, instead of fuse wire: it will work but risks a serious fire the next time there is a short-circuit.

If only there had been sufficient lifeboats aboard the Titanic, no-one need have drowned. If only there were sufficient security measures on a website…

File/directory ownership and permissions are just such security measures but are no guarantee of security, by themselves. In fact, there is no absolute guarantee, ever, since hackers can be very imaginative. Just don’t give them a helping hand, whatever you do.
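
A read-only audit of the rule described above (directories 755, files 644 or 444, nothing world-writable, optionally one expected owner), as an added example that is not part of the original post. The function names, report labels and sample tree are constructed for illustration, and it assumes you have shell access to the web root.

```shell
#!/bin/sh
# Added example: audit a web root against the post's 755 / 644 / 444 rule.
# Usage: audit_webroot DIR [OWNER]   (OWNER: user name or numeric uid)
# Paths containing newlines are not handled.
audit_webroot() {
    root=$1
    owner=${2:-}
    {
        # Writable by "other": the last octal digit has the 2 bit set (777, 666, ...).
        find "$root" \( -type d -o -type f \) -perm -0002 -print |
            sed 's/^/WORLD-WRITABLE /'
        # Directories whose mode is not exactly 755.
        find "$root" -type d ! -perm 755 -print | sed 's/^/DIR-NOT-755 /'
        # Files that are neither 644 nor the read-only 444.
        find "$root" -type f ! -perm 644 ! -perm 444 -print |
            sed 's/^/FILE-NOT-644-OR-444 /'
        # Optional: anything not owned by the expected account.
        if [ -n "$owner" ]; then
            find "$root" ! -user "$owner" -print | sed 's/^/WRONG-OWNER /'
        fi
    } | sort
}

# Succeeds only when the audit reports nothing.
audit_clean() {
    [ -z "$(audit_webroot "$@")" ]
}

# Constructed sample tree (not a real site); prints its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/modules" "$t/temp"
    : > "$t/index.php"
    : > "$t/configuration.php"
    : > "$t/modules/mod_example.php"
    chmod 755 "$t" "$t/modules"
    chmod 777 "$t/temp"                    # the "temporary" fix the post warns about
    chmod 644 "$t/index.php"
    chmod 444 "$t/configuration.php"       # read-only root file
    chmod 666 "$t/modules/mod_example.php"
    printf '%s\n' "$t"
}

sample=$(make_sample_tree)
audit_webroot "$sample"
rm -rf "$sample"
```

The audit changes nothing; each reported path still has to be corrected with chmod or chown, or by the hosting service where shell access is not available.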
