
Plesk and Joomla - Permission question - Security

ZX81Pro

Guest
Hi,

I run several Joomla sites on my Plesk linux server.

The problem is that if a client uploads a file via Joomla, he can't delete it via FTP because the file doesn't belong to him (PHP -> belongs to apache).

I'm looking for a SECURE solution to avoid this permission problem and to avoid security problems.

Non-secure : CHMOD 777 !
suEXEC : not tested...

I found this on http://rackerhacker.com/2007/05/20/joomla-and-plesk-permissions/:

Change the umask in '/etc/proftpd.conf' to 002 and add the 'apache' user to the 'psacln' group. Then, update the directory permissions:

cd /home/httpd/vhosts/[domain.com]
chown -R [username]:psacln httpdocs
chmod -R g+w httpdocs
find httpdocs -type d -exec chmod g+s {} \;

Do you think it's secure?

With umask the default permissions are 775 for directories and 664 for files.

How do you work with Joomla and Plesk?

Thanks a lot.

ZX81Pro
Belgium
 
That would allow the apache user to write to all users' httpdocs directories. It would be less secure than to just make a specific directory world writable (i.e., in that model, all directories are writable).
 
Instead of chmodding 777, why not make the owner apache:apache for the dirs that need 777?

Essentially the issue is that apache needs full access to the dirs. 777 solves that but makes them world writable/executable. Making them apache:apache makes them writable by apache but not the world.

Mind you I can't see a real benefit security-wise of doing this. An attacker will use the apache user in the first instance to take advantage of a vulnerability, so it doesn't really matter in a hosting environment if it is 777 or apache:apache? I think? Maybe? I'm no expert on this subject!

Faris.
 
Doable if you're the admin on the box, but for the users their only option would be to do that as themselves. Either way would be safer than adding apache to psacln.
 
suPHP will solve this, but you'll have to set that up yourself. Search the forums for more posts on suPHP.
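
The trade-off argued over in this thread can be measured on a real docroot. The script below is an added example, not code from any poster: it counts the directories the web server could write to under each model discussed (world-writable, group-writable via a shared group, owned by the web server user). The function names and the `web_user`/`web_group` arguments are assumptions for illustration; only mode bits are checked, so ACLs are ignored.

```shell
#!/bin/sh
# Added example (not from the thread): compare what the web server user can
# write under one docroot for each ownership model the posts discuss.
# Assumed names: web_user/web_group are whatever the server runs as, e.g.
# apache and psacln on the poster's box. Mode bits only; ACLs are ignored.

count() { wc -l | tr -d ' '; }

# Directories writable by anyone (the "chmod 777" model).
world_writable_dirs() { find "$1" -type d -perm -0002; }

# Directories writable through membership of group $2 (umask 002 + g+w model).
group_writable_dirs() { find "$1" -type d -group "$2" -perm -0020; }

# Directories owned by user $2 and owner-writable (the apache:apache model).
owner_writable_dirs() { find "$1" -type d -user "$2" -perm -0200; }

# Union of the three: every directory in which code running as user $2
# (a member of group $3) could create or delete files.
web_writable_dirs() {
    find "$1" -type d \( -perm -0002 \
        -o \( -group "$3" -perm -0020 \) \
        -o \( -user "$2" -perm -0200 \) \)
}

# One-line summary. Usage: exposure_summary DOCROOT WEB_USER WEB_GROUP
exposure_summary() {
    printf 'total=%s world=%s group=%s owner=%s any=%s\n' \
        "$(find "$1" -type d | count)" \
        "$(world_writable_dirs "$1" | count)" \
        "$(group_writable_dirs "$1" "$3" | count)" \
        "$(owner_writable_dirs "$1" "$2" | count)" \
        "$(web_writable_dirs "$1" "$2" "$3" | count)"
}

# Run directly as: sh audit.sh DOCROOT WEB_USER WEB_GROUP
if [ "$#" -eq 3 ]; then exposure_summary "$@"; fi
```

Running it before and after a permission change shows how far `any` moves relative to `total`: with the web server user in the shared group and `g+w` applied recursively, the two numbers are equal.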
 