
Plesk and Joomla - Permission question - Security

Discussion in 'Plesk for Linux - 8.x and Older' started by ZX81Pro, Jun 9, 2007.

  1. ZX81Pro

    Hi,

    I run several Joomla sites on my Plesk linux server.

    The problem is that if a client uploads a file via Joomla, he can't delete it via FTP because the file doesn't belong to him (PHP -> belongs to apache).

    I'm looking for a SECURE solution to avoid this permission problem and to avoid security problems.

    Non-secure: CHMOD 777!
    suEXEC : not tested...

    I found this on http://rackerhacker.com/2007/05/20/joomla-and-plesk-permissions/:

    Change the umask in '/etc/proftpd.conf' to 002 and add the 'apache' user to the 'psacln' group. Then, update the directory permissions:

    cd /home/httpd/vhosts/[domain.com]
    chown -R [username]:psacln httpdocs
    chmod -R g+w httpdocs
    find httpdocs -type d -exec chmod g+s {} \;

    Do you think it's secure?

    With umask the default permissions are 775 for directories and 664 for files.

    How do you work with Joomla and Plesk?

    Thanks a lot.

    ZX81Pro
    Belgium
     
  2. atomicturtle

    That would allow the apache user to write to all users' httpdocs directories. It would be less secure than just making a specific directory world-writable (i.e., in that model, all directories are writable).
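
Added example (not part of the thread or of the linked recipe): a shell script that applies the recipe's chmod steps and the single-directory alternative to a constructed docroot, then counts the directories each model leaves writable. The directory names and helper functions are made up for illustration, and chown is omitted so the script runs unprivileged in a temp directory.

```shell
#!/bin/sh
# Added example: compare how many directories each permission model opens up.
# Works on a constructed docroot under a temp dir; no chown, so no root needed.

# Constructed docroot: httpdocs plus three subdirectories, all mode 755.
make_docroot() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/httpdocs/images" "$d/httpdocs/administrator" "$d/httpdocs/includes"
    chmod -R 755 "$d"
    echo "$d"
}

# Directories writable through the group bit: what the web server user gains
# once it is a member of the owning group.
count_group_writable_dirs() { find "$1" -type d -perm -0020 | wc -l | tr -d ' '; }

# Directories writable by every local account.
count_world_writable_dirs() { find "$1" -type d -perm -0002 | wc -l | tr -d ' '; }

# Model A: the chmod steps of the quoted recipe (chown omitted here).
apply_group_recipe() {
    chmod -R g+w "$1/httpdocs"
    find "$1/httpdocs" -type d -exec chmod g+s {} \;
}

# Model B: one upload directory made world-writable, the rest left at 755.
apply_single_dir() { chmod 777 "$1/httpdocs/images"; }

# Permission string of a new directory ($2 = d) or file ($2 = f) created
# in $1 under umask 002, the value the recipe sets for FTP uploads.
mode_under_umask_002() (
    umask 002
    if [ "$2" = d ]; then mkdir "$1/new" && ls -ld "$1/new" | cut -c1-10
    else : > "$1/new.txt" && ls -l "$1/new.txt" | cut -c1-10; fi
)

report() {
    a=$(make_docroot); apply_group_recipe "$a"
    b=$(make_docroot); apply_single_dir "$b"
    echo "recipe:     group-writable dirs $(count_group_writable_dirs "$a/httpdocs"), world-writable $(count_world_writable_dirs "$a/httpdocs")"
    echo "single dir: group-writable dirs $(count_group_writable_dirs "$b/httpdocs"), world-writable $(count_world_writable_dirs "$b/httpdocs")"
    rm -rf "$a" "$b"
}
report
```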
     
  3. faris

    Instead of chmodding 777, why not make the owner apache:apache for the dirs that need 777?

    Essentially the issue is that apache needs full access to the dirs. 777 solves that but makes them world writable/executable. Making them apache:apache makes them writable by apache but not the world.

    Mind you I can't see a real benefit security-wise of doing this. An attacker will use the apache user in the first instance to take advantage of a vulnerability, so it doesn't really matter in a hosting environment if it is 777 or apache:apache? I think? Maybe? I'm no expert on this subject!

    Faris.
     
  4. atomicturtle

    Doable if you're the admin on the box, but for the users their only option would be to do that as themselves. Either way would be safer than adding apache to psacln.
     
  5. breun

    suPHP will solve this, but you'll have to set that up yourself. Search the forums for more posts on suPHP.
     