
Plesk and Joomla - Permission question - Security


ZX81Pro

Guest
Hi,

I run several Joomla sites on my Plesk linux server.

The problem is that if a client uploads a file via Joomla he can't delete it via FTP because the file doesn't belong to him (PHP -> belongs to apache).

I'm looking for a SECURE solution to avoid this permission problem and to avoid security problems.

Non-secure: CHMOD 777!
suEXEC: not tested...

I found this on http://rackerhacker.com/2007/05/20/joomla-and-plesk-permissions/:

Change the umask in '/etc/proftpd.conf' to 002 and add the 'apache' user to the 'psacln' group. Then, update the directory permissions:

cd /home/httpd/vhosts/[domain.com]
chown -R [username]:psacln httpdocs
chmod -R g+w httpdocs
find httpdocs -type d -exec chmod g+s {} \;

Do you think it's secure?

With that umask the default permissions are 775 for directories and 664 for files.

How do you work with Joomla and Plesk?

Thanks a lot.

ZX81Pro
Belgium
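To see what the two approaches in this post actually leave on disk, here is an added audit script (my own example, not from the thread or from the rackerhacker article). It counts world-writable entries (what the "CHMOD 777" fix creates) and group-writable directories that are missing the setgid bit, which the umask/psacln model above relies on so that new uploads inherit the directory's group. It assumes the /home/httpd/vhosts/[domain]/httpdocs layout from the post, but the demo builds a constructed tree under mktemp and skips the chown, because that needs root and a real psacln group.

```shell
#!/bin/sh
# Added example, not from the thread: audit an httpdocs tree for the two
# things discussed above, world-writable entries (the "chmod 777" fix) and
# group-writable directories without setgid (which the umask 002 + psacln
# model needs so uploads keep the psacln group).
# Assumed layout: /home/httpd/vhosts/<domain>/httpdocs as in the post.
# The demo below uses a constructed tree under mktemp instead.

# Count world-writable files and directories under the given tree.
count_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 | wc -l | tr -d ' '
}

# Count group-writable directories that lack setgid: files created in them
# get the creator's primary group instead of the directory's group.
count_dirs_missing_setgid() {
    find "$1" -type d -perm -0020 ! -perm -2000 | wc -l | tr -d ' '
}

# Apply the post's group-write model: g+w everywhere, setgid on directories.
apply_group_write_model() {
    chmod -R g+w "$1"
    find "$1" -type d -exec chmod g+s {} \;
}

# Build a constructed tree, measure it with the 777 fix, then with the
# group-write model. Prints "<ww_before> <ww_after> <dirs_missing_setgid>".
demo() {
    umask 022
    tmp=$(mktemp -d)
    mkdir -p "$tmp/httpdocs/images" "$tmp/httpdocs/cache"
    touch "$tmp/httpdocs/index.php" "$tmp/httpdocs/images/photo.jpg"

    chmod 777 "$tmp/httpdocs/cache"                 # the non-secure fix
    ww_before=$(count_world_writable "$tmp/httpdocs")

    chmod 755 "$tmp/httpdocs/cache"                 # undo it
    apply_group_write_model "$tmp/httpdocs"
    ww_after=$(count_world_writable "$tmp/httpdocs")
    missing=$(count_dirs_missing_setgid "$tmp/httpdocs")

    rm -rf "$tmp"
    echo "$ww_before $ww_after $missing"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` to see "1 0 0": one world-writable directory with the 777 fix, none with the group-write model, and no directory missing setgid. Point the two count functions at a real httpdocs (as the vhost owner or root) to check an existing site; any non-zero count from the first function is a directory the web server and everyone else on the box can write to.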
 
That would allow the apache user to write to all users' httpdocs directories. It would be less secure than just making a specific directory world writable (i.e., in that model, all directories are writable).
 
Instead of chmodding 777, why not make the owner apache:apache for the dirs that need 777?

Essentially the issue is that apache needs full access to the dirs. 777 solves that but makes them world writable/executable. Making them apache:apache makes them writable by apache but not the world.

Mind you I can't see a real benefit security-wise of doing this. An attacker will use the apache user in the first instance to take advantage of a vulnerability, so it doesn't really matter in a hosting environment if it is 777 or apache:apache? I think? Maybe? I'm no expert on this subject!

Faris.
 
Doable if you're the admin on the box, but for the users their only option would be to do that as themselves. Either way would be safer than adding apache to psacln.
 
suPHP will solve this, but you'll have to set that up yourself. Search the forums for more posts on suPHP.
 