Plesk and Joomla - Permission question - Security


ZX81Pro
9th June 2007, 05:22 AM
Hi,

I run several Joomla sites on my Plesk linux server.

The problem is that if a client uploads a file via Joomla, he can't delete it via FTP because the file doesn't belong to him (PHP -> belongs to apache).

I'm looking for a SECURE solution to avoid this permission problem and to avoid security problems.

Non-secure : CHMOD 777 !
suEXEC : not tested...

I found this on http://rackerhacker.com/2007/05/20/joomla-and-plesk-permissions/:

Change the umask in '/etc/proftpd.conf' to 002 and add the 'apache' user to the 'psacln' group. Then, update the directory permissions:

cd /home/httpd/vhosts/[domain.com]
chown -R [username]:psacln httpdocs
chmod -R g+w httpdocs
find httpdocs -type d -exec chmod g+s {} \;

Do you think it's secure?

With umask the default permissions are 775 for directories and 664 for files.

How do you work with Joomla and Plesk?

Thanks a lot.

ZX81Pro
Belgium

atomicturtle
9th June 2007, 10:36 AM
That would allow the apache user to write to all users' httpdocs directories. It would be less secure than just making a specific directory world writable (i.e., in that model, all directories are writable).

faris
9th June 2007, 06:17 PM
Instead of chmodding 777, why not make the owner apache:apache for the dirs that need 777?

Essentially the issue is that apache needs full access to the dirs. 777 solves that but makes them world writable/executable. Making them apache:apache makes them writable by apache but not the world.

Mind you I can't see a real benefit security-wise of doing this. An attacker will use the apache user in the first instance to take advantage of a vulnerability, so it doesn't really matter in a hosting environment if it is 777 or apache:apache? I think? Maybe? I'm no expert on this subject!

Faris.

atomicturtle
9th June 2007, 07:55 PM
Doable if you're the admin on the box, but for the users their only option would be to do that as themselves. Either way would be safer than adding apache to psacln.

breun
11th June 2007, 06:26 AM
suPHP will solve this, but you'll have to set that up yourself. Search the forums for more posts on suPHP.
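
The three models weighed in this thread (777 directories, apache:apache ownership, and group write for psacln with setgid) can be compared on an actual document root by listing which paths each one leaves writable. The script below is an added example, not part of any post above; the function names are hypothetical, and the `apache` and `psacln` defaults are taken from the thread.

```shell
#!/bin/sh
# Added example: report who can write where under a vhost document root.
# Assumptions: a find(1) supporting -perm/-user/-group; web server user
# "apache" and shared group "psacln" as in the thread (both overridable).
# Symlinks are skipped on purpose: their mode bits are always 777.

# world_writable DOCROOT: paths any local user can modify (the 777 case).
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print | sort
}

# group_writable DOCROOT GROUP: paths GROUP can modify (the umask 002 and
# chmod g+w model). Every member of GROUP gets this access, including a
# web server user that has been added to it.
group_writable() {
    find "$1" \( -type d -o -type f \) -group "$2" -perm -0020 -print | sort
}

# owned_by DOCROOT USER: paths owned by USER, e.g. files created by PHP or
# directories handed over with chown apache:apache.
owned_by() {
    find "$1" \( -type d -o -type f \) -user "$2" -print | sort
}

# setgid_dirs DOCROOT: directories where new files inherit the group (g+s).
setgid_dirs() {
    find "$1" -type d -perm -2000 -print | sort
}

# audit_docroot DOCROOT [WEB_USER] [GROUP]: print all four reports.
audit_docroot() {
    audit_user=${2:-apache}
    audit_group=${3:-psacln}
    echo "== world-writable (777-style) =="
    world_writable "$1"
    echo "== writable by group $audit_group =="
    group_writable "$1" "$audit_group"
    echo "== owned by $audit_user =="
    owned_by "$1" "$audit_user"
    echo "== setgid directories =="
    setgid_dirs "$1"
}

# Example: sh audit.sh /home/httpd/vhosts/[domain.com]/httpdocs
if [ $# -ge 1 ]; then
    audit_docroot "$@"
fi
```

A short "world-writable" list with an empty "writable by group" list corresponds to the per-directory approach; a "writable by group" list covering the whole tree corresponds to the psacln recipe quoted in the first post.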