Joomla permissions in CentOS/ISPConfig 3 setup

Discussion in 'Tips/Tricks/Mods' started by willko, Aug 19, 2010.

  1. willko

    willko New Member

    Hi all,

    I followed the CentOS x64 5.5 perfect server guide but also added the gnome desktop and a few utils. The server works really well and I am thoroughly impressed with CentOS & ISPConfig.

    I have installed Joomla on a site and ran into the permissions obstacle when trying to install/upload any modules/templates etc... (# JFTP::store: Bad response # Warning! Failed to move file.)

    As ISPConfig 3 handles the creation/setup of websites via link files/folders & uses "clients" to specify individual site security, the setting of permissions hinges on assigning ownership & group rights to the correct objects.

    For example "root" should be the owner and "client1" should be the group on my server. The default Joomla install does not assign group permissions correctly. To fix this, here is what I did:

    N.B. - AFAIK, this process is unique to EACH CLIENT (not website) that ISPConfig creates - a change in client means different group membership...

    OWNERSHIP:
    Code:
    chown -hR -v -f root:[clientX] [joomla install directory]/*
    (e.g. chown -hR -v -f root:client1 web/*)
    (you can check the messages log after a failed joomla upload/install to see the owner & group that needs permissions)

    PERMISSIONS: ( "find ." starts the find from current directory so navigate appropriately)
    Code:
    find . -type f -exec chmod 644 {} \;   # "f" for files
    find . -type d -exec chmod 775 {} \;   # "d" for directories
    I did try 755 as suggested by an older post, but without write permissions the group to which the "client" belongs is unable to access the necessary files. 775 works fine and I don't think it exposes anything dangerous.

    Anyway that sorted permissions/requirements for files/folders. Everything works very well and I am extremely thankful for this forum and the many helpful people who contribute.
     
    Last edited: Aug 19, 2010
  2. maberglund

    maberglund New Member

    Minimize security risk?

    I used apache instead of root, and everything seems to work.
    Does that seem reasonable in an effort to minimize possible escalations?

    Just a thought.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    You seem to have used wrong settings for your site, as there are no changes of the website owners etc. necessary, neither to get Joomla working nor for security. The correct settings for a Joomla site are:

    1) Select security level "High" in ISPConfig under System > Server Config on the web tab.
    2) In the website settings, enable the suexec checkbox and select "php-fcgi" as php method.

    This ensures that all scripts are run in a security wrapper under the website user.

    Do not use mod_php. Also, using user "apache" is a security risk as this allows attacks from other sites on the same server.
     
  4. willko

    willko New Member

    I've also found this set of commands useful for existing Joomla sites (migration etc...)

    N.B. Run this from a terminal in the directory CONTAINING the "/web" directory - e.g. "/var/www/clients/client1/web18"
    Also make sure the CLIENT is correct before pasting this script!!!


    Code:
    chown -hR -v -f root:client0 web/*
    cd web
    find . -type f -exec chmod 644 {} \;
    find . -type d -exec chmod 775 {} \;
    find . -type f -name "configuration.php" -exec chmod 664 {} \;
    find . -type f -name "*.ini" -exec chmod 664 {} \;
    find . -type f -name "*.css" -exec chmod 664 {} \;
    find . -type f -name ".htaccess" -exec chmod 755 {} \;
    Hope that helps
     
    Last edited: Nov 17, 2010
  5. emmaluc

    emmaluc New Member

    Hello,
    I don't understand how it works... I have installed a new website (a Joomla CMS).
    I have created a new user on my ISPConfig.
    I use FileZilla with my root account to upload my files to my new website.
    After the installation, I don't have the correct rights to change my files in the Joomla configuration.
    Can you explain to me the steps to do that?
    I open my terminal & connect as SSH user to my website. That step is ok :)
    But after that I don't know how to do it...
    If someone can help a beginner :)
     
  6. tek

    tek New Member

    Quite likely you have already resolved your issue, but I'll answer it for anyone else who runs into this.
    I'll use 2 example sites, each with different client owners. Assuming you know how to connect via SSH and you understand a few Linux commands, you can easily resolve your permissions issue. I'll also bring up some very useful Joomla components that you might find helpful. (Been running Joomla since it was Mambo Server back in 2001.)

    This is also more specific to Ubuntu and other Debian derivatives. Your paths may be different if you're running some other Linux distro.

    So once you connect via SSH as a regular user, you will need to become root to change file and directory permissions. Most modern distros use sudo to accomplish this. You should never log in as root directly nor allow SSH root logins.

    So connect to your server first. Let's assume your box's hostname or FQDN is myserver.com and your user account is an actual Linux user account called username. The dollar sign indicates you're a regular user versus being root on the box, so the command is
    ssh your_username@hostname
    $ssh username@myserver.com
    Once you type your password and hit enter you should see a prompt that looks like this.
    $username@myserver

    Now become root, using sudo -s. If no other command is specified, an interactive shell is executed.
    $sudo -s

    Now type your password again, and if your username is listed in the /etc/sudoers file and you type your password correctly, your prompt will change from a $ sign to a # sign. This indicates you're now running as root.

    This is way more dangerous than running with scissors so once you are done with your administration steps always exit back out by typing exit and hitting enter.

    Once you have become root, you need to go to where you have Joomla installed. For this example, let's say you have a website that is myfirstsite.com, that it is under client 1 and it's the first website added to your ISPConfig system, and that your second site is listed under client2, it's the second website added to your system, and its URL is someothersite.com

    First change to the folder for your myfirstsite.com website, which should be something like /var/www/clients/client1/web1
    Do that by running this:
    #cd /var/www/clients/client1/web1
    Once you're there, run ls -alh to see what your permissions are currently. You're specifically looking at the folder called web; that is your document root, which sits inside the /var/www/clients/client1/web1 folder... You should see something like this..

    #drwx--x--- 20 web1 client1 4.0K Feb 3 18:16 web

    This is telling you that the web folder is owned by web1 and is in the usergroup client1 and its permissions are 710
    Now run

    #ls -alh web

    to see what permissions are for everything inside of your web folder
    # ls -alh web
    total 160K
    drwx--x--x 22 web1 client1 4.0K Jul 4 14:51 .
    drwxr-xr-x 9 root root 4.0K Nov 14 2014 ..
    drwxr-xr-x 10 web1 client1 4.0K May 7 2014 administrator
    drwxr-xr-x 2 web1 client1 4.0K May 6 2014 bin
    drwxr-xr-x 15 web1 client1 12K Jul 17 08:36 cache
    drwxr-xr-x 2 web1 client1 4.0K May 6 2014 cli
    drwxr-xr-x 33 web1 client1 4.0K Jul 7 19:40 components
    -r--r--r-- 1 web1 client1 3.4K Jul 17 07:35 configuration.php
    drwxr-xr-x 3 web1 client1 4.0K May 6 2014 docs
    drwxr-xr-x 11 web1 client1 4.0K May 6 2014 dosetup
    drwxr-xr-x 2 web1 client1 4.0K Nov 14 2014 error
    -rwxr-xr-- 1 web1 client1 7.2K Nov 14 2014 favicon.ico
    -rw-r--r-- 1 root root 3.1K Apr 30 2014 .htaccess
    -rw-r--r-- 1 web1 client1 2.9K Jul 2 16:34 htaccess.txt
    drwxr-xr-x 15 web1 client1 4.0K Jun 28 09:14 images
    drwxr-xr-x 2 web1 client1 4.0K May 6 2014 includes
    -rw-r--r-- 1 web1 client1 1.2K Jul 2 16:34 index.php
    drwxr-xr-x 4 web1 client1 4.0K May 6 2014 language
    drwxr-xr-x 5 web1 client1 4.0K Mar 18 21:19 layouts
    drwxr-xr-x 12 web1 client1 4.0K Jul 4 14:50 libraries
    -rw-r--r-- 1 web1 client1 18K Jul 2 16:34 LICENSE.txt
    drwxr-xr-x 2 web1 client1 4.0K May 6 2014 logs
    drwxr-xr-x 32 web1 client1 4.0K Jun 24 07:36 media
    drwxr-xr-x 52 web1 client1 4.0K Jun 28 09:14 modules
    drwxr-xr-x 24 web1 client1 4.0K Jun 26 09:19 plugins
    -rw-r--r-- 1 web1 client1 4.2K Jul 2 16:34 README.txt
    -rw-r--r-- 1 web1 client1 865 May 6 2014 robots.txt
    -rw-r--r-- 1 web1 client1 842 Jul 2 16:34 robots.txt.dist
    drwxr-xr-x 2 web1 client1 4.0K Jun 28 03:50 stats
    drwxr-xr-x 6 web1 client1 4.0K May 6 2014 templates
    drwxr-xr-x 2 web1 client1 4.0K Jul 17 07:35 tmp
    -rw-r--r-- 1 web1 client1 1.7K Jul 2 16:34 web.config.txt

    These permissions are correct; however, you might notice that the .htaccess file is owned by the user root and group root and its permissions are 644.
    Most likely, depending on how you're moving your files up to your website, your files will either end up being owned by root (if you're using ssh / scp to move them up) or they will be owned by your FTP user account name.

    So you need all files and folders to be owned by web1 and by the group client1. Easy way to do that is by running this command
    #chown -R web1:client1 /var/www/clients/client1/web1/web/*

    This will change every file and folder to be in the group client1 with web1 as the owner.
    Now do the same thing with your second domain name, first cd to that folder.
    #cd /var/www/clients/client2/web2/web

    then run the command again for that folder
    #chown -R web2:client2 /var/www/clients/client2/web2/web/*

    Now you should be able to at least load up Joomla and install any needed components or your template. If you still can't, check the permissions on the folder called tmp in your document root. If they are not set right, you won't be able to write files to the tmp directory, which is where they end up getting installed from. Your permissions for your first site should be

    #drwxr-xr-x 2 web1 client1 4.0K Jul 17 07:35 tmp

    If they are not you may need to change them by running this
    #chmod 755 /var/www/clients/client1/web1/web/tmp

    Now rather than searching every file and folder in your Joomla installations and making changes across what might be hundreds of files and folders, let's work smarter... Not harder..
    Now install the Joomla component called Admin Tools by Akeeba, and while you're downloading it you really should also download akeebabackup. Both are free but require you to be registered on their site to download them. You can get both from www.akeebabackup.com

    Akeeba Backup makes backups of your complete site, all files and folders, images and the database, plus drops it into a nice single file with an installer that is similar to the Joomla installer, which makes it easy to move your site to a dev server or just use it to make regular backups... ok, it's a little more complicated than that, but installing it and making backups is point and click simple..

    Akeeba Admin Tools has a section specific to file permissions that should help resolve any other permission related issues you may be having. Don't forget to log back out of the root shell by typing exit and hitting enter.
    Hope this helps someone.
    Tnt
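
A read-only check of the points this thread turns on, added here as an example and not posted by any participant: a `chown -R ... web/*` glob does not reach top-level dotfiles such as the root-owned `.htaccess` in the listing above, and the 775/664/755 modes suggested earlier leave entries group-writable or executable. The function names are hypothetical; the script only reports and assumes a POSIX `find`.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Read-only: nothing here changes an
# owner or a mode. Function names are hypothetical.

# Top-level dotfiles (e.g. .htaccess) that "chown -R ... DOCROOT/*" never
# reaches, because the shell expands * without hidden names.
glob_missed() {                 # usage: glob_missed DOCROOT
    local f
    for f in "$1"/.[!.]*; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Every entry under DOCROOT, dotfiles included, whose owner or group is not
# the expected site user / client group (e.g. web1 / client1).
wrong_owner() {                 # usage: wrong_owner DOCROOT USER GROUP
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# Mode findings: group- or world-writable entries (what 775/664 produce),
# and regular files with an execute bit (what 755 on .htaccess produces).
loose_modes() {                 # usage: loose_modes DOCROOT
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/writable: /'
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
        sed 's/^/executable: /'
}

# Print all findings; return 1 if there were any, 0 for a clean tree.
audit_docroot() {               # usage: audit_docroot DOCROOT USER GROUP
    local out
    out=$(wrong_owner "$1" "$2" "$3" | sed 's/^/owner: /'; loose_modes "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Example call, using the paths from the post above:
#   audit_docroot /var/www/clients/client1/web1/web web1 client1
```

Run it as root after any ownership change; a clean site prints nothing and returns 0.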
     
  7. emmaluc

    emmaluc New Member

    Thx a lot for your precious help !!
    Now, when I want to install a new project on ISPConfig, I need to create an FTP access user and install my website with this account (not with the root account like I did). It works, no problems with permissions.
     
