Correct access rights for site, specially TYPO3

Discussion in 'General' started by muekno, Mar 6, 2014.

  1. muekno

    muekno Member HowtoForge Supporter

    I move an existing TYPO3 site to an ISPconfig3 server. (OS openSuSE 12.3)
    I copied the structure to the ../clientx/webx/web/ directory as root
    I changed owner of the structure to webx.clientx on teh original server owner was wwwrun:www

    Now TYPO3 cannot write i.e. localconf.php cache files are createfd with rights to wwwrun.www

    changing rights to www.wwwrun things seams to work fine, what about quotas and so on in that case.

    On the other site I had the TYPO3 files above the website directories, so I could access different TYPO3 versions for different websites via symlinks. So it was easy to change websites from one TYPO3 version to another and needing space for TYPO3 code only once. Looking for hints too

    Thanks for clearing
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Please check the website settings, you seem to use a wrong php mode or suexec is disabled. For cms systems like typo3, use the follwong settings:

    php mode: php-fcgi or php-fpm
    suexec: on

    ensure that all files and folders in ../clientx/webx/web/ are owned by the web user and client group.
  3. alpha_de

    alpha_de New Member

    I tried that with Debian. Several domains are using typo3, so typo3 is provided via symlink.

    Despite suexec, the setup only runs, if the typo3 working directories use the apache user.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    @alpha_de: Your setup is fine for intranet sites or servers that do not host more then one customer and do not run sites were security matters. For internet sites and servers that host ore then one customer, it is highly recommended to enable suexec, otherwise a hacker that gains access to one of your sites is able to take over all other sites as well as they share the same user. ISPConfig separates sites by running them under different users, you just disabled this security option.
  5. alpha_de

    alpha_de New Member

    Till, suexec is enabled for that domain. Nevertheless, I cannot log into the backend when I assign all directories to the site specific user and using the apache user for the directories, all temporary files are created using the apache user's credentials.
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    All typo3 files and directories have to be owned by the website user and group, you can not run a save enviroment with user separation when you use a shared typo3 root. Instead of sharing the root, better write a small shell script that dsitributes changes to the webistes under the correct user from a central typ3 directory or from a central git or svn repository. Most larger sites and also a lot of larger web agencis use the approach with a git/svn based checkout as its a safe way to have staging and live sites and also provide updates to many servers and sites in a safe way.

    As php mode, you will have to use php-fcgi or php-fpm and suexec must be enabled, then all php scripts will run as website user and website group. If thats not the case in your install, then check your .htaccess file, not that typo3 tried to reactivate mod_php by a .htaccess directive.

Share This Page