Joomla permissions in CentOS/ISPConfig 3 setup

Discussion in 'Tips/Tricks/Mods' started by willko, Aug 19, 2010.

  1. willko

    willko New Member

    Hi all,

    I followed the CentOS x64 5.5 perfect server guide but also added the gnome desktop and a few utils. The server works really well and I am thoroughly impressed with CentOS & ISPConfig.

    I have installed joomla on a site and ran into the permissions obstacle when trying to install/upload any modules/templates etc... (# JFTP::store: Bad response # Warning! Failed to move file.)

    As ISPConfig 3 handles the creation/setup of websites via link files/folders & uses "clients" to specify individual site security, the setting of permissions hinges on assigning ownership & group rights to the correct objects.

    For example "root" should be the owner and "client1" should be the group on my server. The default joomla install does not assign group permissions correctly. To fix this here is what I did:

    N.B. - AFAIK, This process is unique to EACH CLIENT (not website) that ISPConfig creates - a change in client means different group membership...

    chown -hR -v -f root:[clientX] [joomla install directory]/*
    (e.g. chown -hR -v -f root:client1 web/*)
    (you can check the messages log after a failed joomla upload/install to see the owner & group that needs permissions)

    PERMISSIONS: ( "find ." starts the find from current directory so navigate appropriately)
    find . -type f -exec chmod 644 {} \;   ("f" for files)
    find . -type d -exec chmod 775 {} \;  ("d" for directories)
    I did try 755 as suggested by an older post, but without write permissions the group to which the "client" belongs is unable to access the necessary files. 775 works fine and I don't think it exposes anything dangerous.

    Anyway that sorted permissions/requirements for files/folders. Everything works very well and I am extremely thankful for this forum and the many helpful people who contribute.
    Last edited: Aug 19, 2010
  2. maberglund

    maberglund New Member

    Minimize security risk?

    I used apache instead of root, and everything seems to work.
    Does that seem reasonable in an effort to minimize possible escalations?

    Just a thought.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    You seem to ahve used wrong settings for your site as there are no changes of the website owners etc. nescessary, neither to get joomla working nor for security. The correct settings for a joomla site are:

    1) Select security level "High" in ISPConfig under System > server Config on the web tab.
    2) In the website settings, enable the suexec checkbox and select "php-fcgi" as php method.

    This ensures that all scripts are run in a security wrapper under the website user.

    Do not use mod_php. Also useing user "apache" is a security risk as this allows attacks from other sites on the same server.
  4. willko

    willko New Member

    I've also found this set of commands useful for existing Joomla sites (migration etc...) this from terminal of the directory CONTAINING the "/web" directory - e.g. "/var/www/clients/client1/web18"
    Also make sure the CLIENT is correct before pasting this script!!!

    chown -hR -v -f root:client0 web/*
    cd web
    find . -type f -exec chmod 644 {} \;
    find . -type d -exec chmod 775 {} \;
    find . -type f -name "configuration.php" -exec chmod 664 {} \;
    find . -type f -name "*.ini" -exec chmod 664 {} \;
    find . -type f -name "*.css" -exec chmod 664 {} \;
    find . -type f -name ".htaccess" -exec chmod 755 {} \;
    Hope that helps
    Last edited: Nov 17, 2010
  5. emmaluc

    emmaluc New Member

    I don't understand how it works...i have installed a new website (a joomla CMS)
    I have created a new user on my ispconfig.
    I use filezilla with my root account, to upload my files on my new website.
    After the installation, I don't have the correct rights to change my files on the joomal configuration.
    Can you explain me the steps to do that ?
    I open my terminal & connect me as SSH user on my website. That's step is ok :)
    But after i don't know how to do it...
    If someone can help a beginner :)
  6. tek

    tek New Member

    Quite likely you have already resolved your issue but I'll answer it for anyone else who runs into this.
    Ill use 2 example sites each with different client owners. Assuming your know how to connect via SSH and you understand a few linux commands you can easily resolve your permissions issue. Ill also bring up some very useful Joomla Components that you might find helpful. (been running Joomla since it was Mambo Server back in 2001)

    This is also more specific to Ubuntu and other Debian derivatives. Your paths may be different if your running some other linux distro.

    So once you connect via SSH as a regular user you will need to become root to change file and directory permissions. Most modern distro's use sudo to accomplish this. You should never log in as root directly nor allow SSH root logins.

    So connect to your server first, lets assume your box's hostname or FQDN is and your user account is an actual Linux User Account called username. The dollarsign indicates your a regular user versus being root on the box so the command is
    ssh your_username@hostname
    $ssh [email protected]
    Once you type your password and hit enter you should see a prompt that looks like this.

    Now become root, using sudo -s. If no other command is specified, an interactive shell is executed.
    $sudo -s

    Now type your password again and if your username is listed in the /etc/sudoers file and you type your password correctly your prompt will change from a $ sign to a # sign. This indicates your now running as root.

    This is way more dangerous than running with scissors so once you are done with your administration steps always exit back out by typing exit and hitting enter.

    Once you have become root though now you need to go to where you have joomla installed. For this example lets say you have a website that is and that is under client 1 and its your first website added to your ISPconfig system and your second site is listed under client2 and its the second website added to your system and its URL is

    First change to folder for your website which should be something like /var/www/clients/client1/web1
    Do that by running this:
    #cd /var/www/clients/client1/web1
    once your there run ls -alh to see what your permission are currently and your specifically looking at the folder called web, that is your document root that sits inside of the /var/www/clients/client1/web1 folder... You should see something like this..

    #drwx--x--- 20 web1 client1 4.0K Feb 3 18:16 web

    This is telling you that the web folder is owned by web1 and is in the usergroup client1 and its permissions are 710
    Now run

    #ls -alh web

    to see what permissions are for everything inside of your web folder
    # ls -alh web
    total 160K
    drwx--x--x 22 web1 client1 4.0K Jul 4 14:51 .
    drwxr-xr-x 9 root root 4.0K Nov 14 2014 ..
    drwxr-xr-x 10 web1 client1 4.0K May 7 2014 administrator
    drwxr-xr-x 2 web1 client1 4.0K May 6 2014 bin
    drwxr-xr-x 15 web1 client1 12K Jul 17 08:36 cache
    drwxr-xr-x 2 web1 client1 4.0K May 6 2014 cli
    drwxr-xr-x 33 web1 client1 4.0K Jul 7 19:40 components
    -r--r--r-- 1 web1 client1 3.4K Jul 17 07:35 configuration.php
    drwxr-xr-x 3 web1 client1 4.0K May 6 2014 docs
    drwxr-xr-x 11 web1 client1 4.0K May 6 2014 dosetup
    drwxr-xr-x 2 web1 client1 4.0K Nov 14 2014 error
    -rwxr-xr-- 1 web1 client1 7.2K Nov 14 2014 favicon.ico
    -rw-r--r-- 1 root root 3.1K Apr 30 2014 .htaccess
    -rw-r--r-- 1 web1 client1 2.9K Jul 2 16:34 htaccess.txt
    drwxr-xr-x 15 web1 client1 4.0K Jun 28 09:14 images
    drwxr-xr-x 2 web1 client1 4.0K May 6 2014 includes
    -rw-r--r-- 1 web1 client1 1.2K Jul 2 16:34 index.php
    drwxr-xr-x 4 web1 client1 4.0K May 6 2014 language
    drwxr-xr-x 5 web1 client1 4.0K Mar 18 21:19 layouts
    drwxr-xr-x 12 web1 client1 4.0K Jul 4 14:50 libraries
    -rw-r--r-- 1 web1 client1 18K Jul 2 16:34 LICENSE.txt
    drwxr-xr-x 2 web1 client1 4.0K May 6 2014 logs
    drwxr-xr-x 32 web1 client1 4.0K Jun 24 07:36 media
    drwxr-xr-x 52 web1 client1 4.0K Jun 28 09:14 modules
    drwxr-xr-x 24 web1 client1 4.0K Jun 26 09:19 plugins
    -rw-r--r-- 1 web1 client1 4.2K Jul 2 16:34 README.txt
    -rw-r--r-- 1 web1 client1 865 May 6 2014 robots.txt
    -rw-r--r-- 1 web1 client1 842 Jul 2 16:34 robots.txt.dist
    drwxr-xr-x 2 web1 client1 4.0K Jun 28 03:50 stats
    drwxr-xr-x 6 web1 client1 4.0K May 6 2014 templates
    drwxr-xr-x 2 web1 client1 4.0K Jul 17 07:35 tmp
    -rw-r--r-- 1 web1 client1 1.7K Jul 2 16:34 web.config.txt

    These permissions are correct, however you might notice that the .htaccess file is owned by the user root and group root and its permissions are 644.
    Most likely depending on how your moving your files up to your website your files will either end up being owned by root (if your using ssh / scp to move them up) or they will be owned by your ftp useraccount name.

    So you need all files and folders to be owned by web1 and by the group client1. Easy way to do that is by running this command
    #chown -R web1:client1 /var/www/clients/client1/web1/web/*

    This will change every file and folder to be in the group client1 with web1 as the owner.
    Now do the same thing with your second domain name, first cd to that folder.
    #cd /var/www/clients/client2/web2/web

    then run the command again for that folder
    #chown -R web2:client2 /var/www/clients/client2/web2/web/*

    Now you should be able to at least load up Joomla and install any needed components or your template. If you still can't check the permissions on the folder called tmp in your document root. If they are not set right you won't be able to write files to the tmp directory which is where they end up getting installed from. Your permissions for your first site should be

    #drwxr-xr-x 2 web1 client1 4.0K Jul 17 07:35 tmp

    If they are not you may need to change them by running this
    #chmod 755 /var/www/clients/client1/web1/web/tmp

    Now rather than searching every file and folder in your Joomla installations and making changes across what might be hundreds of files and folders lets work smarter... Not harder..
    Now install the Joomla Component called Admin Tools by Akeeba and while your downloading it you really should also download akeebabackup. Both are free but require you to be registered on their site to download them. You can get both from

    Akeeba Backup makes backups of your complete site, all files and folders, images and the database plus drops it into a nice single file with an installer that is similar to the Joomla installer which makes it easy to move your site to a dev server or just use it to make regular backups... ok, its a little more complicated than that but installing it and making backups is point and click simple..

    Akeeba Admin Tools has a section specific to file permissions that should help resolve any other permission related issues you may be having. Don't forget to log back out of the root shell by typing exit and hitting enter.
    Hope this helps someone.
  7. emmaluc

    emmaluc New Member

    Thx a lot for your precious help !!
    Now, when i want to install a new project on ispconfig, i need to create a FTP access user and install my website with this account (not with the root account like i did it). It works, no problems with permissions.

Share This Page