Joomla, suPHP and File Permissions

Our new server infrastructure runs suPHP, and some clients have had errors with their Joomla installations, as some users used to set all files to 777.

777 permissions are disabled.

What are phpSuExec and suPHP? They both do the same thing – provide an extra layer of security to PHP.
(su = switch user, allowing one user to “switch” to another if authorised)
phpSuExec is no longer developed.

We use suPHP. The main reason for using suPHP is added security, but it also makes Joomla and other scripts more user friendly in terms of file permissions (not needing to set or change them). It is an Apache module that lets PHP scripts run as the owner of the script, instead of as the web server user.

This offers many security and usability enhancements to the world of PHP web serving. Mainly, when users create and modify files in their directory with PHP scripts they don’t need to make those files world-writable.

This isolates malicious or runaway scripts and prevents unwanted or unauthorised scripts from running for a lengthy period of time.

The homepage for suPHP is:
http://www.suphp.org

777 Permissions

(the old, less secure way – don’t set files to 777 on our servers)

With non-suPHP configurations, PHP runs as an Apache module. It executes as the user/group of the web server, which is usually “nobody”, “httpd” or “apache”. Under this mode, files or directories that your PHP scripts need to write to require 777 permissions (read/write/execute at user/group/world level). This is not very secure: it allows the web server to write to the file, and it also allows anyone else to read or write to the file.

Under suPHP:

  • Any scripts that require 777 should use 755 instead.
  • Generally, set folders to 755.
  • Generally, set files to 644.

Files or directories that PHP scripts write to no longer require 777 permissions. In fact, 777 permissions are no longer allowed. Having 777 permissions on your scripts or the directories they reside in will cause a “500 internal server error” when attempting to execute them. This is done to protect you from someone abusing your scripts. Your scripts and directories can now have a maximum of 755 permissions (read/write/execute by you, read/execute by everyone else).

Joomla Changes File Permissions When Saving (e.g. configuration.php and params.ini)

Joomla changes file permissions after saving some files to make sure they are left in a secure state: configuration.php (set to 444) and the template params.ini (set to 555).

The message sometimes displayed about files not being writable is to let you know the file has secure permissions. It is not a call to action to change file permissions. Normally you will not need to do anything.

If for some reason the message says the file is writable, it should change to unwritable after saving.

The best way to check if settings are indeed being edited is to save and then re-open to confirm the new settings have been written.

Joomla Under suPHP: File Permissions Troubleshooting

  1. Check that the PHP script you are attempting to execute has permissions of no more than 755. 644 will normally work just fine, and in most cases this will not need to be changed.
  2. Check that the directory the script resides in has permissions of at most 755. This also applies to directories that the script needs to access.
  3. Check that you do not have a .htaccess file with php_values in it. They will cause a 500 Internal Server Error when attempting to execute the script. The php_values need to be removed from your .htaccess file and a php.ini put in their place, containing the PHP directives as explained above.
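
The three checks above can be run in one pass over a site directory. The script below is an added example, not part of the original article: the function names `audit_suphp` and `make_sample_site` and the sample tree are constructed for illustration, and matching `php_flag` alongside `php_value` is an assumption beyond the article's text.

```shell
#!/bin/sh
# Added example: audit a site directory against the three checks above.
# Prints one finding per line and returns 1 if anything was found.
audit_suphp() {
    root=$1
    findings=$(
        # Check 1: PHP scripts writable by group or world (more than 755).
        find "$root" -type f -name '*.php' \( -perm -020 -o -perm -002 \) \
            -exec printf 'SCRIPT_OVER_755 %s\n' {} \;
        # Check 2: directories writable by group or world (more than 755).
        find "$root" -type d \( -perm -020 -o -perm -002 \) \
            -exec printf 'DIR_OVER_755 %s\n' {} \;
        # Check 3: mod_php directives in .htaccess (php_flag is matched as
        # well as php_value; that is an assumption beyond the article's text).
        find "$root" -type f -name '.htaccess' \
            -exec grep -EHn '^[[:space:]]*php_(value|flag)[[:space:]]' {} + |
            sed 's/^/HTACCESS_PHP_DIRECTIVE /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (hypothetical paths) so the audit can be run offline.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/good" "$site/cache"
    printf '<?php echo 1;\n' > "$site/good/index.php"
    printf '<?php echo 2;\n' > "$site/cache/upload.php"
    printf 'php_value memory_limit 64M\n' > "$site/.htaccess"
    chmod 755 "$site" "$site/good"
    chmod 644 "$site/good/index.php" "$site/.htaccess"
    chmod 777 "$site/cache" "$site/cache/upload.php"
    printf '%s\n' "$site"
}

site=$(make_sample_site)
audit_suphp "$site" || true
rm -rf "$site"
```

To audit a real account, call `audit_suphp` with the path to the site's document root. A clean tree prints nothing and returns 0.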