Hi,

On Tue, Sep 6, 2016 at 6:42 PM, Rick Stevens <ricks@xxxxxxxxxxxxxx> wrote:
> On 09/06/2016 01:25 PM, Mike Wright wrote:
>> On 09/06/2016 01:11 PM, Alex wrote:
>>> Hi,
>>>
>>> I've set up a virtual host for a joomla website and am having some
>>> permissions problems. I've seen numerous configurations online about
>>> how to set umask for the apache user, but none have worked, including
>>> creating a systemd file
>>> (/etc/systemd/system/multi-user.target.wants/httpd.service) with the
>>> following:
>>
>>> Umask=0006 <<<<<<<< ?
>>
>> That comes out to 771 : rwxrwx--x. Maybe 0002 ?
>
> Apache normally runs as apache:apache. Joomla is just a PHP application
> running under Apache, so if you're using mod_php, Apache is what will
> actually be doing the reading and writing of the files and the
> apache:apache user should have rwx access to the entire tree.
>
> If you're running PHP-FPM, then the user that PHP is running as should
> own the tree and have rwx access to it, while Apache should have
> at least r-x access to the tree. You could do that by putting the PHP
> user in the apache group, giving ownership of the tree to the PHP user
> and giving group r-x privileges:
>
> useradd -d /path/to/website -g apache phpuser
> cd /path/to/website
> chown -R phpuser:apache *
> chmod -R 750 *
>
> or something like that. Also watch out for selinux denials. "Here be
> dragons!"

Some time ago, I had posted a message to this list regarding apache
permissions in a DocumentRoot with joomla. The problem I was having was
with the user doing local modifications (joomadmin) not being able to
modify files uploaded or changed by the joomla apache user (apache).

Numerous suggestions were made, including changing all the files to be
sgid write, adding the users to a common group, and other, more
complicated recommendations. I'm really surprised at the state of
security by many of these suggestions.

In an ideal world, the apache user should have no write ability, except
perhaps to some temp directory. Instead, people are recommending
providing long-standing write permissions to the entire DocumentRoot
where the apache user can read and write virtually every file,
potentially taking down the entire website if there's ever an apache
vulnerability.

Even with that aside, the sgid option didn't work for me because the
umask is still 0022, which creates new directories without write
permission for the group. I've searched and searched, and there does not
appear to be a working solution to changing the umask for the apache
user in fedora24.

Other suggestions involve basically an suid script (suPHP), but it seems
complicated and security-prone. Another called PHP-FPM looks very
involved and also isn't included with the default apache install due to
security implications. The suPHP option seems quite old, with no updates
since 2013 that I can find.

I'm open to the PHP-FPM option, but I wanted to first ask the list how
they're handling the situation?

Are you making the remote user (sFTP, etc) the same as apache?

Are you using PHP-FPM? If so, is there a Fedora guide you recommend?

Are you changing the umask to be able to put the two users in the same
group? If so, how? I tried editing the unit service but that didn't have
any effect.

Any ideas greatly appreciated.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
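As an added example (not from the thread), the following shell script reproduces what Alex observed in a throwaway temp directory: a setgid directory passes its group on to new files and subdirectories, but the writer's umask still strips group write, so anything created under umask 0022 cannot be modified by the other group member. It also emits the systemd drop-in that changes httpd's umask; note that the directive is spelled `UMask=` (systemd directive names are case-sensitive) and that a drop-in created with `systemctl edit` lives under `/etc/systemd/system/httpd.service.d/` rather than in the unit symlink. Assumed: GNU `stat -c %a`; a umask of 0002 only narrows what the web user's own writes permit and is not a substitute for keeping most of the DocumentRoot read-only to it.

```shell
#!/bin/sh
# Constructed demo: setgid group inheritance vs. umask.
#
# mode_under_umask UMASK
#   Creates a setgid, group-writable "docroot", then, under the given
#   umask, creates one file and one subdirectory in it (what a CMS
#   upload or cache writer would do). Prints "<file mode> <dir mode>"
#   in octal, e.g. "644 2755".
mode_under_umask() {
    top="$(mktemp -d)" || return 1
    shared="$top/docroot"
    mkdir "$shared"
    chmod 2775 "$shared"            # rwxrwsr-x: new entries inherit the group
    (
        umask "$1"
        : > "$shared/upload.txt"    # a file the web user writes
        mkdir "$shared/cache"       # a directory the web user creates
    )
    f="$(stat -c %a "$shared/upload.txt")"
    d="$(stat -c %a "$shared/cache")"
    rm -rf "$top"
    printf '%s %s\n' "$f" "$d"
}

# group_writable MODE
#   True if an octal mode string (e.g. 664 or 2775) has the group write bit.
group_writable() {
    g="${1%?}"             # drop the "other" digit
    g="${g#"${g%?}"}"      # keep only the last remaining digit: group
    case "$g" in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# httpd_umask_dropin
#   Prints a drop-in for `systemctl edit httpd.service`. The directive is
#   UMask= (case matters); 0002 keeps group write but denies it to "other".
httpd_umask_dropin() {
    cat <<'EOF'
[Service]
UMask=0002
EOF
}

# Stand-alone demo: same setgid directory, two different umasks.
for um in 0022 0002; do
    printf 'umask %s -> %s\n' "$um" "$(mode_under_umask "$um")"
done
```

The second field shows the setgid bit (2xxx) being inherited by the new subdirectory while its group-write bit is still decided by the umask alone.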