Joomla Web Hosting Canada

Joomla 1.5, suPHP and File Permissions

What is phpSuExec and suPHP?

They both do the same thing - provide an extra layer of security to PHP.

(su = switch user, allowing one user to "switch" to another if authorised)

PHPSuExec is no longer developed. We use suPHP.

The main reason for using suPHP is added security, but it also makes Joomla more user friendly in terms of file permissions (not needing to set or change them).

It is an Apache module that lets PHP scripts run as the owner of the script, instead of the web server.

This offers many security and usability enhancements to the world of PHP web serving. Mainly, when users create and modify files in their directory with PHP scripts they don't need to make those files world-writable.

This isolates malicious or runaway scripts, avoiding unwanted or un-authorised scripts from running for a lengthy period of time.

The homepage for suPHP is :
http://www.suphp.org

777 Permissions - ( the old less secure way - don't set files to 777 on our servers)

With non- suPHP configurations, PHP runs as an Apache Module. It executes as the user/group of the webserver which is usually "nobody", "httpd" or "apache". Under this mode, files or directories that you require your php scripts to be able to write to need 777 permissions (read/write/execute at user/group/world level). This is not very secure because it allows the webserver to write to the file, it also allows anyone else to read or write to the file.

Under suPHP:

• Any scripts that require 777 should use 755 instead.
• Generally, set folders to 755.
• Generally, set files to 644.

Files or directories that php scripts will write to no longer require 777 permissions. In fact, 777 permissions are no longer allowed. Having 777 permissions on your scripts or the directories they reside in will cause a "500 internal server error" when attempting to execute them, this is done to protect you from someone abusing your scripts. Your scripts and directories can now, only have a maximum of 755 permissions (read/write/execute by you, read/execute by everyone else).

Joomla Changes File Permissions When Saving ( eg. configuration.php and params.ini )

Joomla changes file permissions after saving some files to make sure they are left in a secure state. configuration.php (sets to 444)
and template params.ini (sets to 555)

The message sometimes displayed about files not being writable is to let you know the file has secure permissions. It is not a call to action to change file permissions. Normally you will not need to do anything.






If for some reason the message says the file is writable, it should change to unwritable after saving.
The best way to check if settings are indeed being edited is to save and then re-open to confirm the new settings have been written.

.htaccess directives now go in php.ini

Under the old Apache Module mode it was possible to manipulate the PHP settings from within a ".htaccess" file placed in the script's top-level directory, this was also recursively applied to all other directories below it.

For example this would turn on the php setting "magic_quotes_gpc" with this line in .htaccess:

php_value magic_quotes_gpc on

When PHP is running with suPHP, manipulating the PHP settings is still possible however you can no longer make use of a ".htaccess" file. Using .htaccess with the required PHP prefix of "php_value" will cause a "500 internal server error" when accessing the scripts. Php is no longer running as an Apache module, thus Apache is unable to handle .htaccess directives any longer.

If your host has, or is, implementing suPHP, all "php_value" directives should be removed from .htaccess files to avoid the 500 internal server error. Instead, you will now be creating and using your own "Local php.ini" file to manipulate the desired php settings.

What is a php.ini file?
The php.ini file is a configuration file that the server looks at to see what PHP options have been made available to the server or what their setting are, if different from the server's default php.ini. While the name may seem advanced to those unfamiliar with it, it is in essence a simple text file with the name php.ini

How to create a php.ini file
To create a php.ini file, just open up a text editor, add in the lines you need and save the file. You can name the file whatever you wish when saving, to ensure the correct FTP transfer mode is used, you might wish to name it "php.ini.txt". Once you have configured all your settings, upload the file to the directory where your script is located and then rename it back to php.ini

For example you can turn on the php setting "magic_quotes_gpc" with this line in php.ini:

magic_quotes_gpc = on

• php.ini files are not applied recursively to lower directories. If you need the same functionality across all lower directories, the php.ini file will need to be copied to each directory that will have .php scripts running from within them.
• There is also a php.ini file utility in cPanel called php.ini EzConfig which is recursive. This GUI creates a master php.ini file in the Home directory. It can be overridden with individual manually created php.ini files on a per directory basis.

Read more about EzConfig here

Click here for Description of core php.ini directives

Joomla Under suPHP: File permissions Trouble Shooting

1. Check that the php script that you are attempting to execute has permissions of no more than 755 - 644 will work just fine normally, this is not something that will need to be changed in most cases.
2. Check that the directory permissions that the script resides within is set to a maximum of 755. This also includes directories that the script would need to have access to.
3. Check that you do not have a .htaccess file with php_values within it. They will cause a 500 Internal server error, when attempting to execute the script. The php_values will need to be removed from your .htaccess file and a php.ini put in its place, containing the php directives as explained above.