On Tue, Sep 6, 2016 at 6:42 PM, Rick Stevens <ricks(a)alldigital.com> wrote:
On 09/06/2016 01:25 PM, Mike Wright wrote:
> On 09/06/2016 01:11 PM, Alex wrote:
>> I've set up a virtual host for a joomla website and having some
>> permissions problems. I've seen numerous configurations online about
>> how to set umask for the apache user, but none have worked, including
>> creating a systemd file
>> (/etc/systemd/system/multi-user.target.wants/httpd.service) with the
>> Umask=0006 <<<<<<<< ?
> That comes out to 771 : rwxrwx--x. Maybe 0002 ?
Apache normally runs as apache:apache. Joomla is just a PHP application
running under Apache, so if you're using mod_php, Apache is what will
actually be doing the reading and writing of the files and the
apache:apache user should have rwx access to the entire tree.
If you're running PHP-FPM, then the user that PHP is running as should
own the tree and have rwx access to it, while Apache should have
at least r-x access to the tree. You could do that by putting the PHP
user in the apache group, giving ownership of the tree to the PHP user
and giving group r-x privileges:
    useradd -d /path/to/website -g apache phpuser
    chown -R phpuser:apache *
    chmod -R 750 *
or something like that. Also watch out for selinux denials. "Here be
Some time ago, I had posted a message to this list regarding apache
permissions in a DocumentRoot with joomla. The problem I was having
was with the user doing local modifications (joomadmin) not being able
to modify files uploaded or changed by the joomla apache user
Numerous suggestions were made, including changing all the files to be
sgid write, adding the users to a common group, and other, more
I'm really surprised at the state of security by many of these
suggestions. In an ideal world, the apache user should have no write
ability, except perhaps to some temp directory. Instead, people are
recommending providing long-standing write permissions to the entire
DocumentRoot where the apache user can read and write virtually every
file, potentially taking down the entire website if there's ever an
Even with that aside, the sgid option didn't work for me because the
umask is still 0022, which creates new directories without write
permission for the group. I've searched and searched, and there does
not appear to be a working solution to changing the umask for the
apache user in fedora24.
Other suggestions involve basically an suid script (suPHP), but it
seems complicated and security-prone. Another called PHP-FPM looks
very involved and also isn't included with the default apache install
due to security implications.
The suPHP option seems quite old, with no updates since 2013 that I
can find. I'm open to the PHP-FPM option, but I wanted to first ask
the list how they're handling the situation?
Are you making the remote user (sFTP, etc) the same as apache? Are you
using PHP-FPM? If so, is there a Fedora guide you recommend? Are you
changing the umask to be able to put the two users in the same group?
If so, how? I tried editing the unit service but that didn't have any
Any ideas greatly appreciated.
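
Added example, not part of the original thread: a shell check of what the umask values discussed above (0022, 0002, 0006) actually produce for a new directory and a new file inside a setgid 2775 parent, which is the "sgid plus common group" layout mentioned in the message. The function names and temporary paths are constructed for illustration, and GNU stat (as shipped on Fedora) is assumed.

```shell
#!/bin/sh
# Added example. Paths are throwaway temp directories; assumes GNU stat.

# new_mode UMASK KIND: create a "dir" or "file" inside a setgid 2775 parent
# under the given umask and print its octal mode as reported by stat.
new_mode() {
    (
        root=$(mktemp -d) || exit 1
        chmod 2775 "$root"            # shared-group parent with the setgid bit
        umask "$1"
        if [ "$2" = dir ]; then mkdir "$root/new"; else : > "$root/new"; fi
        mode=$(stat -c '%a' "$root/new")
        rm -rf "$root"
        printf '%s\n' "$mode"
    )
}

# group_can_write MODE: succeed if the group-write bit (020) is set.
group_can_write() { [ $(( 0$1 & 020 )) -ne 0 ]; }

# other_has_access MODE: succeed if any permission bit for "other" is set.
other_has_access() { [ $(( 0$1 & 007 )) -ne 0 ]; }

# Print one line per umask/kind combination.
report() {
    for mask in 0022 0002 0006; do
        for kind in dir file; do
            m=$(new_mode "$mask" "$kind")
            if group_can_write "$m"; then gw=yes; else gw=no; fi
            if other_has_access "$m"; then oa=yes; else oa=no; fi
            printf 'umask=%s %-4s mode=%-4s group-write=%s other-access=%s\n' \
                "$mask" "$kind" "$m" "$gw" "$oa"
        done
    done
}

report
```

For a systemd-managed httpd, the unit setting that controls this is `UMask=` in the `[Service]` section; the directive name is case-sensitive.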