File and folder permissions

This is a key security issue, but unfortunately many Joomla site owners need guidance on it.

First, let's see what you should know:

Joomla is a typical LAMP (Linux/Apache/MySQL/PHP) application, even though it runs on many other platforms too. Its entire access-rights "philosophy" relies on the settings of the native environment.

There are 3 typical user levels in this environment: the Owner, which is the user who created the file; the Group, the user group the owner belongs to; and World, aka the rest of the world. There are also 3 typical access modes: Read, Write and Execute.

The combination of these is the so-called access matrix, and the resulting rights are usually represented by a 3-digit scheme, ranging from 000, meaning nobody can do anything with a given file/folder, to 777, which means that the file/folder can be used by anyone in any of the possible modes. Alternatively, the access rights are represented with rwx triplets (symbolizing the Read/Write/eXecute rights), preceded by an extra symbol, so the alternative representation of the two cases above is:

000    ----------

respectively

777    -rwxrwxrwx

Before we go deeper in detail, an important fact to know:

The site is displayed for your visitors by the Apache engine, which has its own specific user with its own user rights. In most cases this user is named "nobody".

You, as the client, have your own identity on the hosting environment; let's name this user "cpanel-user". For easier management of your assets, the cpanel-user and the nobody user are generally members of the same group, meaning they share some, but not all, of the rights on given files/folders. You must be aware of this when you want to tweak the rights on files: depending on the tools you use, the result can be dramatically different.

So basically you have 2 different approaches: dealing with your files/folders as the cpanel-user, or as the Apache user (yeah, as "nobody").

A. Tools used as "cpanel-user"

Obviously, these are the tools provided in the hosting package by your hoster, typically cPanel's file manager and your FTP account.

You can log in through FTP in many interesting ways. We recommend FileZilla as a great Open Source product, but you can use a plethora of alternatives, from Total Commander to CuteFTP; all of these are in fact just skins over the raw FTP protocol, one of the oldest networking tools around. Using them can be rewarding and can have security benefits if they are used properly, but at the same time they can ruin your efforts to secure your site if you don't know what you are doing.

B. The "nobody's" tool-set

These are generally installable Joomla tools, such as JoomlaeXplorer/NinjaeXplorer, together with the ability to set the default rights from the main site configuration.php, and other add-ons that are used through the HTTP protocol, for example some of the available WYSIWYG editors.

An important note: if you, as "cpanel-user", set the access rights for a given file to 644 or -rw-r--r--, the file will be readable by anyone and writable by you (aka the "cpanel-user"), but it will not be writable by anyone else, not even the "nobody" user. In contrast, if the same rights are set as the "nobody" user, for example from within JoomlaeXplorer, the file will be writable by anyone who manages to take over your site through the HTTP protocol... and that's exactly what the hackers are doing.

So if you want to lock down your site, do it as "cpanel-user"! Otherwise you just acquire a false sense of security, nothing more...
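The owner-versus-mode point above, as an added example that is not part of the original article: a Python script that applies the owner/group/world rule to decide whether the web server user can modify a file, and walks a site tree listing every entry it can. The uid/gid numbers standing in for "cpanel-user", "nobody" and their shared group are constructed for illustration.

```python
import os
import stat

# Constructed sample identities (assumptions, not from the article):
CPANEL_UID, NOBODY_UID, SHARED_GID = 1001, 99, 500

def rwx(octal_mode):
    """Render a 3-digit mode the way `ls -l` shows it for a regular file."""
    return stat.filemode(stat.S_IFREG | octal_mode)

def can_write(mode, file_uid, file_gid, uid, gids):
    """Unix consults exactly one class: owner, else group, else world."""
    if uid == file_uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def audit(root, web_uid, web_gids):
    """List (path, rwx string, owner uid) for entries the web user can modify."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            if can_write(st.st_mode, st.st_uid, st.st_gid, web_uid, web_gids):
                findings.append((path, stat.filemode(st.st_mode), st.st_uid))
    return findings

if __name__ == "__main__":
    # Same 644 mode, two different owners, checked from "nobody's" point of view.
    for owner, label in ((CPANEL_UID, "cpanel-user"), (NOBODY_UID, "nobody")):
        ok = can_write(0o644, owner, SHARED_GID, NOBODY_UID, {SHARED_GID})
        print(f"{rwx(0o644)} owned by {label}: writable by nobody = {ok}")
```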