In bug 204016 comment 2 I noted joomla installs all files owned by WWWOWN/WWWGRP. These default permissions are not favorable and should be hardened to a more sane default.
Additional Reference: https://docs.joomla.org/Security_Checklist/Joomla!_Setup
Larry Rosenman is the new maintainer of joomla3; I'll take the PR for now.
I agree completely with Jason that this is really not a good situation. In bug #215058 Larry shared an email from the Joomla team about this, copied here:
For extension installation and core updates to work, the web space does need to have appropriate write permissions. There are some files that can be locked to read only (such as configuration.php, which Joomla does when saving the global configuration) as they generally won't change once in place.
For Joomla to run, files don't need to be writable except for the cache and logs directories (the tmp directory is mainly used during install/update, though some extensions may use it as well), but if someone were to take extra steps to lock down their filesystem, they would need to make the files writable long enough to perform any updates then switch it back.
So. In addition to this being a security problem, this also violates a fundamental design principle of FreeBSD ports, namely that files installed by pkg shouldn't change. The email says it needs to write to files/dirs for two reasons:
1) Core updates --- do core updates happen separately from version bumps? If not, then only port updates should be updating those files.
2) Extensions --- can the extension location be set manually? If so, then perhaps it should default to somewhere else with looser permissions (though I'm not sure that this is much better).
core updates don't happen except by version bump. (to the best of my knowledge).
I'll look to see if there's a better way with extensions, but am NOT hopeful, at least whilst we run under apache.
I really wish they were more transparent about what the installer does.....
joomla3 has version 3.8.3. is this still relevant?
Yes it is.