Bug 204241 - www/joomla3: insecure default permissions
Summary: www/joomla3: insecure default permissions
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Some People
Assignee: Larry Rosenman
Keywords: needs-patch
Reported: 2015-11-03 03:49 UTC by Jason Unovitch
Modified: 2018-01-16 17:43 UTC
CC: 3 users
Description Jason Unovitch freebsd_committer 2015-11-03 03:49:34 UTC
In bug 204016 comment 2 I noted joomla installs all files owned by WWWOWN/WWWGRP.  These default permissions are not favorable and should be hardened to a more sane default.

Additional Reference:  https://docs.joomla.org/Security_Checklist/Joomla!_Setup
Comment 1 Adam Weinberger freebsd_committer 2016-12-21 22:14:21 UTC
Larry Rosenman is the new maintainer of joomla3; I'll take the PR for now.

I agree completely with Jason that this is really not a good situation. In bug #215058 Larry shared an email from the Joomla team about this, copied here:

"""
For extension installation and core updates to work, the web space does need to have appropriate write permissions. There are some files that can be locked to read only (such as configuration.php, which Joomla does when saving the global configuration) as they generally won't change once in place.

For Joomla to run, files don't need to be writable except for the cache and logs directories (the tmp directory is mainly used during install/update, though some extensions may use it as well), but if someone were to take extra steps to lock down their filesystem, they would need to make the files writable long enough to perform any updates then switch it back.
"""

So. In addition to this being a security problem, this also violates a fundamental design principle of FreeBSD ports, namely that files installed by pkg shouldn't change. The email says it needs to write to files/dirs for two reasons:

1) Core updates --- do core updates happen separately from version bumps? If not, then only port updates should be updating those files.

2) Extensions --- can the extension location be set manually? If so, then perhaps it should default to somewhere else with looser permissions (though I'm not sure that this is much better).
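The permission model the quoted email describes (everything read-only except the directories Joomla writes at run time, configuration.php locked once written), as an added example that is not code from this bug thread or from the www/joomla3 port. It is a POSIX sh audit/harden pair; the writable-directory list (cache, logs, tmp, administrator/cache), the function names and the sample tree are assumptions, and ownership (root:WWWGRP) is left to a separate chown.

```shell
#!/bin/sh
# Added example, not code from the bug thread or the www/joomla3 port: audit a
# Joomla document root for paths the web server could write outside the
# directories Joomla needs (cache, logs, tmp), then tighten the mode bits.
# Ownership (root:WWWGRP) is assumed to be set separately with chown.
set -eu
# Locations Joomla writes at run time (assumed list; extend per install).
WRITABLE_DIRS="cache logs tmp administrator/cache"
# List every path under ROOT, outside WRITABLE_DIRS, that is group- or
# other-writable. The prune list does not support paths with whitespace.
joomla_audit() {
    root=${1%/}
    prune=""
    for d in $WRITABLE_DIRS; do
        prune="$prune -path $root/$d -prune -o"
    done
    # $prune is deliberately left unquoted so it word-splits into find args
    find "$root" $prune \( -perm -g+w -o -perm -o+w \) -print
}
# Number of findings, for scripting and tests.
joomla_audit_count() {
    joomla_audit "$1" | wc -l | tr -d ' '
}
# Read-only everywhere (dirs 755, files 644), group-writable only where
# Joomla needs it, configuration.php locked to 444 as Joomla itself does.
joomla_harden() {
    root=${1%/}
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for d in $WRITABLE_DIRS; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -type d -exec chmod 775 {} +
            find "$root/$d" -type f -exec chmod 664 {} +
        fi
    done
    if [ -f "$root/configuration.php" ]; then chmod 444 "$root/configuration.php"; fi
}
# Constructed sample tree: a sloppy install with everything group-writable.
make_sample_tree() {
    root=$1
    mkdir -p "$root/administrator" "$root/cache" "$root/logs" "$root/tmp"
    for f in index.php configuration.php administrator/index.php logs/error.php; do
        : > "$root/$f"
    done
    find "$root" -type d -exec chmod 775 {} +
    find "$root" -type f -exec chmod 664 {} +
}
```

Run `joomla_audit /usr/local/www/joomla3` before and after `joomla_harden` on a real install; any path it still prints after hardening is one an extension or update has made writable again and should be reviewed.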
Comment 2 Larry Rosenman freebsd_committer 2016-12-21 22:54:30 UTC
Core updates don't happen except by version bump (to the best of my knowledge).

I'll look to see if there's a better way with extensions, but am NOT hopeful, at least whilst we run under apache.
Comment 3 Larry Rosenman freebsd_committer 2016-12-21 23:18:24 UTC
I really wish they were more transparent about what the installer does...

https://docs.joomla.org/Installing_an_extension
Comment 4 w.schwarzenfeld freebsd_triage 2018-01-16 09:02:04 UTC
joomla3 has version 3.8.3. Is this still relevant?
Comment 5 Larry Rosenman freebsd_committer 2018-01-16 17:43:00 UTC
Yes it is.