204241 – www/joomla3: insecure default permissions

Bug 204241 - www/joomla3: insecure default permissions

Summary: www/joomla3: insecure default permissions

Status:	Closed Overcome By Events

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	Larry Rosenman

URL:
Keywords:	needs-patch

Depends on:
Blocks:

Reported:	2015-11-03 03:49 UTC by Jason Unovitch
Modified:	2023-08-30 16:55 UTC (History)
CC List:	4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jason Unovitch freebsd_committer

2015-11-03 03:49:34 UTC

In bug 204016 comment 2 I noted joomla installs all files owned by WWWOWN/WWWGRP.  These default permissions are not favorable and should be hardened to a more sane default.

Additional Reference:  https://docs.joomla.org/Security_Checklist/Joomla!_Setup

Comment 1 Adam Weinberger freebsd_committer

2016-12-21 22:14:21 UTC

Larry Rosenman is the new maintainer of joomla3; I'll take the PR for now.

I agree completely with Jason that this is really not a good situation. In bug #215058 Larry shared an email from the Joomla team about this, copied here:

"""
For extension installation and core updates to work, the web space does need to have appropriate write permissions. There are some files that can be locked to read only (such as configuration.php, which Joomla does when saving the global configuration) as they generally won't change once in place.

For Joomla to run, files don't need to be writable except for the cache and logs directories (the tmp directory is mainly used during install/update, though some extensions may use it as well), but if someone were to take extra steps to lock down their filesystem, they would need to make the files writable long enough to perform any updates then switch it back.
"""

So. In addition to this being a security problem, this also violates a fundamental design principle of FreeBSD ports, namely that files installed by pkg shouldn't change. The email says it needs to write to files/dirs for two reasons:

1) Core updates --- do core updates happen separately from version bumps? If not, then only port updates should be updating those files.

2) Extensions --- can the extension location be set manually? If so, then perhaps it should default to somewhere else with looser permissions (though I'm not sure that this is much better).

Comment 2 Larry Rosenman freebsd_committer

2016-12-21 22:54:30 UTC

core updates don't happen except by version bump. (to the best of my knowledge).

I'll look to see if there's a better way with extensions, but am NOT hopeful, at least whilst we run under apache.

Comment 3 Larry Rosenman freebsd_committer

2016-12-21 23:18:24 UTC

I really wish they were more transparent about what the installer does.....

https://docs.joomla.org/Installing_an_extension

Comment 4 Walter Schwarzenfeld 2018-01-16 09:02:04 UTC

joomla3 has version 3.8.3. is this still relevant?

Comment 5 Larry Rosenman freebsd_committer

2018-01-16 17:43:00 UTC

Yes it is.

Comment 6 Muhammad Moinur Rahman freebsd_committer

2023-08-30 16:55:45 UTC

Joomla 3 has been removed from the tree.