Securing TYPO3 the nazi way
Filesystem permissions
How do UNIX filesystem permissions interact with TYPO3?
The answer is simple: TYPO3 runs as whatever user PHP runs as. With mod_php that is the Apache user set by the "User" directive in httpd.conf; Apache's traditional default is "nobody", and on Debian installations it is "www-data". (If PHP runs as CGI/FastCGI or under suexec it may be a different user; check which one before changing ownership.)
The main thing is that TYPO3 must be able to write to certain folders for the file administration to work. This means that after installing TYPO3 you should change the owner of the scripts and folders, typically with the "chown" command.
If you have access to the web server through FTP, you may be uploading scripts as yourself. Apache can still execute those as PHP scripts, but when they need to write to e.g. the upload folder and that folder is owned by "you", TYPO3 does not work. Therefore the folders TYPO3 needs write access to must be writable by the Apache user.
Folders that require write access are fileadmin/* and uploads/* for the frontend and typo3temp/ for both frontend and backend. Furthermore the extension directories typo3/ext/ and typo3conf/, with their subdirectories, must be writable by PHP as well.
Another issue arises if you mount user directories (see the localconf file). You may mount a directory to which you have FTP access, but files uploaded to it by FTP may then not be deletable by TYPO3. That is normally not a problem, since you can delete them again by FTP, but it is much worse if you do not give the Apache user read access to that directory: the directory structure will not be read and it does not show up on the file tab.
Experience suggests that if you run in two-user mode (one user for FTP, another for PHP script execution) you should do the following to make TYPO3 work seamlessly:
-
Make each user a member of the other user's group
-
Set "775" permissions on files and folders that should be writable by both
-
Set "[user1]:[user2]" owner/group on those files and folders (the FTP user as owner, the PHP user as group; chown also accepts the older "user1.user2" spelling)
Write protection of source code
The source code needs to be writable at certain points. Let's define some rules:
Backend / Source code:
-
Generally you can write-protect the whole TYPO3 source code, that is, the typo3_src/ directory (more specifically typo3/ and t3lib/) and its contents
-
... except "typo3/ext/" if you want TYPO3 to install global extensions for you.
Frontend (local website):
-
typo3temp/, uploads/ (+ subdirs) and typo3conf/ (+ subdirs) must be writable.
The ownership of the files should be the web server user executing the scripts.
On UNIX boxes you can use this command:
chmod -R 555 typo3_src/
Notice: A typical mistake on UNIX systems regarding write permissions: you look at e.g. “typo3conf/localconf.php”, see that the file is writable, and yet TYPO3 reports that it is not. That is most likely because you did not allow PHP to write to the typo3conf/ directory as well! Check the permissions of the directory, not just the file.
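Here is an added shell script, not part of the original TYPO3 documentation, that applies the two-user recipe above and the write-protection rules in this section in one go, and ends with a check for the typo3conf/ mistake described in the notice. It assumes an FTP user called ftpuser and a PHP user called www-data (both hypothetical names; override them with the FTP_USER and WEB_USER variables), a site root passed as an argument to each function, and the usual find, chmod, chown and usermod tools. It goes slightly beyond the text in two places: directories get the setgid bit so files uploaded by either user inherit the shared group, and files get 664 rather than 775, since nothing under the writable trees needs the execute bit.

```shell
#!/bin/sh
# Added example (not from the TYPO3 documentation): two-user layout plus
# write protection of the source tree. Assumed names: FTP user "ftpuser",
# PHP/Apache user "www-data"; the site root is the first argument.
set -eu

FTP_USER="${FTP_USER:-ftpuser}"
WEB_USER="${WEB_USER:-www-data}"

# Trees TYPO3 itself writes to (relative to the site root).
WRITABLE_DIRS="fileadmin uploads typo3temp typo3conf"

# Step 1: make each user a member of the other's group (run as root).
# usermod -a -G appends a group without dropping the existing ones.
cross_group_users() {
    usermod -a -G "$WEB_USER" "$FTP_USER"
    usermod -a -G "$FTP_USER" "$WEB_USER"
}

# Step 3: owner = FTP user, group = PHP user on the writable trees
# (run as root). "user:group" is the POSIX spelling of "user.group".
set_owners() {
    root="$1"
    for d in $WRITABLE_DIRS; do
        if [ -d "$root/$d" ]; then
            chown -R "$FTP_USER:$WEB_USER" "$root/$d"
        fi
    done
}

# Step 2, slightly stricter than "775 on everything": 2775 on
# directories (setgid, so new uploads inherit the shared group) and
# 664 on files. The source tree gets 555 recursively, except typo3/ext/
# when ALLOW_GLOBAL_EXT=1 is set, so the backend can install global
# extensions there.
set_modes() {
    root="$1"
    for d in $WRITABLE_DIRS; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -type d -exec chmod 2775 {} +
            find "$root/$d" -type f -exec chmod 664 {} +
        fi
    done
    if [ -d "$root/typo3_src" ]; then
        chmod -R 555 "$root/typo3_src/"
        if [ "${ALLOW_GLOBAL_EXT:-0}" = 1 ] && [ -d "$root/typo3_src/typo3/ext" ]; then
            find "$root/typo3_src/typo3/ext" -type d -exec chmod 2775 {} +
            find "$root/typo3_src/typo3/ext" -type f -exec chmod 664 {} +
        fi
    fi
}

# The check for the mistake in the notice above: list every file or
# directory under the writable trees that the group cannot write to.
# A 755 typo3conf/ directory shows up here even when localconf.php
# itself is 664. Prints nothing when everything is in order.
find_unwritable() {
    root="$1"
    for d in $WRITABLE_DIRS; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" ! -perm -020
        fi
    done
}

# Usage (as root, after sourcing this file):
#   cross_group_users
#   set_owners /var/www/site && set_modes /var/www/site
#   find_unwritable /var/www/site     # should print nothing
```

Run find_unwritable again after every FTP upload session if the FTP daemon does not honour the setgid bit; anything it lists is a path TYPO3 will report as not writable.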
Changing the default “typo3/” directory
By default TYPO3 is administered from the directory “typo3/”. You can rename it so the backend is available from another directory, e.g. “my_typo3_admin_dir/”. Bear in mind that this only hides the backend from people guessing the path; it is no substitute for restricting access to it. The frontend and backend are tied together in ways that mean you will have to change parts of the source code. That is relatively easy if you follow these guidelines:
-
Rename the “typo3/” directory/symlink to “my_typo3_admin_dir/”. Notice that the backend directory must always be a subdirectory of the website (extensions inside it and frontend editing rely on the backend being there). Further, it cannot be a sub-subdirectory either (this works only partially and is currently not intended to be fixed).
-
Search for the string 'define("TYPO3_mainDir"'. At least four scripts will be found: typo3/sysext/cms/tslib/index_ts.php (the index.php file), typo3/sysext/cms/tslib/showpic.php, t3lib/thumbs.php and typo3/init.php. In each of them change the constant definition from “typo3/” to “my_typo3_admin_dir/”.
-
Any local extensions (those installed in typo3conf/ext/) that have backend modules (those with conf.php files) MUST have the $BACK_PATH definition in their conf.php changed! If they were installed by the extension manager everything should be fine, but if not, you must change it manually. Otherwise you will receive an error like this: Warning: Failed opening '../../../../typo3/init.php' for inclusion...
-
Rarely: The extension “direct_mail” has two cron scripts, dmailerd.phpcron and returnmail.phpsh. They have “typo3/” hardcoded as the admin directory as well. If you use these scripts, you will have to change that too.
-
Finally you should remove the “temp_CACHED_ps*” files found in typo3conf/ before you test the new settings. They will be regenerated with adjusted paths on the first execution of a TYPO3 script. On UNIX systems something like this will do the trick:
rm typo3conf/temp_CACHED_ps*
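The rename procedure above, as an added script that is not part of the TYPO3 documentation: it moves the backend directory, rewrites every TYPO3_mainDir definition below the site root (both quote styles), reports local extensions whose conf.php still has “typo3/” hard-coded in $BACK_PATH (those you still fix by hand), and clears the cache files. The new directory name my_typo3_admin_dir is the page's own example; the site root is passed as an argument; GNU sed is assumed for the in-place edit (-i). The direct_mail cron scripts are not touched.

```shell
#!/bin/sh
# Added example (not from the TYPO3 documentation): move the backend
# directory and fix up the references listed above. Assumes GNU sed.
set -eu

# Step 1: rename the "typo3/" directory or symlink.
rename_backend_dir() {
    root="$1"; newdir="$2"
    mv "$root/typo3" "$root/$newdir"
}

# Step 2: rewrite define("TYPO3_mainDir", "typo3/") (single or double
# quotes, any spacing) to the new directory in every PHP file below
# the site root. Files that do not contain the constant are skipped.
rewrite_maindir() {
    root="$1"; newdir="$2"
    find "$root" -name '*.php' -exec grep -l 'TYPO3_mainDir' {} + |
    while read -r f; do
        sed -i -e "s#\(define([[:space:]]*['\"]TYPO3_mainDir['\"][[:space:]]*,[[:space:]]*['\"]\)typo3/\(['\"]\)#\1$newdir/\2#" "$f"
    done
}

# Step 3: list conf.php files of local extensions whose $BACK_PATH
# still points at typo3/. These have to be edited by hand, otherwise
# the backend fails with "Failed opening '../../../../typo3/init.php'".
stale_back_paths() {
    root="$1"
    find "$root/typo3conf/ext" -name conf.php \
        -exec grep -l 'BACK_PATH.*typo3/' {} + 2>/dev/null || true
}

# Step 4: drop the cached configuration so it is rebuilt with new paths.
clear_cache() {
    rm -f "$1"/typo3conf/temp_CACHED_ps*
}

# Usage:
#   rename_backend_dir /var/www/site my_typo3_admin_dir
#   rewrite_maindir    /var/www/site my_typo3_admin_dir
#   stale_back_paths   /var/www/site   # fix anything printed here by hand
#   clear_cache        /var/www/site
```

Run stale_back_paths before clearing the cache; an extension it lists will keep breaking the backend until its conf.php is corrected, no matter how often the cache is regenerated.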