Joomla Tools Suite - Part 3 (Permissions Audit)
A critical part of Joomla security is file and directory permissions. By default Joomla does not enforce strict permissions, and these may lead to having permissions which are too weak, make it easy for your site to be compromised.
Permissions in Joomla are a weird and (wonderful?) animal. This is because each hosting server usually have their own configurations and defining a set of permissions which work on all hosts is practically impossible. Having said this, there are recommendations that one should follow, and certain permissions which one should defintely avoid. There is a very good Joomla permissions overview , which is highly recommended.
Just a brief cutting from the above article:
Owner (User) relates to username
The Owner (User) is normally you, these permissions will be enforced on your hosting account name.
Group relates to usergroup
The Group permissions will be enforced on other people that are in the same group as you, within a hosting environment, there is very rarely other people in the same group as you. This protects your files and directories from being made available to anybody else who may also have a hosting account on the same server as you.
Other relates to everyone else
The Other permissions, these will be enforced on anybody else on the server that is either not you or not in your group. So in a Web Serving environment, remembering that no-one else is normally in your group, then this is everybody else accessing the server except for you.
Joomla Recommended Permissions
Joomla default recommends the following generic settings
Files = 644 and Directories = 755
These permissions would allow, for files;
644 = rw- r-- r-- = Owner has Read and Write
Group has Read only
Other has Read only
and for directories;
755 = rwx r-x r-x = Owner has Read, Write and Execute
Group has Read and Execute only
Other has Read and Execute only
If you have setup your permissions to work with these permissions and Joomla complains that some folders are unwriteable, then you may have configured your permissions incorrectly, or you might have encountered a Joomla unfriendly host.
Permissions one should avoid at all costs is giving Other group any write permission on any file / directory. The biggest security sin one can commit is to change files / folders to 777 (everyone can do anything), and forget them like this!
Joomla Tools Suite - Permissions Audit
So how does the Permissions Audit work, and what can it do for you? The permissions audit tool, goes through all files and directories and checks for any for file or directory which does not conform to the recommended permissions and which may thus post a threat to your site. Many times you may have uploaded templates, components, forums, or any other files which might have not had the correct permissions setup, and these misconfigurations will be found by the Permissions Audit tool.
It is very easy to go through and determine that a particular file or folder does not have the recommended settings, because the tool highlights any potential risks. What you would need to do then is, browse to the file / folder using FTP software, and change the permissions to correct permissions.
Part 4 - Removing unecessary files/ components and how unused components and / or files can make your site vulnerable.