Ajado

How to set permissions for TYPO3 on the webserver

The challenge

There are several issues that have to be considered:

  1. backend users should be able to edit files in fileadmin through the filelist module
  2. FTP users should be able to edit files in the fileadmin through FTP
  3. developers want to edit files in extensions directly on the server
  4. TYPO3 needs write permissions for the typo3conf/ext directory to enable the installation of extensions on the server
  5. attackers should not be able to rewrite/delete system or extension files
     (actually they should not be able to rewrite/delete ANY files, but changing PHP code on the server is especially dangerous, because at that point an attacker could take over your whole server)
  6. in case an intruder gets access to the server (e.g. by finding out the FTP account data of your customer), you want as few files as possible to be affected by the attack.

Our approach

We have written a small script which sets up the basic permissions for new TYPO3 installations:

sudo su
# Extract the dummy package of the downloaded TYPO3 source into the new web root
tar -C /var/www/ajado -xzf /srv/t3_src/dummy-4.4.4.tar.gz

# Move the dummy package into the newly created web root ("ajado")
mv -f /var/www/ajado/dummy-4.4.4/* /var/www/ajado/

# Create a symlink in the web root which points to the TYPO3 sources in the t3_src directory
ln -s -f /srv/t3_src/typo3_src-4.4.4 /var/www/ajado/typo3_src

# Make files writeable for owner and group
# (note that -R 775 also sets the execute bit on plain files, which only directories need)
chmod -R 775 /var/www/ajado/

# Set the owner of all files in the web root to "ajado", which is the FTP user as well.
# This way we can edit all files over FTP, but not the TYPO3 system files (which are symlinked from /srv/t3_src and keep their own owner).
# In case some attacker takes over this FTP user, he/she will only be able to affect files in the "ajado" web root, not other web roots.
chown -R ajado:ajado /var/www/ajado/

# Reset the owner of the directories which have to be writeable through TYPO3 (which runs as the www-data user)
chown -R www-data:www-data /var/www/ajado/typo3temp/
chown -R www-data:www-data /var/www/ajado/uploads/
chown -R www-data:www-data /var/www/ajado/fileadmin/
chown -R www-data:www-data /var/www/ajado/typo3conf/

# Create an ENABLE_INSTALL_TOOL file, so you can start configuring TYPO3 via the install tool right away
touch /var/www/ajado/typo3conf/ENABLE_INSTALL_TOOL

# One more thing: most of the time we want to edit extension files via FTP on the server, so we add the user "ajado" to the group "www-data".
# -a appends the group; without it, -G would replace all of the user's other supplementary groups.
usermod -a -G www-data ajado

Don't forget to set the typo3conf/ext directory read-only for the www-data user when going public with your website; it will narrow down the possible targets for attackers! Handing the directory back to the "ajado" user and group does exactly that, because www-data is neither the owner nor a member of the "ajado" group:

chown -R ajado:ajado typo3conf/ext
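To check that the scheme above actually holds before a site goes public, here is a small audit script. It is an added example, not part of the original post and not an Ajado tool; it changes nothing and only reports findings. It assumes the layout the post describes (typo3conf/ext for extensions, typo3conf/ENABLE_INSTALL_TOOL as the install tool switch, a typo3_src symlink in the web root) and that the web server user (www-data in the post) is neither the owner nor a group member of the extension files once they have been handed back to the FTP user.

```sh
#!/bin/sh
# Added example (not from the original post): audit a TYPO3 web root for
# permission mistakes that would let the web server user or anyone else
# modify code. Assumed layout: $WEBROOT/typo3conf/ext and
# $WEBROOT/typo3conf/ENABLE_INSTALL_TOOL, as in the post.

# Report world-writable files or directories anywhere under the web root.
# Nothing in the scheme needs o+w, so any hit is a mistake. Symlinks are
# skipped because the link itself always shows mode 777 on Linux.
# Returns 0 when clean, 1 when findings were printed.
audit_world_writable() {
    hits=$(find "$1" ! -type l -perm -o+w -print 2>/dev/null)
    if [ -n "$hits" ]; then
        printf 'world-writable:\n%s\n' "$hits"
        return 1
    fi
    return 0
}

# Report extension code owned by the web server user: after the final
# "chown -R ajado:ajado typo3conf/ext" there should be none.
# $1 = web root, $2 = web server user (defaults to www-data, as in the post).
audit_ext_owner() {
    webuser=${2:-www-data}
    ext="$1/typo3conf/ext"
    [ -d "$ext" ] || return 0
    hits=$(find "$ext" -user "$webuser" -print 2>/dev/null)
    if [ -n "$hits" ]; then
        printf 'owned by %s:\n%s\n' "$webuser" "$hits"
        return 1
    fi
    return 0
}

# The ENABLE_INSTALL_TOOL file created during setup must be gone before
# launch: while it exists, the install tool stays reachable.
audit_install_tool() {
    if [ -e "$1/typo3conf/ENABLE_INSTALL_TOOL" ]; then
        echo "install tool still enabled: $1/typo3conf/ENABLE_INSTALL_TOOL"
        return 1
    fi
    return 0
}

# Run all three checks; the exit status is the number of failed checks.
# $1 = web root, $2 = web server user (optional).
audit_typo3_webroot() {
    failures=0
    audit_world_writable "$1" || failures=$((failures + 1))
    audit_ext_owner "$1" "$2" || failures=$((failures + 1))
    audit_install_tool "$1" || failures=$((failures + 1))
    return $failures
}

# Usage: audit_typo3_webroot /var/www/ajado www-data
```

Run it as root (or as the FTP user) once the final chown has been applied; a non-zero exit status tells you how many of the three checks failed, and the printed paths show what still needs fixing.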

How do you do it?

Any thoughts or improvements on our approach? Feedback is always welcome!
