What Are The Lowest Possible Permissions for Typo3

What are the lowest possible permissions for TYPO3?

There is no need for write permissions on typo3/. This is only needed if you want to install a system extension (which you should not do) and for some .htaccess files which could be created by the install tool (create them by hand, or change permissions afterwards).

Usually your FTP user and your web server user are different, so they should be in the same group. You need to set permissions to 0770 (directories) and 0660 (files) so you can upload files via FTP and edit them via TYPO3. Otherwise you upload a file via FTP with 0630 - and you will not be able to delete that file via TYPO3.

TYPO3, Plesk and permissions

Why do I have to set such high permissions?

With a good configuration you don't. typo3 and t3lib need to be read-only. fileadmin, typo3conf, typo3temp, uploads need to be writable, but only to the user under which PHP runs.

Is the problem that I need such high permissions because the Apache user is a different one than the FTP user, and otherwise it doesn't work?

IMHO, as PHP is run as CGI, it actually runs under a different user than Apache. As files are generated by PHP and have its permissions, they might not be readable by Apache. Therefore you should have Apache and PHP in the same group and have files and permissions set on a per-group basis.

Isn't there a way to have the same user for FTP and for Apache?

That's a question for your host. Same group should do the job though.

Is it only the old TYPO3 v. 4.2 that needs such high permissions?

I think there's not any difference between v4.2 and new versions in this.

Are there other ways to change to a lower permission?

Yes, check who is who. You possibly have up to 3 users involved: Apache, PHP, FTP user. To access the files created by each other, they need to be in the same group and the files need to have permissions set for this group. Then check the TYPO3 settings for creation of new folders and files:

$TYPO3_CONF_VARS['BE']['createGroup'] = 'group_of_your_users';
$TYPO3_CONF_VARS['BE']['fileCreateMask'] = '0770';
$TYPO3_CONF_VARS['BE']['folderCreateMask'] = '0770';
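
An added example (not part of the original answers and not TYPO3 code): a shell function that audits a document root against the scheme described above. It assumes typo3 and t3lib are owned by the FTP/deploy user and must not be group- or world-writable, and that fileadmin, typo3conf, typo3temp and uploads belong to one shared group with 0770/0660-style modes. The function name and the finding labels are made up for this example.

```shell
#!/bin/sh
# Added example, not TYPO3 code. Function name and finding labels are hypothetical.
# Usage: audit_typo3_perms /path/to/docroot shared_group
# Prints one line per finding; exit status is 0 only when there are none.

audit_typo3_perms() {
    root=$1
    grp=$2
    out=$(
        # Code trees: PHP reaches them via group or other (assumption: the
        # owner is the FTP/deploy user), so no group or world write bit.
        for d in typo3 t3lib; do
            [ -d "$root/$d" ] || continue
            find "$root/$d" ! -type l \( -perm -0020 -o -perm -0002 \) \
                -exec printf 'WRITABLE-CODE %s\n' {} \;
        done
        # Data trees: shared group, group read+write, nothing for other.
        for d in fileadmin typo3conf typo3temp uploads; do
            [ -d "$root/$d" ] || continue
            find "$root/$d" ! -type l ! -group "$grp" \
                -exec printf 'WRONG-GROUP %s\n' {} \;
            find "$root/$d" ! -type l ! -perm -0060 \
                -exec printf 'NOT-GROUP-RW %s\n' {} \;
            find "$root/$d" ! -type l \
                \( -perm -0001 -o -perm -0002 -o -perm -0004 \) \
                -exec printf 'WORLD-ACCESS %s\n' {} \;
        done
    )
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}
```

A file uploaded with mode 0630, as in the first answer, is reported as NOT-GROUP-RW because the group has write but not read access.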

Backend access rights for news records

No, this is not possible, since backend user permissions on record level are not implemented in TYPO3.

So you either have to separate the news records of the users in separate sysfolders or you could try to use hooks (e.g. $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['typo3/class.db_list_extra.inc']['getTable']) or XClass to customize the TYPO3 backend to your needs. I do not recommend the latter, since the TYPO3 backend permission system is complex and you would need to make sure to restrict record access in several parts of TYPO3 (e.g. recordlist, element browser, related news field, ...).

TYPO3 User Management

Maybe the group does not have access to the subpages?

In the backend under System -> Access you can change the ownership of pages - owner, group and all.

When editing access control of one page, you can change the depth to automatically adjust subpages.

Restrict access to Powermail upload folder

Adding a .htaccess file in the folder with "deny from all" will restrict the access to the files.
Maybe the powermail extension could automatically add the .htaccess file on installation.
