Joomla from Permissions to the FTP Layer
This article summarizes the first hour of my introductory course to Joomla. It's a bit "thick" as it’s about system architecture concepts for which the user does not normally have professional knowledge. So try to go slowly, be patient and don’t get discouraged. Draw the examples in the text, copy the pictures and you will see that in the end you had fun.
NOTICE: THIS ARTICLE CONDENSES SEVERAL MONTHS OF COLLEGE TRAINING. IF YOU DON’T HAVE PAPER AND PENCIL, TO GO ALONG WITH THE EXAMPLES AND MUCH PATIENCE, READ ANOTHER ONE ;-)
We will see some issues that can become difficult to understand even though the purpose of this article is not to go deeply into them. We can go to the recommended additional readings at the end of the article afterwards. If you still have questions, write to me and we'll find a way to solve them.
Objective: To understand what and why there is the FTP layer in Joomla!
To begin with let's see what are the permissions of the files as they are the security basis of multiuser operating systems.
The way of organizing information in a conventional computer is by using files. Each file must have a name that identifies it. Historically and by convention the name is usually composed of two parts separated by a dot: the name and extension. First off the name helps us to recognize the use we give to the file, while the extension indicates the type of file. Some common extensions are:
. txt plain text file
. odt OpenOffice text file
. pdf file with a page and a standard design format
. exe executable file in Windows
. sh executable batch file in Linux
. php file containing a program in php language
. html file containing the code of an html page
Special types of files are the folders or directories. Internally the computer manages these as if they were just files to which the attribute of being a virtual container is added, for storing groups of data files and other directories (called subdirectories as they are inside another). But for what we will see in this article the treatment is identical as to normal files.
There are more special file types, such as hard and soft links, etc ... Well it applies also to those which we will see now. Anything that has a name in our operating system behaves as follows:
When the file is created it’s given a name which is done by a user who has entered his name and password on his computer (or automatically when installing the operating system he only created one user and configured it to start with that one by default).
So along with the file name the user who created it is also saved which is called the owner. This is VERY important, remember.
In the picture above we can also see that in addition to the file name, the date and time of its creation, the indicator of whether or not it’s a directory and the name of its owner, it also shows the name of the group to which it belongs.
What does "the group to which it belongs" mean? All users, at least, belong to their own group. When you create the user at the same time it creates a group with the same name. That way if a parent wants to access files from each of her two children, but without them being able to do the same with the parents and neither between them (the children), the first thing you have to do is add your user to the groups of your children.
Now a good father just wants to see things their children do without modifying or deleting them, and this is where permissions come into play.
We have three types of work groups that affect a file. Three? But.. we only saw two! The group type most important is the OWNER, the second one by order is the one of his GROUP, and the third type of group… is the rest of the users who aren’t the owner and those that belong to that group, in other words, who are OTHERS.
If you look at the first picture we see that below each file name is a series of letters which we have yet not seen. For the file called "progress" we see that the first letter you see on your line is "d", while in the other two that letter does not appear in the first position. With a little imagination we see that the first letter identifies whether the file is a "DIRECTORY" or just one file.
And from there the following NINE letters are ... the permissions!
Three permissions for each group. Three for the owner (USER), three for the group (GROUP) users who want to give a different permission to the owner and differentiate it from other users and three for all other users (OTHER).
Now to remember our binary!
The numbers in base 10 (0 through 9) are those commonly used in base 2 (0 to 1) are the ones that computers are using, and the equivalence between them is very simple.
In the blue part of the picture we have the "weight" which is the equivalent in decimal of the binary number. In the first column on the left the number is in decimal, the second column the number is in binary, and in the other the same number is in binary but broken up so we can add them more comfortably. So the binary number "0101", will have a decimal equivalence of "0 +4 +0 +1" i.e. "5", and the binary number "0111" is the same as "0 +4 +2 +1" in decimal, i.e. "7".
Seeing this we will go back now to our permissions:
Each group has three permits, from left to right: Read, Write, and Execute.
If you check the execute bit (001), this will be allowing the operating system to "run" the file as if it were a program. In Joomla, this is RARELY necessary as the language that it is built in (PHP) interprets our code which must be marked as executable.
The second bit (010), which is worth two in decimal is the writing. This permit ensures that you can create files (if it is a directory) and delete or overwrite a file if set to one.
The third bit (100), or most significant bit, is Read. If this file is not marked it cannot be read.
The possible combinations are:
000 The file is neither seen nor can be modified, or executed
001 The file can only be executed
010 The file can be modified
011 The file can be modified and is an executable
100 The file can only be consulted
101 The file that can be consulted is an executable
110 The file can be consulted and modified
111 The file has full access.
We recover the previous graph and now apply x our common sense. The owner may do whatever he wants with his files, i.e.: "7", the members of his group can only read: "4", same as other users of the system: "4", a normal configuration in Joomla! for the permissions of a file can be “744”.
If we think a little more about it ... the owner will never be able to execute the file, so the first "7" can be a "6". Why not increase a bit leaving the security level as "644"?
We will NEVER put the permissions to "777" or "666". Since we must never allow someone other than the owner to modify or execute these files if we are not sure it's necessary. In Joomla this is NEVER NEEDED.
Now we know how the file permissions work, but what does that have to do with the FTP layer?
To get to that answer we need to know how an Internet server works.
Consider the following image:
This is the basic structure of an Internet server ready to run our Joomla.
The INTERNET USER will open his browser and will write the web address he wants to go, for example, https://magazine.joomla.org/es first thing your computer does is ask the DNS server you have on your network configuration to the corresponding IP ADDRESS that name (magazine.joomla.org). Your DNS server if I has the response it will return it to the browser and if it does not have it then it will ask through the DNS network to the DNS master server of the domain that we want to see (in this case joomla.org). In any case the browser already knows that he has to look in the machine the IP ADDRESS 188.8.131.52
And from there the communication starts between the Users Internet IP and the server IP. But how?
All IP ADDRESSES have what are called "ports", which are like the doors of our neighbors within a portal home. The IP address would be the house number (Calle Mayor 10), and port identifies each house (first door right).
ALL TCP / IP communications (which are the protocol that web browsers work on) have to go from one IP and source port to a destination IP and port.
The first 1024 ports are defined as server access ports (you can see some of the most common on the image), and between 1025 and 65536as output client ports.
So the client IP (i.e. 184.108.40.206) from its output port, 43,560, sends a packet to magacine.joomla.org server (220.127.116.11) to see a website (port 80). When the server responds so does it between those two addresses and ports. So the packets know where they come from and where they should arrive.
Well we know how the USER and the SERVER communicates but, what do they say?
Now ... attention to this ... IT BECOMES MORE COMPLICATED!
The first thing that the web server asks to the browser of the Internet is the USER and GROUP (not his password) which with you have access to the files that are on the server. 99% of our browsers respond, "Come on man I do not know! Give me access to the user you have by default in your Apache configuration." And the server which is very nice... goes and gives it to him.
In other words, imagine while configuring our Apache server, we configured the default Internet users to connect with the user "apache" and the group "apache", because with these data they will connect independently even if after Joomla, or any other application, asks a user to access its functionality. We're talking about access to see the page from the web.
So the files that should be accessible from our web server (our Joomla!) should be allowed to "read" for the default user configured (apache from the group apache), otherwise the file will not be sent to the PHP interpreter for execution. This may not know what data from the DB must be accessed and may not return the resulting HTML file to run our Joomla! for it to be sent after to the web browser.
So the web server also assigns a user and a group to which you connect to the internet ... Amazing huh?
Why the FTP layer? You ask me while staring me eye to eye... Now we are closer to understanding it.
Imagine that I want to upload a new file. The directory where you want to upload must have permissions for their own "write". And who is the owner? In my example "apache: apache". That is the easiest way to upload an image or other files on the web is that the directory permissions where they are going to, to be at least "600".
But if all Internet users connected to the same user and group. Does this mean that anyone can upload a file or modify one that I have uploaded? ACTUALLY the "paradox" is this:
1. Web server files should be owned by a single one for all Internet users.
2. If we want to modify or create a file they must be writable.
3. ALL Internet users can modify those files
So any Internet user who accesses the web to a server that has a "700" (at least) on the permissions of the directories and files in the web area, you could do the following:
• Delete a file from another
• Modify a file from another
• Upload an executable program (virus, trojan, etc ...) and execute it
Okay!, Okay!, we have reached the FTP layer.
Joomla! implemented an additional security in anticipation that the server you're running is not well configured and this is called LAYER FTP. This means that it does not implement the equivalent of the "FTP Layer" from another system thereby protecting all its contents.
Let's see what makes the FTP layer.
When Joomla! needs to upload a file type that is not with http but connects to the FTP server to be included in your disk space which is the space where your web server data (is normally) with the username and password that we give it. This way we will have our web files owned by user "ftp_user" group "ftp_user" and cannot EVER be modified by the user "apache" from the group "apache"
So this way there is no way a "bad guy" can jump our Joomla! going directly to the space where its allocated at and get us into it an unwanted file.
Well ... ways ...there’s always ways. If the code of the extensions we use have a vulnerability that would allow for that bad guy to get in... But that's another story.
Remember that our server will be maintained by experts in Security Systems and can be configured to solve this problem without us having to activate this "countermeasure" in our Joomla! ... But from now on, if you activate the FTP layer, or don’t do it, it will be a decision we make because we understand what this means ...
And I ... what do you want me to say, I think it’s a great way to get started in the exciting world of Joomla! and the systems that support it.
If you made it up to here and I have contributed to something ... thanks for your patience!
Recommended additional readings
Hypertext Transfer Protocol -- HTTP/1.1 (English)
HTTP Wikipedia (Spanish)l
FTP Wikipedia (Spanish)
Sistema de archivos. Wikipedia (Spanish)
Permisos de archivos. Wikipedia (Spanish)
Permisos de archivos.ITE (Spanish)
Usuarios y Grupos de usuarios en Linux. ITE (Spanish)
FTP Layer. Joomla.org (English)
FTP Accounts details. Joomla.org (English)
Original article in Spanish: https://magazine.joomla.org/es (September issue)