#14332 FTP mode and file permissions

Posted in 'Site restoration'

Environment Information

PHP version
n/a
CMS Type
Other
CMS Version
n/a
Backup Tool Version
n/a
Kickstart version
n/a

user7806

Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? yes
Have I searched the tickets before posting? yes
Have I read the documentation before posting (which pages?)? kickstart user and troubleshooting guides
Joomla! version: (2.5.8)
PHP version: (5.2.17)
MySQL version: (unknown)
Host: (cirrushosting.com)
Akeeba Backup version which took the backup:Akeeba Backup Professional 3.6.10
Kickstart version used to extract the backup: 3.5.2

Description of my issue:

I would just like clarification on one point:

If kickstart is unable to extract the archive without using FTP mode, is it then a given that the site itself will require FTP mode in order to function?

I know I have used kickstart in the past on hosts where the extraction, installation and subsequent operation of the site proceeded smoothly without needing FTP. The kickstart troubleshooting makes it sound like that's rare, that "almost all" hosts do not support this.

On this particular host I can't get kickstart to run without turning on FTP etc.. Does that mean on this host the site is also going to require FTP full-time?

Thanks,

Chris.

nicholas
Akeeba Staff
Manager

In order to answer that question we need to know the user and group the web server runs under, the user and group the FTP server will use to write the files, the permissions of the files as well as if your server is using something like suPHP or mod_fpm (FastCGI Process Manager).

Moreover, just because you can assign 0777 permissions to everything and have no problem running the site doesn't mean that this is a secure or even a sane thing to do. Yes, even on the crappiest of servers you can do that and Joomla! will run just fine, but it's like bending over to grab the soap in the prison's shower. The hackers will be the other inmates in the shower. You get the picture.

For more information I would suggest beginning by reading the Security Information chapter of Akeeba Backup's documentation which discusses how users, ownership and permissions work. It's definitely not a light read, so I'd suggest trying to read a few times until you begin to understand how these concepts relate to each other. Then I'd recommend reading my 777: The number of the beast blog post where I discuss the perils of using 0777 permissions indiscriminately.

Coming back to your question, decent hosts either use virtualisation or suPHP, mod_itk or mod_fpm (or the equivalent if Apache is not used). In these cases the web server process for your site effectively runs under the same user and group as the one used by FTP. On these hosts Kickstart's FTP mode is not required. That's why Kickstart's FTP mode is presented as an exception, a rarity. If you need Kickstart's FTP mode then your shared server has a subpar configuration which makes it easier for hackers to compromise your site when another site has been compromised on the same server. This will happen despite you taking the best protection measures due to the way the permissions and ownerships on such servers have to be set up. As a rule of thumb, whenever you see a server where you need to use Kickstart's FTP mode and/or Joomla!'s FTP mode, RUN! I've seen too many sites hacked like that on servers like that and their owners then going to Joomla!'s forum and complaining what a piece of shit Joomla! is. Joomla! itself is very secure, but it can only be as secure as the server it runs on. If the server has more holes than a slice of Swiss cheese, what kind of security would you expect?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
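
An added example, not part of the ticket and not Akeeba's code: a simplified model of the ownership check described in the reply above, reporting which paths the web server user can write directly, which would need FTP mode, and which are world-writable. The function names, category labels and sample tree are constructed for illustration; it assumes a POSIX system and ignores ACLs.

```python
import os
import stat
import tempfile

def classify(st, web_uid, web_gids):
    """Classify one lstat() result from the point of view of the PHP/web server user."""
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        return "world-writable"   # 0666/0777 style: every account on the server can modify it
    if st.st_uid == web_uid and mode & stat.S_IWUSR:
        return "direct-write"     # PHP runs as the file owner (suPHP-style setup)
    if st.st_gid in web_gids and mode & stat.S_IWGRP:
        return "group-write"      # writable through a shared group
    return "ftp-mode-needed"      # PHP cannot write here; only the owning (FTP) account can

def audit(root, web_uid, web_gids):
    """Walk root and return {category: sorted relative paths} for files and directories."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue          # symlink permissions are not meaningful
            rel = os.path.relpath(path, root)
            report.setdefault(classify(st, web_uid, web_gids), []).append(rel)
    return {category: sorted(paths) for category, paths in report.items()}

def demo():
    """Constructed sample tree: a 0755 directory holding a 0644 and a 0666 file."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        for name, mode in (("index.php", 0o644), ("configuration.php", 0o666)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        owner = os.getuid()                          # stands in for the FTP account
        same_user = audit(root, owner, set())        # web server runs as the file owner
        other_user = audit(root, owner + 1, set())   # web server runs as another account
    return same_user, other_user

if __name__ == "__main__":
    for label, report in zip(("same user", "different user"), demo()):
        print(label, report)
```

On a real site, pass the uid and group ids the web server actually runs under to `audit()`; any path reported as world-writable is the 0777-style exposure the reply warns about.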

user7806

Nicholas writes:

As a rule of thumb, whenever you see a server where you need to use Kickstart's FTP mode and/or Joomla!'s FTP mode, RUN!

That's exactly what I was wondering about. In this case I contacted my host and thankfully they were able to change my php configuration to allow the site to work properly (no FTP, proper permissions).

Maybe the kickstart guide should be clearer about this? During the archive extraction when direct writing fails it makes it sound more like "no big deal, just use FTP mode instead". It might be helpful to say something like, "your host has a sub-par configuration that requires the use of FTP for file access. This will affect not just the restoration but also the ongoing operation of the site."

Thanks for the help,

Chris.

nicholas
Akeeba Staff
Manager

Well, the thing is that there's only so much I can write in the documentation. Server setup is well beyond the scope of the documentation, or even the support I have to offer. Moreover, most people are not as likely to act upon my suggestions. At least, not likely to act upon my suggestions in a sensible way. During the last six years I've suffered a lot of abuse. Some of the all-time "favorites" which led to me offering many features for a fee and refusing to do free support: I've been told to give up programming and start knitting (the dumb user had installed a third party plugin which broke his site), accused of hacking a site (the idiot who owned the site couldn't tell that his developer – who hadn't been paid for months – didn't finish the backup restoration), threatened to be beaten up (a scumbag demanded free support, without having a subscription, for the Professional version installed by the web development company he had just fired because they dared to demand being paid), threatened to have a contract on my life (the moron couldn't read Kickstart's instructions and threatened to have someone kill me when I told him to pay for support like anyone else), accused of spreading malware through my Professional versions (the jackass couldn't even read the message from his antivirus) and told that I have no idea about server security (by a silly clown who said he updates his site only once in four  y e a r s  for "security reasons" – it's the equivalent of drinking milk which has expired four years ago for "sanitary reasons"). So, no, I don't think the documentation would be a good place to put this kind of advice. There are too many idiots out there who won't understand what I am talking about. Besides, I consider this something which should be self understood by web professionals. Alternatively you can always ask me and I can always point you to the articles I've written on the subject.
This will at least spare me the unpleasant situations like the ones I mentioned above ;)

