TYPO3 Core

Just to help direct people, this links to commit 2e3c9d5 from Christian Kuhn which was the Install Tool rewrite.

I believe the file :

/typo3/sysext/install/Classes/FolderStructure/DirectoryNode.php

Might be linked to this, as I identified some targetPermissions in there of 2770 which are linked to the issues I'm seeing. Hope this helps!!

It seems as if permissions are modified again prior to or during the first login, as I had to take the same corrective action with the find/chmod command after logging in for the first time.

(First login was a blank screen, presumably due to inability to write cached css)

In fact, if I "flush all caches" and log out, I'm presented with a broken css-less login page, I then run the CHMOD command again at the terminal to reset permissions, refresh the login page and it's back to normal again.

Evidently something feels obligated to reset the permissions or re-writes files with inadequate permissions, it's rather frustrating. I've not yet identified what's doing it and when but thought I'd leave and update.

Interacting with the extension manager also seems to break CSS (Again, permissions related).
Downloading extensions seems to work, but I can't activate/install them, though this might be version related rather than permissions, I have yet to find out.

Last install, the permissions where rwxrws--- which in many cases is pretty infuriating, although they do work well once set up and left alone.

It requires the user to either sudo all creation/management commands on the cmdline as www/apache, or add their user to the web group. On shared hosting, this may not be possible or appropriate, so I can see the current permissions set causing a lot of support enquiries / upset users.

Perhaps a toggle / option is needed for "Install with secure permissions" vs "Install with Other user access permissions" would be useful? I appreciate the devs usually work on locked down personal machines where their users are part of the www-data user group, but many people on various hosting providers won't have this luxury.

Benjamin. To be more precise, it does not set the setuid flag, but the setgid.

So it does make a lot of sense that the group is preserved for all files and folders in order to be accessible for the webserver.

In your case I consider 0755 a bit strange, because why do "others" need access to your document root?
A proper setup should ensure that the FTP user and the webserver share one group, to enable access for both of them.

I think the point that myself and Benjamin are alluding to is that many users are forced to work in shared hosting where the user/group setup is far from ideal, or the people who manage the hosting are unwilling to make amendments. In situations such as the more secure permissions settings as detailed here make it impossible to work with the installer, and then obviously Typo3. Unless one wants to either put off new users, or generate a massive amount of incoming support overhead, I would definitely recommend relaxing the permissions settings or, ideally, introducing an option (Dropdown / radio button) in the installer to choose between strict and insecure permissions settings.

Luckily on the install I trashed I had SSH access, I know many people who have hosting that is not even as accommodating as that and if the provided "solution" is to "Change hosting", you may as well be posting them a link to drupal.org :)

I like the idea of secure permissions, it's just I feel a great many people's setups aren't compatible.

Hello Markus

You are right, its the setgid, NOT the setuid.

And yes, the 0755 could also be 0700 (for directory). But "Others" still don't have access to my files/directories (even they have 0777) because my DocumentRoot dir is in my customer directory having the right 0700, which means NO access to all it files and subdirectories for others except the owner of this "customer folder". I have tested that.

The main problem is: I wanted to upgraded typo3 from 6.1.7 to 6.2.0beta3 and it failed very bad.

My website is hosted by Hostpoint, which is a big webhoster here in swiss. So I am very sure other users will have the same problem too if nothing changes until final release. And no, I don't work for Hostpoint and I dont think they are causing this issue because of some miscellaneous (I love this word) system configuration.

By the way I also had to change in Install Tool -> All configuration -> $TYPO3_CONF_VARS['BE']:
[BE][fileCreateMask] = 0660
[BE][folderCreateMask] = 2770
to
[BE][fileCreateMask] = 0644
[BE][folderCreateMask] = 0755

Above I never had to change before, and I did an upgrade and not a new fresh installation.

My website still doesn't work. I will report back when it does.

I upgraded to 6.2.0beta3 to help making typo3 better.

Best regards,
Benjamin Schmidt

At first, thanks to both of you for submitting issues and testing 6.2!

Regarding the All Configuration settings: I guess you need to set this now, since these settings are taken into account everywhere now. (FAL takes care of these)

I fully understand that on shared hosting you usually are not able to change the permissions. (I'm on multiple shared hostings as well, but fortunately never had issues with the directory permissions.)

The problem for me (I can only speak of myself here) is that I can't test such interesting permission setups. I also don't know Hostpoint, but I can tell you that one of the biggest hosters in Austria is also not capable of hosting TYPO3 (because of several problems) even though they pretend to.

I already added Ernesto, our release manager for 6.2, to this ticket and I can only hand this over to him. As far as I know we already have some tickets concerning the permission checking of the Install Tool and there are changes planned to be implemented before the final release.

My website is now working with typo3 version 6.2.0beta3 :)

• multicolumn #54650
• feedforward #54649
• stever_rsscontent (not active any more)

Still, please do not harden typo3 by default if it can cause this much problems.

Nobody really cares about security or privacy today. The very few do, don't have a computer/mobile phone and therefore cant even use typo3. Typo3 must just work and hardening shall be an option for experienced users. But this is just my opinion.

Happy New Year