Folder permissions required for XenForo

Is chmod 0777 really required?

I tried to chown -R admin1:admin1 *, but seems not sufficient.
Is there better way on ApisCP than 777 permission?

You can change the user that apache runs under to the username that you have set up for the domain, then it will run under php-fpm as adminX/adminX and you won’t need 777

1 Like

Oh what page on the dashboard I can do that? Thanks.

Under Web -> PHP Pools

1 Like

Nice, that was easy.

You can automatically assign the pool to the account admin instead of apache on account creation. Defaulting your plan’s apache,webuser => None will do that. Otherwise,

EditDomain -c apache,webuser=None
1 Like

Follow up question, how to make this as default on every account/domain?
On the dashboard by the way.
Thanks.

https://docs.apiscp.com/admin/Plans/#creating-plans

1 Like

Creating a Manifest is a more secure approach to this. Running same-user negates any benefits of Fortification and makes it operate in single-user mode like cPanel/Plesk.

Web > Web Apps > Manifests > Create

Edit the manifest with,

base:
# database configuration, used for snapshots
database:
  # "mysql" or "pgsql"
  type: mysql
  # database user
  user:
  # user password - can leave blank
  password:
  # database name
  db:
  # database host
  host: localhost
  # optional prefix attached to tables
  prefix:
fortification:
  # Fortification profiles, called via webapp:fortify($hostname, $path, $type)
  max:
    - data
    - internal_data
# Populated by Web > Web Apps > Sign Manifest or webapp:sign()
signature:
# Set by manifest on sign
manifest_version:

Sign the manifest, then you can apply max fortification to the site. Whenever you need to update Xenforo, go to Web > Web Apps > Fortification > Web App Write Mode to allow write access. Filling in the database details would allow snapshots to take a copy of your database.

It’s a tradeoff between convenience and security.


On 777, it’s important to look at the visibility of others on the server. Since each user is isolated into its own filesystem slice with BoxFS other in the permission set “other” doesn’t matter much. If you have multiple users in the same group - PHP-FPM user included - then 7 in the set “group” would allow them read/write/delete access. Fortification above would open permissions only to the PHP-FPM user assuming it’s apache,webuser=None.

1 Like

Thanks for the detailed answer, still needs a lot of reading before I can fully understand those new terms :).

Does it mean less secure only?
But the performance isn’t affected?

This doesn’t work with XF though as those folder always needs write access so avatar/attachments can be stored.

Correct

That’s the purpose of a Manifest above. It’ll always permit write-access to those named directories.

1 Like