Support

I would use suPHP, unless you expect massive traffic (several hundreds of millions of pageviews per month) on the server. In that case use 644 permissions for files and 0755 for directories. Give the parent directory of your web root 0700 permissions. E.g. if your web root is /home/myuser/public_html, give 0700 permissions to /home/myuser and 0755 permissions to /home/myuser/public_html and its subdirectories. Why? Because the 0700 will "neuter" 0777 permissions, effectively making them equal to 0755 (that's a little known UNIX trick!).

DSO and CGI are like your old shared hosting platform, so you will suffer for having to set too wide permissions. None will just disable PHP which isn't really helpful in running a Joomla! site :)

You're welcome! Yes, suPHP should be on, that's correct. Enabling suPHP is the safest best to having a secure web server environment.

Since you have just changed to suPHP, you will need to do some work over SSH to get everything working properly. The most important thing to know is your UNIX username and group name for your account. Let's say if it is foo (username) and bar (group name). Using SSH and logged in as root, go inside your web root and type this:

chown -Rf foo:bar *
find . -type d -exec chmod 0755 {} \;
find . -type f -exec chmod 0644 {} \;

These commands change the ownership of all of the files to belong to your account and fix the permissions to same settings. From that point you're ready and you will probably never have to worry about file permissions again!

The group name is the hardest thing to find. Usually it's "users", but you should better ask your host about it as it depends on the server setup. You may see its name or numeric ID (both work just fine with the commands above) if you use Admin Tools' permission configuration. The folder/file browser will show the user name and group name of the owner of each file in the user:group format.

"nobody" is a valid user and group name which is commonly used with web-only user accounts. So, yes, use "nobody" as your group name.

Each line is a different command. Do not try to run them all in one line!

You have to run this command as root. If you are not a root user you can not change the ownership of files and directories (makes sense, otherwise what's the point of permissions?). That's why I said that you have to type these commands as root :)

He he! I don't think that your server guy has that much experience working with *NIX systems (including Linux). The 0700 trick is a very old trick (it exists since the 70s!) but he doesn't get it. The whole idea is that if a file is owned by user A and has 0777 permissions, user B won't be able to write to it. This is a major step towards the security of a site in a shared host environment. cPanel readily sets the permissions of users' home directories to 0700 for this reason. Maybe you should talk your host into investing in Red Hat Certified Engineer training for his engineers. After all, cPanel runs on CentOS which is just a spin-off distro of Red Hat Enterprise Linux.

Regarding suPHP, their comments are spot on, but there's more to that. Since suPHP makes PHP run under the owner user and group of the entry point file (index.php), if all files and directories are owned by your account's user then everything is writable by PHP. This eliminates the need for insecure 0777 permissions. It pretty much means that everything in your account's directory is owned by your account's users and anyone else will be simply denied access. That's a huge feature and comes with the price of running PHP in CGI mode, so you can't use APC and will have a performance problem if serving several millions of pageviews per day.

The other thing you correctly spotted is that security is a process, not a task. You can never claim that you have achieved a "secure server configuration". There's always something more to do and it's generally something you are not aware of since the very beginning. I regularly overview the security of my servers and adjust it. I regularly do maintenance work, from permissions fixing to upgrading software to reviewing logs and adjusting .htaccess rules. It's a never ending process. Feedback from other people is of paramount importance to this process, as it helps you figure out blank spots in your security setup.