TYPO3-Documentation · linawolf · May 28, 2025 · May 23, 2025 · May 24, 2025 · May 24, 2025
diff --git a/Documentation/Security/GuidelinesAdministrators/FileDirectoryPermissions.rst b/Documentation/Security/GuidelinesAdministrators/FileDirectoryPermissions.rst
@@ -1,53 +1,117 @@
-.. include:: /Includes.rst.txt
-.. index:: pair: Security guidelines; File permissions
-.. _security-file-directory-permissions:
+:navigation-title: File permissions
 
+..  include:: /Includes.rst.txt
+..  index:: pair: Security guidelines; File permissions
+..  _security-file-directory-permissions:
+
+================================================
+Secure file permissions (operating system level)
+================================================
+
+This chapter explains how to securely configure file and directory permissions
+at the operating system level for TYPO3 installations. It focuses on who can
+read and write to files on disk.
+
+To learn how to prevent public access via the web server, see
+:ref:`Restrict public file access in the web server <security-restrict-access-server-level>`.
+
+A common risk is allowing one user to read or modify another client's files—
+especially in shared environments. A misconfigured server where all sites run
+as the same user can allow cross-site scripting, data theft, or manipulation of
+TYPO3 files such as :file:`config/system/settings.php`.
+
+TYPO3 can be installed either in classic (non-Composer) mode or using a
+Composer-based setup. Each approach requires a slightly different file
+permission strategy.
+
+..  contents:: Table of contents
+
+.. _file-permissions-composer:
+
+Composer-based installations
+============================
+
+In Composer-based TYPO3 installations, the document root is typically a
+:file:`public/` directory. Core files, extensions, and the :file:`vendor/` directory
+reside outside the web root, improving security by design.
+
+**Recommendations:**
+
+-   Set the web server's document root to :file:`public/` only.
+-   Grant the web server user write access to:
+
+    -   :file:`public/fileadmin/`
+    -   :file:`public/typo3temp/`
+    -   :file:`var/` (used for cache, logs, sessions, etc.)
+
+-   The :file:`public/_assets/` directory must be **readable** by the web server.
+    It is generated during deployment or Composer operations and should not be
+    writable at runtime.
+-   The :file:`config/` directory should be **read-only** for the web server in
+    production environments **unless** certain TYPO3 features require write access:
+
+    -   To allow changing site configurations via the backend, the web server needs
+        write access to :file:`config/sites/`.
+    -   To allow system maintainers to update settings via the Admin Tools module,
+        the web server needs write access to :file:`config/system/settings.php`.
+
+-   Keep :file:`vendor/`, :file:`composer.json`, and :file:`public/index.php`
+    read-only for the web server.
+
+
+.. _file-permissions-classic:
+
+Classic-mode installations
 ==========================
-File/directory permissions
-==========================
 
-..  todo: This describes the situation in Classic mode installations only
-
-The correct and secure setup of the underlying server is an essential
-prerequisite for a secure web application. Well-considered access
-permissions on files and directories are an important part of this
-strategy. However, too strict permissions may stop TYPO3 from working
-properly and/or restrict integrators or editors from using all
-features of the CMS. The section
-:ref:`TYPO3 administration <t3coreapi:administration>`
-provides further information about the install procedure.
-
-We do not need to mention that only privileged system users should
-have read/write access to files and directories inside the web root.
-In most cases these are only users such as "root" and the user, that
-the web server runs as (e.g. `www-data`). On some systems (e.g. shared
-hosting environments), the web server user can be a specific user,
-depending on the system configuration.
-
-An important security measure for systems on which multiple users run
-their websites (e.g. various clients on a shared server) is to ensure
-that one user cannot access files in another client's web root. This
-server misconfiguration of file/directory permissions may occur if all
-virtual hosts run as the same user, for example the default web server
-user. The risk with this setup is, that a script on another virtual
-host includes files from the TYPO3 instance or writes or manipulates
-files. The TYPO3 configuration file :file:`config/system/settings.php`, which
-contains sensitive data, would be a typical example.
-
-Besides the strict separation between multiple virtual hosts, it is
-possible to revoke any write permissions for the web server user (e.g.
-`www-data`) to the TYPO3 source directory in general. In other words:
-only allow write access to resources, the web server user requires to
-have write access for, such as :file:`fileadmin/`, :file:`typo3conf/`,
-:file:`typo3temp/`.
-
-On UNIX/Linux based systems, a secure configuration can be achieved by
-setting the owner and group of directories and files correctly, as
-well as their specific access rights (read/write/execute). Even if
-users need write access to the :file:`fileadmin/` directory (besides the web
-server user), this can be technically achieved.
-
-It is not recommended to allow TYPO3 editors and other unprivileged
-users FTP, SFTP, SSH, WebDAV, etc. access to the web server's root
-directory or any sub-directory of it. See :ref:`other services <security-other-services>`
-for further explanations.
+In classic TYPO3 installations, all TYPO3 files (Core, extensions, uploads) are located
+inside the web server's document root. This increases the risk of file exposure or
+accidental manipulation, making secure filesystem permissions essential.
+
+**Recommendations:**
+
+-   On shared hosting, ensure each virtual host runs under a separate system user.
+-   Revoke write access for the web server user to the TYPO3 core source directories,
+    especially :file:`typo3/sysext/` (core system extensions) and :file:`vendor/`
+-   Allow write access only to:
+
+    -   :file:`fileadmin/`
+    -   :file:`typo3temp/`
+
+    - Only grant write access to subdirectories within :file:`typo3conf/` as needed:
+
+    -   :file:`typo3conf/ext/`, :file:`typo3conf/autoload/`, :file:`typo3conf/PackageStates.php`:
+        Required if you want to install or update extensions using the Extension Manager.
+
+    -   :file:`typo3conf/sites/`: Stores site configuration; writable if managing sites
+        through the backend.
+
+    -   :file:`typo3conf/system/`: Stores system settings; writable if modifying settings
+        via the Admin Tools → Settings module.
+
+    -   :file:`typo3conf/l10n/`: Must be writable to allow downloading or updating
+        translation files via the Admin Tools.
+
+-   The rest of the :file:`typo3conf/` directory should remain read-only to the
+    web server where possible.
+
+-   On UNIX/Linux systems, enforce appropriate user/group ownership and permissions
+    (e.g., `chmod`, `chown`).
+
+..  _security-check-permissions-admin-tools:
+
+Check file permissions in the backend
+=====================================
+
+TYPO3 provides a built-in backend tool to verify directory permissions.
+
+You can access it via:
+
+:guilabel:`Admin Tools > Environment > Directory Status`
+
+This view lists key directories such as :file:`fileadmin/`, :file:`config/`,
+:file:`var/`, and others, and shows whether the current web server user has
+the recommend level of access.
+
+Use this tool to confirm that required directories are writable after
+deployment or when debugging permission-related issues.
diff --git a/Documentation/Security/GuidelinesAdministrators/RestrictAccessToFiles.rst b/Documentation/Security/GuidelinesAdministrators/RestrictAccessToFiles.rst
@@ -1,16 +1,21 @@
-:navigation-title: Restrict File Access
+:navigation-title: Restrict HTTP access
 
 ..  include:: /Includes.rst.txt
 ..  _security-restrict-access-server-level:
 
-============================================
-Restrict access to files at the server level
-============================================
+====================
+Restrict HTTP access
+====================
 
-TYPO3 installations can either use a classic mode (non-Composer) or a
-Composer-based approach. File access and web server configuration differ
-significantly between these setups. This chapter outlines recommendations
-for both cases.
+This chapter explains how to configure your web server (Apache, NGINX, IIS)
+to prevent public access to sensitive files in a TYPO3 installation. TYPO3 can
+be installed in classic (non-Composer) or Composer-based mode, and web server
+configuration differs significantly between the two. This chapter outlines
+recommendations for both setups.
+
+If you are looking to control which system users and processes can access files
+at the operating system level, see
+:ref:`Secure file permissions (operating system level) <security-file-directory-permissions>`.
 
 ..  contents:: Table of contents