I am using Mambo 4.5.4. Mambo is writing files I upload via the Mambo interface to a group called Apache. This becomes a problem when you try to download a file and your ftp user is not in the same group. How can I resolve this permissions problem? What is the most secure and best practice?

All files uploaded to the website through ftp or the mambo 4.5.4 interface should all be under the same group. Do I need to alter code in mambo?

If so which ones and with what code? Your help is kindly appreciated.

Most secure would be to use PHP as suexec which, instead of running PHP as Apache module (PHP as Apache process owner), runs PHP (and so anything PHP-based) as CGI (under your own username) which means you don't need / can't use overly broad perms like octal 0777. There are some small problems like you will need to move any php_flags from a .htaccess files to per-directory php.ini files IIRC but all in all it will give you a more secure setup and since every file uploaded will be owned by you access problems should no longer be a problem.

Doesn't mean transition to PHPsuexec is a no-brainer or won't break things. If you want to make sure you can survive the transition it would be best to set up a (local) copy of the server and research and document what you need to change to make the transition. That way the risk of fscking up your production host can be minimised and you can practice all you want.

Are you saying this will make Mambo more secure than it has ever been? If yes, that sounds great! Perhaps this is a different version of Mambo that can be offered. Have you tried this before? Would you be willing to work with someone on the mambo forum to get something like this going?

Your idea can resolve a lot of security problems with CMS if it works they way you mentioned. But for right now, it may be more than I am able to do. What would make this a burden for me is changing the mambo files whenever I update with a patch (which is often). Although I like your idea, it sounds very secure but it's time to implement during upgrade. Does anyone else have suggestions?

The suexec method has been known for some time, is promoted, documented and discussed all over teh intarweb and is used by several hosting providers, it really is nothing new. Adding more strict security measures like this implies potential problems with some functionality and more maintenance. It's the usual trade-off. That's why I suggested using a testbed. Unless you have the knowledge and experience to determine that beforehand, saying it will be a burden w/o having tried and tested it seems somewhat premature to me. I suggest you read some (PHP)suexec docs first.

I will post this discussion over at Joomla and Mambo's web sites in their security areas. I am not sure if any are aware of this. Perhaps this can help them make mambo more secure. Thank you very much.

P.S. I will read these documents as well that you suggested. I am not against the idea, I am looking at it from a perspective of ease since my day to day operations include all aspects of managing the web server (maintaining the server itself, updating content, marketing, db maintenance etc.). So I streamline areas. Your suggestion is something the security team at both CMS's should consider. If they already have, I would like to know what their opinions are on it. Like I said, overall it sounds like it's needed. But that is not my area of expertise.

Actually you could read http://forum.joomla.org/index.php?board=322.0 and then search both Joomla and Mambo fora for "suexec" and see what it turns up. In the Mambo fora there's quite a few threads to read I see.