WordPress - how to give enough folder/file access to let WP auto update?

Maybe a dumb question, but I have had some issues with this topic, and maybe get a one time fix for this.

WordPress can auto update itself, and also when I login to WordPress I can quickly update themes and plugins.

But I often get issues with folder/file rights, and things stop. Like this:

I have a script that sets these rights to folders, but I understand that giving 775 rights to folders and files is not a good idea? Nice if somebody can tell me why.

chmod 775 /home/site1/public_html/wp-content
chmod -R 775 /home/site1/public_html/wp-content/languages/
chmod -R 775 /home/site1/public_html/wp-content/plugins/
chmod -R 775 /home/site1/public_html/wp-content/themes/
chmod -R 775 /home/site1/public_html/wp-content/upgrade/
chmod 775 /home/site1/public_html/wp-admin/
chmod 775 /home/site1/public_html/wp-includes/

With that script, everything is working great with auto upgrade and updating of themes and plugins. But I'm giving too high rights to too much?

What will the best setup be?

And, after each Auto update of WordPress (from one version to another) the folder and file rights is reset back to standard. So after one update, the next update will not work because of the lacking of folder/file rights. Anything I can do to stop that? Or do I need my script for that?

Comments

  • fanfan Veteran

    I use chown -R to give the folder ownership to nginx, and it works for me.

    Thanked by 1myhken
  • I was going to post a script here but cloudflare says no.

  • k0nsl Member
    edited March 2017

    644 for files and 755 for folders is what I'm using for many of my WP installations.

    As for actually answering something; you can set a cron job to take care of that.

    Thanked by 1myhken
  • mikho Member, Host Rep

    @myhken said.

    And, after each Auto update of WordPress (from one version to another) the folder and file rights is reset back to standard. So after one update, the next update will not work because of the lacking of folder/file rights. Anything I can do to stop that? Or do I need my script for that?

    Set the correct owner of the files

    Thanked by 2myhken Falzo
  • mikho said: Set the correct owner of the files

    Forgot that I also had this in my old script:
    chown -R user:group /home/site1/public_html

    But the script @mikho linked to did the trick, I just added these two lines plus the chown line:
    find ${WP_ROOT}/wp-content -type d -exec chmod 775 {} \;
    find ${WP_ROOT}/wp-content -type f -exec chmod 664 {} \;

    Now it's working like a charm. Of course, not tested on a WP version auto update. But updating themes and plugins work great.

  • sonic Veteran

    @myhken said:
    Now it's working like a charm. Of course, not tested on a WP version auto update. But updating themes and plugins work great.

    It should also work :)

    Thanked by 1myhken
  • M66B Veteran

    Personally I find it risky to give the web server write permissions, although this is commonly done. I use a local FTP server to do the updates, which is a little convenient, since each time a username and a password needs to be specified, but it is a lot safer. Most security breaches boil down to having found a way to write a malicious script through some security hole. Without the web server having write permission this is significantly more difficult. Just a thought.

    Thanked by 2myhken marrco
  • @M66B the way I have used to update my sites (around 20 of them) is that I download WordPress on one of Windows servers, then upload it to a folder on my hosting server, then run a script that updates all sites with the new files. This has worked fine, little more work than just let WP auto update.

    So you think my old system is a better system than the new one?

  • Falzo Member

    @myhken said:
    @M66B the way I have used to update my sites (around 20 of them) is that I download WordPress on one of Windows servers, then upload it to a folder on my hosting server, then run a script that updates all sites with the new files. This has worked fine, little more work than just let WP auto update.

    So you think my old system is a better system than the new one?

    how do you set up/manage your websites after all?

    if there is more than one per server, the files of each shouldn't belong to the webserver anyways. and if they belong to an unprivileged user then the webserver should run with something that uses that user for reading/writing, like mod_ruid2, mpm-itk, suexec whatever...

    if you use a setup like that permissions shouldn't be a problem, and also auto-update and such things normally work out of the box and without the need for ftp.

  • myhken Member
    edited March 2017

    Falzo said: if there is more than one per server, the files of each shouldn't belong to the webserver anyways. and if they belong to an unprivileged user then the webserver should run with something that uses that user for reading/writing, like mod_ruid2, mpm-itk, suexec whatever...

    The files/folders of each sites belongs to the site user. I use chown -R site1:site1 /home/site1/public_html

    Is that not correct?

  • What I do is
    chown -R user:user /home/user/web/site.com/public_html

    It works great!

  • Falzo Member

    @myhken said:

    Falzo said: if there is more than one per server, the files of each shouldn't belong to the webserver anyways. and if they belong to an unprivileged user then the webserver should run with something that uses that user for reading/writing, like mod_ruid2, mpm-itk, suexec whatever...

    The files/folders of each sites belongs to the site user. I use chown -R site1:site1 /home/site1/public_html

    Is that not correct?

    assuming there is a user (and group) added to the system called site1 this should be correct yes.

    but you also would need to use some su implementation on your webserver to make it use that specific user when using these files... so it also depends on how you set up your vhost and such ;-)

    also if user and group matches and you don't use secondary groups it shouldn't make a difference in using 775 (664) or 755 (644). that said please don't add user to the webserver groups or use the webserver as group directly.

  • Falzo said: so it also depends on how you set up your vhost and such ;-)

    I'm using Virtualmin to manage my sites, so I do not setup any thing on vhost etc.
    I really hope Virtualmin do all that?

    Falzo said: that said please don't add user to the webserver groups or use the webserver as group directly

    Again, Virtualmin create one user/group for each site. I do not change any of that, not adding other users or groups.

  • well, I'm a simple man, nginx+mariadb+php-fpm is all i need.
    running chown www-data:www-data -R * on the document root folder will fix the problem for most people.
    in which "www-data" will depend on nginx configuration

  • Falzo Member

    myhken said: Again, Virtualmin create one user/group for each site. I do not change any of that, not adding other users or groups.

    that should be fine, but probably doesn't tell if your apache makes any real use of it... I haven't used virtualmin for a long time, so can't tell what the initial/default apache config is for this and if it uses something like suexec or the mentioned alternatives...

    if you upload anything within wordpress, like images and media you could have a look into the upload folder who owns this uploaded file. if it is www-data you're most probably running mod-php without any user switching, hence your problems, which might reoccur because fixing the owner and folder permissions eventually is only temporary until www-data writes new files/folders etc.

    as said I can't exactly tell how virtualmin handles this... you might want to look what apache2 mpm is installed and used. what linux distro are you using?

    Thanked by 1myhken
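
Falzo's check above (who owns the files WordPress itself has written) together with the 775-versus-755 question from the opening post, as an added read-only audit script that is not part of the thread. The function names are hypothetical; the docroot and the site user's numeric uid are supplied by the caller, e.g. `/home/site1/public_html` and `$(id -u site1)` from the thread's own example.

```shell
#!/bin/sh
# Added example, not from the thread: read-only audit of one WordPress docroot.
# It only lists and counts; it never changes ownership or modes.

# Entries NOT owned by the site user. Anything listed here was created by
# another account (typically apache/www-data when PHP runs without user
# switching), which is the "mixed bag" that later breaks updates.
foreign_owned() {        # $1 = docroot, $2 = numeric uid of the site user
    find "$1" ! -uid "$2" -print
}

# Files/directories writable by the group: what 775/664 grants.
# Harmless if the group contains only the site user, risky if the web
# server account (or other site users) are members of that group.
group_writable() {       # $1 = docroot
    find "$1" \( -type f -o -type d \) -perm -020 -print
}

# Files/directories writable by everyone: what 777/666 grants.
world_writable() {       # $1 = docroot
    find "$1" \( -type f -o -type d \) -perm -002 -print
}

# Count lines on stdin, without the padding some wc implementations add.
count_lines() {
    wc -l | tr -d ' '
}

# One-line summary. Exit status 0 only when nothing is foreign-owned and
# nothing is world-writable; group-writable entries are reported, not failed.
audit_docroot() {        # $1 = docroot, $2 = numeric uid of the site user
    foreign=$(foreign_owned "$1" "$2" | count_lines)
    gw=$(group_writable "$1" | count_lines)
    ww=$(world_writable "$1" | count_lines)
    echo "foreign_owned=$foreign group_writable=$gw world_writable=$ww"
    [ "$foreign" -eq 0 ] && [ "$ww" -eq 0 ]
}

# Run directly as: sh audit.sh /home/site1/public_html "$(id -u site1)"
if [ "$#" -eq 2 ]; then
    audit_docroot "$1" "$2"
fi
```

A non-zero `foreign_owned` count under `wp-content/uploads` right after uploading an image through WordPress indicates PHP is running as the shared web server account rather than as the site user.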
  • ricardo Member
    edited March 2017

    didtav said: well, I'm a simple man

    You can 'get by' doing that, the problem is if one of your sites gets owned (bearing in mind this is Wordpress), owned site would be able to access all other sites using the same user. If you're aware of that, great. Perhaps it's more of a issue when it's other people's websites, as it's harder to explain away why bad things happen.

    Thanked by 3Falzo vimalware marrco
  • didtav Member
    edited March 2017

    @ricardo said:

    didtav said: well, I'm a simple man

    You can 'get by' doing that, the problem is if one of your sites gets owned (bearing in mind this is Wordpress), owned site would be able to access all other sites using the same user. If you're aware of that, great. Perhaps it's more of a issue when it's other people's websites, as it's harder to explain away why bad things happen.

    if that's the case then you can simply add new user for each vhost.
    all can be done through ssh

    if my site gets owned, i would prefer to give it separated server. well, it's only me

  • I see that it's answered already. But however dockerized WP has proper permissions set. Just in case if you want to try.

  • Falzo said: if you upload anything within wordpress, like images and media you could have a look into the upload folder who owns this uploaded file

    I can see a possible issue here. When uploading a file on site1 the user and group is set to apache, not the site owner. Why, and how to solve it?

  • MrKaruppu Member
    edited March 2017

    myhken said: Why, and how to solve it?

    Because the server process writes the wp-content/uploads folder. It must be fine and if you want the site owner also to have the access, owner can join www-data group.

    Thanked by 1myhken
  • clarity_64 Member
    edited March 2017

    I'm pretty sure nginx just needs read only permissions for the directory. It's PHP that needs write permissions. On my setup, I just have a fpm pool for each site, and it works great. I set the owner and the pool user to the same, and I haven't seen any issues.

  • Falzo Member

    @MrKaruppu said:

    myhken said: Why, and how to solve it?

    Because the server process writes the wp-content/uploads folder. It must be fine and if you want the site owner also to have the access, owner can join www-data group.

    aeh... nope. doing this will enable the user to read and probably write everything the apache group is allowed to. if you want to do this, you don't really need separate user at all...

    @myhken said:

    Falzo said: if you upload anything within wordpress, like images and media you could have a look into the upload folder who owns this uploaded file

    I can see a possible issue here. When uploading a file on site1 the user and group is set to apache, not the site owner. Why, and how to solve it?

    as said, your apache probably is just running mpm-prefork with mod-php so everything the apache does is done as the apache user, hence the files and folder created through wordpress will be owned by apache. but the user apache can't modify files owned by the user site1 (and should not), that's why you see errors on automatic installations or updates as this needs to overwrite some files already there.

    you need to change your apache installation to run everything from site1 as user site1.

    I've read somewhere that there most probably is an option in virtualmin to make apache use suexec but I would probably prefer to install mpm-itk instead, as it is a good and quick dropin replacement for prefork.
    you only need to add that AssignUserID {user} {user} alike somewhere to the vhost-template...

    sorry I can't be more of help, I don't have an actual virtualmin instance running, so can't tell exactly where to put what to make it work. maybe someone using virtualmin can chime in to clarify ;-)

    what linux are you on? debian? centos?

    Thanked by 1myhken
  • Falzo said: what linux are you on? debian? centos?

    CentOS 6.8

    But if I understand it correct, it's not a issue that files uploaded get the apache:apache as user/group, and my script is changing the rights to site1:site1.
    Since I have 20 sites on my server, changing the apache settings can cause issues for other sites?

  • Falzo Member

    myhken said: But if I understand it correct, it's not a issue that files uploaded get the apache:apache as user/group, and my script is changing the rights to site1:site1. Since I have 20 sites on my server, changing the apache settings can cause issues for other sites?

    yes this can cause further issues, as all sites need to be addressed as their respective user and all files should be owned by the respective user as well.

    actually it seems everything on your webserver runs as the very same user, apache. so you probably have a mixed bag of files under every site. everything php/apache has created is owned by apache everything else that has been there before is owned by the siteuser.

    you may keep on running into permission problems if you don't allow apache to access everything (bad practice chmod 777) or if you want to modify/download/delete files the apache has created and so on.

    I understand perfectly that such changes are in no way easy on a production server, but take in account that the actual situation is far from optimal regarding security and preventing from further workarounds like running scripts to reset permissions and such.

    after all a change should consist of three major steps:

    • figure how to tell virtualmin to put assignuserid into vhost and have it rewrite all vhosts

    • fix ownership/permission for every site to the siteuser

    • install mpm-itk over mpm-prefork and restart apache

    I am no fan of centos either so maybe limited in making the right suggestions but may be you can do some kind of test... setup a spare vps or droplet on any hourly provider like you would normally (assuming you have done that several times or any kind of image ready) with this setup you could have a look into how using mpm-itk or mod_ruid2 could work and how to configure virtualmin accordingly. use a plain wordpress install for testing or something like that.

    Thanked by 1myhken
  • @Falzo thank you for all the help as always. Using a test VPS and installation can be a good thing to address this issue. I actually have a test VM with a complete backup of all my sites and settings, so I can use that for looking into this issue.

    But so long this issues causes no security issues, I can take my time.

  • Falzo Member

    it's not the best way to handle things security wise, as a breach of one site may enable the attacker to compromise other sites too, but it should not raise any direct security problems itself in first place. let's say your setup is more likely not advisable anymore, you have probably lived a long time without trouble with it and as one can read in this thread, it is not uncommon at all that people do run as apache user all over the place and if permission problems occur just change owners, groups or make all things world-writable ;-)

    Thanked by 1myhken
  • What's the situation? Multiple users who can't do anything but ftp upload into their site?
    Each one with his own wp?

    One thing I noted is that most had user=group (e.g. siteA:siteA) which might not be the best thing to do. Rather one might want to have all users separated (siteA, siteB, ...) with the server running as 'www', and then all of them being in group 'www'.

    Second remark: Who is 'other'? Is there one (authorized)? If not, have the third octal digit 0 (zero). So directories 770 (as the group is used) and files 660.

  • bsdguy said: What's the situation? Multiple users who can't do anything but ftp upload into their site? Each one with his own wp?

    The situation is that I manage around 20 WordPress sites on one server. Luckily I do not give any access to my customers, I manage everything, including updating/changing info on their sites. So there are no issues, beside my own issues.

    I have no issues with uploading files from WP. But I have had issues with WP auto update not working, and also when I try to update themes and plugins from each WP installation.

    This issues has now been solved with a couple of lines in a script.

    Still, new files uploaded in WP, is given apache:apache rights, and not site1:site1 rights.
    But when running my script, the rights is set correctly for each site.

    To quick update all my sites with new WP version and/or plugins I upload WP/plugin files to a folder on my server, then run a .sh file that copy the files to all WP sites on that server. Then change the owner/group to the right one for each site. (aka site1:site1) then set the wp-content folder rights to 755 and file rights to 664

    So everything can be fixed using a script. But the question is if there is any point to let the system manage the user/groups rights and the folder and file rights by it self.
    Or just stick with my current setup...

  • I pull back. apache + php + wp is so far off from what I do (and how) that others may be in a better position to advise you.

    Thanked by 1myhken