[SATLUG] WordPress / Apache problem on Ubuntu

Daniel J. Givens daniel at rugmonster.org
Tue Jan 18 17:43:41 CST 2011


On 1/18/2011 12:33 PM, Eric Haugen wrote:
> I think we are having a permissions issue on one of our test
> webservers.  In order for WordPress to function correctly Apache needs
> to have recursive ownership of /var/www/ (or whatever directory for a
> virtual host).  It seems to be working fine except for when our
> outside developer needs to get in and make adjustments to the theme.
> At that time he claims he is "locked out".  After the phone call I
> then have to go in and recursively change the permissions to his
> username for the duration of his session.
>
> Is there a way I can modify the permissions so our developer can get
> in when they need to, while at the same time have our person who is
> transferring content from the old site be able to make changes through
> the WordPress interface?

On every web server I personally have, I set up two groups:

web-write
httpd-write

Every user that's going to need to write to files goes in both groups. 
The user Apache (or nginx in my case) runs as goes into httpd-write.

Next, I change the umask for Apache by adding the following line to its 
init script toward the top before anything else (at least on RHEL/CentOS 
boxes):

umask 002

It will be important to use the init script to restart the service 
rather than using apachectl.

I also make sure the normal users have the same umask set via 
/etc/bashrc. On my CentOS box, this is the default for non-root users.

If the dev is uploading files via FTP, you'll need to take the 
appropriate steps for the service to use that umask as well. For SFTP, 
it's a little more convoluted, but I can help with that if that's what 
he's using.

Okay... permissions!

Do NOT give Apache full write access to the whole site. I can't tell you 
how many site and server compromises I've seen come out of doing that. 
What you want to do is give Apache access to write only to the 
directories it needs to. Since it uses FTP for managing a lot of things 
server side, it really comes down to a couple of directories. For my WP 
site, these are the directories with web server write access:

/wp-content/themes
/wp-content/uploads
/wp-content/cache

And because I have a plugin that automatically generates a sitemap, 
those are writable by the web server as well:

/sitemap.xml
/sitemap.xml.gz

So, with the right paths identified, you need to set the ownership and 
permissions properly. These are as easy as I can make it.

- Set the group ownership

chgrp -R web-write /path/to/htdocs/
chgrp -R httpd-write /path/to/htdocs/wp-content/themes \
    /path/to/htdocs/wp-content/uploads /path/to/htdocs/wp-content/cache

- Make directories writable by group and setgid, so new files and 
directories retain the parent directory's group owner

find /path/to/htdocs/ -type d -exec chmod 2775 {} \;

- Make the existing files group writable

find /path/to/htdocs/ -type f -exec chmod 664 {} \;

That will give you a good least-privilege, basic set of permissions. No 
crazy sudo access. Provided you have the correct umask setup, it should 
just work. It all hinges on the umask (default permissions) by which the 
files and directories are created.

You will need to test things and see if there are other directories that 
Apache needs write access to and adjust appropriately. But with it being 
as simple as changing the group owner, it should be easy to straighten 
out and not interrupt your dev's work.

Let me know if you have any questions!

Daniel

