[SATLUG] WordPress / Apache problem on Ubuntu

Eric Haugen erichaugen at gmail.com
Tue Jan 18 18:29:14 CST 2011


On Tue, Jan 18, 2011 at 5:43 PM, Daniel J. Givens <daniel at rugmonster.org> wrote:
> On 1/18/2011 12:33 PM, Eric Haugen wrote:
>>
>> I think we are having a permissions issue on one of our test
>> webservers.  In order for WordPress to function correctly Apache needs
>> to have recursive ownership of /var/www/ (or whatever directory for a
>> virtual host).  It seems to be working fine except for when our
>> outside developer needs to get in and make adjustments to the theme.
>> At that time he claims he is "locked out".  After the phone call I
>> then have to go in and recursively change the permissions to his
>> username for the duration of his session.
>>
>> Is there a way I can modify the permissions so our developer can get
>> in when they need to, while at the same time have our person who is
>> transferring content from the old site be able to make changes through
>> the WordPress interface?
>
> On every web server I personally have, I set up two groups:
>
> web-write
> httpd-write
>
> Every user that's going to need to write to files, they go in both groups.
> The user Apache (or nginx in my case) runs as goes into httpd-write.
>
> Next, I change the umask for Apache by adding the following line to its
> init script toward the top before anything else (at least on RHEL/CentOS
> boxes):
>
> umask 002
>
> It will be important to use the init script to restart the service rather
> than using apachectl.
>
> I also make sure the normal users have the same umask set via /etc/bashrc.
> On my CentOS box, this is the default for non-root users.
>
> If the dev is uploading files via FTP, you'll need to take the appropriate
> steps for the service to use that umask as well. For SFTP, it's a little
> more convoluted, but I can help with that if that's what he's using.
>
> Okay... permissions!
>
> Do NOT give Apache full write access to the whole site. I can't tell you how
> many site and server compromises I've seen come out of doing that. What you
> want to do is give Apache access to write only to the directories it needs
> to. Since it uses FTP for managing a lot of things server side, it really
> comes down to a couple of directories. For my WP site, these are the
> directories with web server write access:
>
> /wp-content/themes
> /wp-content/uploads
> /wp-content/cache
>
> And because I have a plugin that automatically generates a sitemap, those
> are writable by the web server as well:
>
> /sitemap.xml
> /sitemap.xml.gz
>
> So, with the right paths identified, you need to set the ownership and
> permissions properly. These are as easy as I can make it.
>
> - Set the group ownership
>
> chgrp -R web-write /path/to/htdocs/
> chgrp -R httpd-write /path/to/htdocs/themes /path/to/htdocs/uploads /path/to/htdocs/cache
>
> - Make directories writable by group and setgid, so new files and
> directories retain the parent directory's group owner
>
> find /path/to/htdocs/ -type d -exec chmod 2775 {} \;
>
> - Make the existing files group writable
>
> find /path/to/htdocs/ -type f -exec chmod 664 {} \;
>
> That will give you a good least-privilege, basic set of permissions. No
> crazy sudo access. Provided you have the correct umask setup, it should just
> work. It all hinges on the umask (default permissions) by which the files
> and directories are created.
>
> You will need to test things and see if there are other directories that
> Apache needs write access to and adjust appropriately. But with it being as
> simple as changing the group owner, it should be easy to straighten out and
> not interrupt your dev's work.
>
> Let me know if you have any questions!
>
> Daniel

Wow Daniel, Thanks!!
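
An audit of a docroot against the scheme Daniel describes, as an added example that is not part of the original thread: it lists anything the web server's group can write outside the paths he names, directories missing the setgid bit, and world-writable entries. The function name audit_webroot and the WEBWRITE/NOSGID/WORLDW labels are assumptions of this sketch; the group name and the writable paths are the ones from the message.

```shell
#!/bin/sh
# Added example: audit a WordPress docroot against the group scheme in the thread.
# audit_webroot and the output labels are assumptions of this sketch.
# Usage: audit_webroot /path/to/htdocs httpd-write

audit_webroot() {
    aw_root=${1%/}   # docroot, trailing slash removed
    aw_grp=$2        # group the web server writes through (name or numeric gid)

    # 1. Group-writable entries owned by the web server's group that sit
    #    outside the paths listed as needing web server write access.
    find "$aw_root" \( \
            -path "$aw_root/wp-content/themes" -o \
            -path "$aw_root/wp-content/uploads" -o \
            -path "$aw_root/wp-content/cache" -o \
            -path "$aw_root/sitemap.xml" -o \
            -path "$aw_root/sitemap.xml.gz" \
        \) -prune -o -group "$aw_grp" -perm -0020 -print |
        sed 's/^/WEBWRITE /'

    # 2. Directories without setgid: files created here take the creator's
    #    primary group instead of the directory's group (chmod 2775 step).
    find "$aw_root" -type d ! -perm -2000 -print | sed 's/^/NOSGID /'

    # 3. World-writable entries: writable by any local account, which the
    #    two-group scheme never requires.
    find "$aw_root" ! -type l -perm -0002 -print | sed 's/^/WORLDW /'
}

# Run the audit when the script is called with a docroot and a group.
if [ "$#" -ge 2 ]; then audit_webroot "$1" "$2"; fi
```

No output means the tree matches the scheme; a WEBWRITE line for a file such as wp-config.php means PHP running as the web server can rewrite it.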

