[SATLUG] WordPress / Apache problem on Ubuntu

Josh Lavin satlug at jlavin.com
Thu Jan 20 09:12:51 CST 2011


On Wed, Jan 19, 2011 at 6:44 PM, Daniel J. Givens <daniel at rugmonster.org> wrote:
> On 1/19/2011 4:08 PM, Josh Lavin wrote:
>>
>> Most servers running PHP do so with some sort of set-user jail, so
>> that the PHP pages can be owned by their own user.
>
> Huh? Since when? I've been managing thousands of web servers (literally)
> running PHP and that scenario is hardly ever used.
>
>> You should look at
>> suPHP, or else have a separate instance of Apache/PHP for your user
>> and set the User/Group directives to that user (but let root own
>> Apache itself).
>
> If you're setting up a big shared environment, I could see this. However,
> running multiple Apache instances would require a separate IP for each site.
> If there's no need for SSL, then that is just wasting precious resources. If
> you were really wanting to do user separation, you could use php-cgi under
> FastCGI, each one running as the respective user, or use something like
> httpd-itk.

I use php-cgi and FastCGI myself, but other hosts I have seen use
suPHP. These are shared environments.

> Either way, I don't want to give my web server any unnecessary write access
> because one missed update could turn your box into a spambot, phishing site,
> or any other thing. And no, you don't need root privileges to do that.
>
>> You will find that any other scenario will prevent the WordPress
>> automatic update function.
>
> Incorrect. The WordPress auto update uses FTP. That user only needs write
> access. Not the user the web server is running as. See my previous reply on
> what is generally accepted as the best practice for most use-cases, at least
> among my peers.

The update page in the WP admin will fall back to asking for FTP
credentials -- but note it does not support SFTP. With something like
suPHP, WordPress can download the update file, unzip, and install --
all the user has to do is click a button to get it started.

Even if you do the manual FTP update from this page (or update from
the shell), any files you upload via the WordPress admin will wind up
owned by Apache. And you have to make the upload directory
world-writeable to do this.

In my experience, trying to run PHP and get all the functionality of
WordPress involves some compromise between world-writeable directories
or suPHP or FastCGI. I guess it comes down to whichever one you trust
the most.
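As an added example (not from the thread), the following script checks a WordPress document root for the two conditions discussed above: paths left world-writable so uploads work, and files owned by the web server account (i.e. writable by PHP code, which is the exposure Daniel warns about). The account name (www-data on Ubuntu) and the directory layout are assumptions; the sample tree is constructed for demonstration.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for write access the web server
# should not have. Assumes POSIX sh and a find(1) with -perm and -user.

# Count world-writable files and directories under $1 (symlinks ignored).
count_world_writable() {
    find "$1" -perm -0002 ! -type l | wc -l | tr -d ' '
}

# Count regular files under $1 owned by the web server account $2.
count_owned_by() {
    find "$1" -type f -user "$2" | wc -l | tr -d ' '
}

# Print offending paths; return 0 only when neither condition is present.
audit_wordpress_tree() {
    root=$1; webuser=$2; status=0
    ww=$(find "$root" -perm -0002 ! -type l)
    if [ -n "$ww" ]; then
        printf 'world-writable paths:\n%s\n' "$ww"; status=1
    fi
    owned=$(find "$root" -type f -user "$webuser")
    if [ -n "$owned" ]; then
        printf 'files owned by %s (writable by PHP):\n%s\n' "$webuser" "$owned"
        status=1
    fi
    return "$status"
}

# Constructed sample tree: a minimal WordPress-like layout with the
# "make the upload directory world-writeable" compromise applied.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads" "$dir/wp-content/plugins"
    printf '<?php\n' > "$dir/wp-config.php"
    printf 'x' > "$dir/wp-content/uploads/image.jpg"
    chmod 0644 "$dir/wp-config.php" "$dir/wp-content/uploads/image.jpg"
    chmod 0755 "$dir" "$dir/wp-content" "$dir/wp-content/plugins"
    chmod 0777 "$dir/wp-content/uploads"   # the world-writable upload dir
    printf '%s\n' "$dir"
}

# Usage: sh wp_audit.sh /var/www/html www-data
if [ $# -ge 2 ]; then
    audit_wordpress_tree "$1" "$2"
fi
```

Exit status is non-zero when anything is found, so the script can run from cron or a configuration check without parsing its output.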
