I am currently trying to get WordPress running on Ubuntu Server 18.04 with Apache. I managed to get everything to work, but for some reason I am not able to use ls -l properly anymore on the WordPress directories, in which I played around with permissions. The out-of-the-box permissions didn't allow me to update my themes from the WordPress web interface.
I can't find a solution to this problem, because the permissions clearly state that I have at least read permission.
Problem: ls -l shows question marks and says permission denied.
Info: permissions are rwx for owner www-data, rw for group www-data and r for other. Output of groups includes www-data, so the user should be in the www-data group.
Outputs:
$ ls -l /usr/share/wordpress/
ls: cannot access '/usr/share/wordpress/readme.html': Permission denied
...
ls: cannot access '/usr/share/wordpress/wp-comments-post.php': Permission denied
total 0
-????????? ? ? ? ? ? index.php
...
-????????? ? ? ? ? ? xmlrpc.php
$ groups
*censored user* adm cdrom sudo dip www-data plugdev lxd lpadmin
$ sudo ls -l /usr/share/wordpress/
total 172
-rwxrw-r-- 1 www-data www-data 418 Apr 6 2018 index.php
-rwxrw-r-- 1 www-data www-data 7440 Apr 8 2018 readme.html
-rwxrw-r-- 1 www-data www-data 5697 Apr 8 2018 wp-activate.php
drwxrw-r-- 9 www-data www-data 4096 Jul 20 00:53 wp-admin
...
-rwxrw-r-- 1 www-data www-data 3065 Apr 6 2018 xmlrpc.php
P.S.: Any extra tips for WordPress security are useful.
Thanks
Edit: forgot the permissions of the directory, still confusing.
$ sudo ls -l -a /usr/share/wordpress/
total 180
drwxrw-r-- 5 www-data www-data 4096 Jul 20 17:13 .
drwxr-xr-x 162 root root 4096 Jul 20 02:40 ..
...
Set the execute bit for the group you belong to.
I have a question about the right approach for /var/www/somesite folder permissions.
The story is like this.
I have 5 developers; I put them all in the devteam group.
I have the website folder /var/www/mywebsite and I know that the /var/www/mywebsite/info folder requires Apache to write into it. I'm using ACLs because I believe that's the best approach to control what I'm looking for.
So... I configured the whole thing like this:
The structure:
joel@server:$ ls -la /var | grep www
drwxrwxr--+ 3 www-data www-data 4096 Jul 11 01:12 www
joel@server:$
joel@server:$ ls -la /var/www
drwxrwxr--+ 3 www-data www-data 4096 Jul 11 01:12 .
drwxr-xr-x 15 root root 4096 Jul 11 14:37 ..
dr-xrwsr--+ 16 www-data www-data 4096 Jul 12 06:49 mywebsite
joel@server:$
You can see that setgid is set on mywebsite so that all executables will run with the privileges of the group.
For /var/www:
joel@server:~$ sudo getfacl -p /var/www
# file: /var/www
# owner: www-data
# group: www-data
user::rwx
user:www-data:r-x
group::r-x
group:www-data:rwx
group:devteam:rwx
mask::rwx
other::r--
For /var/www/mywebsite:
joel@server:~$ sudo getfacl -p /var/www/mywebsite
# file: /var/www/mywebsite
# owner: www-data
# group: www-data
# flags: -s-
user::r-x
user:www-data:r-x
group::r-x
group:www-data:rwx
group:devteam:rwx
mask::rwx
other::r--
For /var/www/mywebsite/info:
joel@server:~$ sudo getfacl -p /var/www/mywebsite/info
# file: /var/www/mywebsite/info
# owner: joel
# group: www-data
# flags: -s-
user::rwx
user:www-data:rwx
group::r-x
group:www-data:rwx
mask::rwx
other::r--
Now... everything seems to work, except that when one of the developers tries to use git in that folder, they get this error:
fatal: not a git repository (or any of the parent directories): .git
Since I did run git init --shared=group and I know for sure that the directory structure does have .git in it (see structure below), I was sure it was permissions.
Once I added the users to the www-data group, they were able to run all the git commands they wanted (it makes sense, since the files in the directory have owner joel, group www-data).
The structure looks like this:
joel@server:~$ ls -la /var/www/mywebsite/
total 107928
dr-xrwsr--+ 16 www-data www-data 4096 Jul 12 06:49 .
drwxrwxr--+ 3 www-data www-data 4096 Jul 11 01:12 ..
-rwxrwxr--+ 1 joel www-data 213 Jul 11 01:25 .editorconfig
-rw-rw-r--+ 1 joel www-data 2013 Jul 11 20:48 .env
drwxrwxr-x+ 8 joel www-data 4096 Jul 12 10:55 .git
-rwxrwxr--+ 1 joel www-data 111 Jul 11 01:25 .gitattributes
-rwxrwxr--+ 1 joel www-data 309 Jul 11 01:25 .gitignore
-rwxrwxr--+ 1 joel www-data 412 Jul 11 21:00 .htaccess
-rwxrwxr--+ 1 joel www-data 174 Jul 11 01:25 .styleci.yml
drwxrwsr--+ 12 joel www-data 4096 Jul 11 01:25 helper
-rwxrwxr--+ 1 joel www-data 1686 Jul 11 01:25 mainly
-rw-rw-r--+ 1 joel www-data 1304 Jul 11 01:25 pipelines.yml
drwxrwsr--+ 3 joel www-data 4096 Jul 11 01:25 info
-rwxrwxr--+ 1 joel www-data 707 Jul 11 01:25 story.php
-rwxrwxr--+ 1 joel www-data 2069 Jul 11 09:50 offset.json
The reason I am the owner of everything is that I was the one who pulled it from the repository to begin with, but that will probably change, since these developers will pull what they need while logged in with their own credentials.
On to my questions:
Is this the right approach to the order and structure of the website?
I don't want my developers to be part of the www-data group because, well, because that group is not for them! It's for Apache to run the server. What can I do? How can I set it up correctly so that they'll be able to work with git without being part of the www-data group? (I thought about changing the ownership of the whole website to the devteam group, but what will happen to the apache2 service then?)
How come my /var/www/mywebsite/info doesn't have devteam permissions in its ACL (do I really need to set it up for all subfolders if it's already set up for the parent)?
Why do I have mask::rwx as part of my ACL configuration? I don't remember setting it up.
Am I doing the right thing by setting the setgid bit in such a way that all my folders will have the group privileges for executables?
I really appreciate your help on this subject.
The right approach (TM) is to not give anybody access to your server, but have them go through version control and a controlled deployment process - this way you'll have a chance to restore the server after some failure situation, an audit trail of what software was installed when etc.
As a minimum, either you or a script might pull a tagged version from a central git repo every now and then. This way it's only you or the script to ever write to Apache's directory. All developers collaborate through git, in a central repository. They send pull requests, and you'll have a trail of who did what when and why.
On the central repository, somebody merges pull requests, tags - and you're set.
Of course, you can go more fancy, but the situation that you describe sounds like a bad workaround for a problem that nobody should have (live write access to a server, for a dev team of size >1).
Edit: this even holds on a development machine. I hate making a change and debugging why it doesn't work, only to find out that it's due to somebody else's change, after an hour of useless debugging.
When I list files as a root user:
root@complect-shop:~# ls -lah /www/server/php/73/var/log/
total 5.8M
drw-r----- 2 root www 4.0K Oct 8 10:00 .
drwxr-xr-x 4 root root 4.0K Dec 16 2019 ..
-rw-r----- 1 root www 1.5M Jan 7 12:48 php-fpm.log
-rw-r----- 1 root www 4.3M Jan 6 07:12 slow.log
root@complect-shop:~#
The php-fpm.log file has read and write access for the root user and read for the www group.
Here is the error for user web, which is in the www group:
╭╴web@complect-shop ~/complect-import-stock-wc
╰╴16:41:03 $ tail /www/server/php/73/var/log/php-fpm.log
tail: cannot open '/www/server/php/73/var/log/php-fpm.log' for reading: Permission denied
Here is proof that the user is in the www group:
╭╴web@complect-shop ~/complect-import-stock-wc
╰╴16:45:05 $ groups web
web : web www-data www
The file php-fpm.log will need write access, as it is a log file, so allocate write access to the www group:
sudo chmod g+w /www/server/php/73/var/log/php-fpm.log
The group www doesn't have execute permission on the /www/server/php/73/var folder, so you cannot get in. Grant that permission this way:
$ sudo chmod g+x /www/server/php/73/var/log/
I have a folder in /media on Ubuntu, shared from Windows via fstab and cifs-utils. Can I share this folder with another user, "miki" (not root)?
root@localhost:/media#
drwxr-xrwx 4 root root 4096 Nov 15 12:21 .
drwxr-xr-x 23 root root 4096 Nov 14 06:34 ..
drwxr-xr-x 2 padm root 0 Nov 15 09:34 Archive
drwxr-xrwx 2 root root 4096 Feb 25 2019 kekik
I have tried with:
root@localhost:~# sudo chmod -R 757 /media/Archive/
but get:
chmod: changing permissions of '/media/Archive/': Permission denied
Found a solution:
I needed to modify /etc/fstab, changing the entry to:
//windowsServer/Archive /media/Archive cifs username=wundowsuser,password=somepass,uid=1000,iocharset=iso8859-1,rw,file_mode=0777,dir_mode=0777,vers=1.0 0 0
and change the group of the folder (must unmount it first!):
sudo umount -l /media/Archive
sudo chown miki:miki /media/Archive/
I'm not using SELinux, and still I can't get the apache user to create files in my cache storage directory. Can this work without using chown to change the user to the actual apache user?
[root@server live_storage]# getenforce
Disabled
[root@server live_storage]# su -s /bin/bash -c 'touch /home/admin/live_storage/c50d02d942c0a3d.cache' apache
touch: cannot touch ‘/home/admin/live_storage/c50d02d942c0a3d.cache’: Permission denied
[root@server admin]# ls -lsa
total 84
4 drwx------. 10 admin admin 4096 24 mei 10:32 .
4 drwxr-xr-x. 3 root root 4096 9 mei 11:12 ..
4 drwxrwxrwx 3 admin admin 4096 24 mei 10:33 live_storage
[admin@server live_storage]$ touch '/home/admin/live_storage/c50d02d942c0a3d.cache'
[admin@server live_storage]$ ls '/home/admin/live_storage/c50d02d942c0a3d.cache'
/home/admin/live_storage/c50d02d942c0a3d.cache
Figured it out. Apache didn't have execute rights on the /home/admin directory. chmod +x /home/admin fixed the problem.
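The WordPress "?" listing, the php-fpm.log "Permission denied" and this /home/admin case all share one root cause: a directory somewhere on the path lacks the search (x) bit for the user, even though the final file's own bits allow access. This added helper (not code from any of the posts above) walks a path and names the first such directory; it assumes GNU stat, evaluates only classic mode bits (POSIX ACLs such as the getfacl output above are ignored), and its function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from any post above: find the directory that denies
# "search" (x) permission to a user, the cause of ls -l printing "?" and
# "Permission denied" for files whose own mode bits allow reading. Assumes
# GNU stat; only classic mode bits count (POSIX ACLs are ignored).

# Echo 1 if uid/gids hold permission bit `want` (4=r, 2=w, 1=x) on `path`,
# else 0. Owner bits apply when uid owns the file, group bits when any gid
# matches the file's group, "other" bits otherwise.
has_bit() {
  path=$1 uid=$2 gids=$3 want=$4
  info=$(stat -c '%a %u %g' "$path") || return 1
  set -- $info
  mode=$((0$1)) fuid=$2 fgid=$3          # octal mode, owner uid, group gid
  if [ "$fuid" = "$uid" ]; then
    bits=$(( (mode >> 6) & 7 ))
  else
    bits=$(( mode & 7 ))                 # "other" unless a group matches
    for g in $gids; do
      if [ "$g" = "$fgid" ]; then bits=$(( (mode >> 3) & 7 )); break; fi
    done
  fi
  [ $(( bits & want )) -ne 0 ] && echo 1 || echo 0
}

# Walk every directory prefix of target (the last component is skipped); echo
# the first one lacking x and return 1, or echo nothing and return 0.
first_blocked_dir() {
  target=$1 uid=$2 gids=$3
  dir=/ rest=${target#/}
  while [ -n "$rest" ]; do
    [ "$(has_bit "$dir" "$uid" "$gids" 1)" = 1 ] || { echo "$dir"; return 1; }
    comp=${rest%%/*}
    case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
    dir=${dir%/}/$comp
  done
  return 0
}

# Resolve a user name with id(1) and print a verdict plus the minimal fix.
explain_access() {
  user=$1 target=$2
  uid=$(id -u "$user") && gids=$(id -G "$user") || return 2
  if blocked=$(first_blocked_dir "$target" "$uid" "$gids"); then
    echo "$user can traverse every directory leading to $target"
  else
    echo "$user is stopped at $blocked: no search (x) bit for that user"
    echo "fix: chmod g+x '$blocked'   (or o+x, depending on who must enter)"
  fi
}
```

Run as `explain_access www-data /usr/share/wordpress/index.php` (or `explain_access web /www/server/php/73/var/log/php-fpm.log`) to see which directory to fix instead of loosening permissions on the whole tree.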
I added "youri" to the www-data group:
grep youri /etc/group
www-data:x:33:youri
youri:x:1004:
When I upload something with FTP, the file permission is -rw-------:
ls -all
total 176
drwxr-xr-x 2 youri youri 4096 feb 25 12:38 .
dr-xr-xr-x 3 youri youri 4096 feb 25 12:08 ..
-rw-r--r-- 1 youri youri 17 feb 25 12:27 index.php
-rw------- 1 youri youri 164655 feb 25 12:24 test.pdf (uploaded with FTP)
The file index.php was created by nano and I changed the permissions with sudo chown youri:youri index.php.
When I access my website it shows me index.php, but /test.pdf gives me a "Permission denied" error.
Your webserver has no permission to read the file.
Normally, an FTP server has a configuration value called "umask", which is a value defining what permissions NOT to grant (the binary inverse of the value you would give to chmod).
For better security, most FTP servers like vsftpd ship with a default umask of 055 or 077.
As you can see, your index.php is not executable. Although technically it is just read, semantically the script is being executed by your web server, and the web server runs as the user www-data.
To have this work, change the following:
- Make youri's default group www-data: usermod -g www-data youri
- Change /etc/vsftpd.conf and set a umask of 022
- Restart vsftpd
- chmod 755 index.php (or delete it and upload it again)