Topics

  • Permission Modes
    • Instance Permission Modes
  • Permission Scheme for WordPress
    • Shared Hosting with suexec
  • Using an FTP Client
    • Unhide the hidden files
  • Using the Command Line
    • About Chmod
  • The dangers of 777
    • The Worst Outcome
    • Find a Workaround
  • Finding Secure File Permissions
    • Example Permission Settings
      • .htaccess permissions
      • php.ini permissions
      • php.cgi permissions
      • php5.cgi permissions
    • SELinux
      • How to determine if selinux is the problem?
    • See Also

On computer file systems, different files and directories have permissions that specify who and what can read, write, modify and access them. This is important because WordPress may need access to write to files in your wp-content directory to enable certain functions.

Permission Modes

    7       5       5
    user    group   world
    r+w+x   r+x     r+x
    4+2+1   4+0+1   4+0+1   = 755

The permission mode is computed by adding up the following values for the user, the file group, and for everyone else. The diagram shows how.

  • Read 4 – Allowed to read files
  • Write 2 – Allowed to write/modify files
  • eXecute 1 – Allowed to run a file; on a directory, allowed to enter it, which is needed before the files inside can be read, written, deleted or modified

    7       4       4
    user    group   world
    r+w+x   r       r
    4+2+1   4+0+0   4+0+0   = 744

Example Permission Modes

Mode  Str Perms   Explanation
0477  -r--rwxrwx  owner has read only (4), other and group has rwx (7)
0677  -rw-rwxrwx  owner has rw only (6), other and group has rwx (7)
0444  -r--r--r--  all have read only (4)
0666  -rw-rw-rw-  all have rw only (6)
0400  -r--------  owner has read only (4), group and others have no permission (0)
0600  -rw-------  owner has rw only, group and others have no permission
0470  -r--rwx---  owner has read only, group has rwx, others have no permission
0407  -r-----rwx  owner has read only, other has rwx, group has no permission
0670  -rw-rwx---  owner has rw only, group has rwx, others have no permission
0607  -rw----rwx  owner has rw only, group has no permission and others have rwx
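As an added example (not part of the WordPress documentation), the POSIX shell functions below do the same 4+2+1 addition as the diagrams above in both directions: an octal mode such as 0477 becomes the rwx string shown in the table, and a string as displayed by an FTP client or `ls -l` becomes its octal mode. The function names are my own; the modes in the demo loop are the ones used on this page.

```shell
#!/bin/sh
# Added example, not from the WordPress documentation: octal mode <-> rwx string.

# One octal digit (0-7) -> a three-character rwx triplet, e.g. 5 -> "r-x".
digit_to_rwx() {
    d=$1
    out=""
    if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    printf '%s' "$out"
}

# Octal mode (755, 0755, 644, ...) -> nine-character user/group/world string.
# Only the last three digits are used; a leading setuid/setgid/sticky digit is dropped.
mode_to_rwx() {
    m=$1
    while [ ${#m} -gt 3 ]; do m=${m#?}; done
    while [ ${#m} -lt 3 ]; do m=0$m; done
    u=${m%??}
    rest=${m#?}
    g=${rest%?}
    o=${rest#?}
    printf '%s%s%s' "$(digit_to_rwx "$u")" "$(digit_to_rwx "$g")" "$(digit_to_rwx "$o")"
}

# One rwx triplet -> octal digit, e.g. "rw-" -> 6 (the 4+2+1 addition).
rwx_to_digit() {
    s=$1
    d=0
    case $s in r??) d=$((d + 4));; esac
    case $s in ?w?) d=$((d + 2));; esac
    case $s in ??x) d=$((d + 1));; esac
    printf '%d' "$d"
}

# Nine-character string, or the ten-character form `ls -l` prints with the
# leading file-type character, -> three-digit octal mode, e.g. "-rw-r--r--" -> 644.
rwx_to_mode() {
    s=$1
    if [ ${#s} -eq 10 ]; then s=${s#?}; fi
    u=$(printf '%.3s' "$s")
    rest=${s#???}
    g=$(printf '%.3s' "$rest")
    o=${rest#???}
    printf '%s%s%s' "$(rwx_to_digit "$u")" "$(rwx_to_digit "$g")" "$(rwx_to_digit "$o")"
}

# Demo: the modes named on this page, converted to a string and back.
for mode in 755 744 644 640 600 400 666 777; do
    str=$(mode_to_rwx "$mode")
    printf '%s -> %s -> %s\n' "$mode" "$str" "$(rwx_to_mode "$str")"
done
```

Feed `rwx_to_mode` the permission column from an FTP client listing and it gives back the number to type into the 'Numeric value:' box; feed `mode_to_rwx` a number from this page and it shows exactly which of owner, group and world gets write access.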

Permission Scheme for WordPress

Permissions will be different from host to host, so this guide only details general principles. It cannot cover all cases. This guide applies to servers running a standard setup (note, for shared hosting using "suexec" methods, see below).

Typically, all files should be owned by your user (ftp) account on your web server, and should be writable by that account. On shared hosts, files should never be owned by the webserver process itself (sometimes this is the www, apache, or nobody user).

Any file that needs write access from WordPress should be owned or group-owned by the user account used by WordPress (which may be different than the server account). For example, you may have a user account that lets you FTP files back and forth to your server, but your server itself may run using a separate user, in a separate usergroup, such as dhapache or nobody. If WordPress is running as the FTP account, that account needs to have write access, i.e., be the owner of the files, or belong to a group that has write access. In the latter case, that would mean permissions are set more permissively than default (for example, 775 rather than 755 for folders, and 664 instead of 644).

The file and folder permissions of WordPress should be the same for most users, depending on the type of installation you performed and the umask settings of your system environment at the time of install.

NOTE: If an experienced user installed WordPress for you, you likely do not need to change file permissions. Unless you are experiencing problems with permission errors, or you want to, you probably should not mess with this.

NOTE: If you installed WordPress yourself, you likely DO need to modify file permissions. Some files and directories should be "hardened" with stricter permissions, specifically, the wp-config.php file. This file is initially created with 644 permissions, and it's a hazard to leave it like that. See Security and Hardening.

Typically, all core WordPress files should be writable only by your user account (or the httpd account, if different). (Sometimes though, multiple ftp accounts are used to manage an install, and if all ftp users are known and trusted, i.e., not a shared host, then assigning group writable may be appropriate. Ask your server admin for more info.) However, if you use mod_rewrite Permalinks or other .htaccess features you should make sure that WordPress can also write to your /.htaccess file.

If you want to use the built-in theme editor, all files need to be group writable. Try using it before modifying file permissions, it should work. (This may be true if different users uploaded the WordPress package and the Plugin or Theme. This wouldn't be a problem for Plugins and Themes installed via the admin. When uploading files with different ftp users, group writable is needed. On shared hosting, make sure the group is exclusive to users you trust… the apache user shouldn't be in the group and shouldn't own files.)

Some plugins require the /wp-content/ folder be made writeable, but in such cases they will let you know during installation. In some cases, this may require assigning 755 permissions. The same is true for /wp-content/cache/ and possibly /wp-content/uploads/ (if you're using MultiSite you may also need to do this for /wp-content/blogs.dir/).

Additional directories under /wp-content/ should be documented by whatever plugin / theme requires them. Permissions will vary.

/
|- index.php
|- wp-admin
|   `- wp-admin.css
|- wp-blog-header.php
|- wp-comments-post.php
|- wp-commentsrss2.php
|- wp-config.php
|- wp-content
|   |- cache
|   |- plugins
|   |- themes
|   `- uploads
|- wp-cron.php
|- wp-includes
`- xmlrpc.php

Shared Hosting with suexec

The above may not apply to shared hosting systems that use the "suexec" approach for running PHP binaries. This is a popular approach used by many web hosts. For these systems, the php process runs as the owner of the php files themselves, allowing for a simpler configuration and a more secure environment for the specific case of shared hosting.

Note: suexec methods should NEVER be used on a single-site server configuration; they are more secure only for the specific case of shared hosting.

In such a suexec configuration, the correct permissions scheme is simple to understand.

  • All files should be owned by the actual user's account, not the user account used for the httpd process.
  • Group ownership is irrelevant, unless there are specific group requirements for the web-server process permissions checking. This is not usually the case.
  • All directories should be 755 or 750.
  • All files should be 644 or 640. Exception: wp-config.php should be 440 or 400 to prevent other users on the server from reading it.
  • No directories should ever be given 777, even upload directories. Since the php process is running as the owner of the files, it gets the owner's permissions and can write to even a 755 directory.
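As an added example, not from the WordPress documentation, the shell script below applies the scheme just listed to a WordPress tree (directories 755, files 644, wp-config.php 400) and then audits the tree for anything still world-writable, which is the check worth running before and after any of the chmod experiments on this page. The function names, the `mode_of` helper and the temporary directory tree built at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the WordPress documentation: apply the suexec-style
# permission scheme to a WordPress tree and audit it for world-writable entries.

# Apply the scheme to the WordPress root given as $1.
wp_apply_scheme() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database credentials; the page recommends 440 or 400.
    if [ -f "$root/wp-config.php" ]; then
        chmod 400 "$root/wp-config.php"
    fi
}

# Print every entry under $1 whose "world" write bit (002) is set.
# Returns 0 when nothing is world-writable, 1 otherwise.
wp_find_world_writable() {
    root=$1
    found=$(find "$root" -perm -002 -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Octal mode of a path; GNU stat first, BSD/macOS stat as fallback (helper for the demo).
mode_of() {
    if stat -c '%a' "$1" 2>/dev/null; then
        return 0
    fi
    stat -f '%Lp' "$1"
}

# Demo on a constructed tree: start from the settings the page warns against,
# apply the scheme, then confirm nothing is world-writable any more.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads" "$demo/wp-admin"
printf '%s\n' '<?php' > "$demo/index.php"
printf '%s\n' "<?php define('DB_PASSWORD', 'constructed-example');" > "$demo/wp-config.php"
: > "$demo/wp-content/uploads/photo.jpg"
chmod 777 "$demo/wp-content/uploads"   # the 777 upload directory the page warns about
chmod 666 "$demo/wp-config.php"        # world-readable credentials
printf 'before: uploads=%s wp-config.php=%s\n' \
    "$(mode_of "$demo/wp-content/uploads")" "$(mode_of "$demo/wp-config.php")"
wp_apply_scheme "$demo"
printf 'after:  uploads=%s wp-config.php=%s\n' \
    "$(mode_of "$demo/wp-content/uploads")" "$(mode_of "$demo/wp-config.php")"
if wp_find_world_writable "$demo"; then
    echo "no world-writable entries under $demo"
fi
rm -rf "$demo"
```

On a real install run `wp_apply_scheme /path/to/wordpress` as the account that owns the files, then keep `wp_find_world_writable` in a cron job or deploy script: a non-empty listing means something has drifted back to 777 or 666 and should be explained before it is tolerated.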

In this specific type of setup, WordPress will detect that it can directly create files with the proper ownership, and so it will not ask for FTP credentials when upgrading or installing plugins.

Popular methods used by sysadmins for this setup are:

  • suPHP, runs through php-cgi, currently unmaintained since 2013.
  • mod_ruid2, apache module, currently unmaintained since 2013.
  • mpm-itk, apache module.
  • mod_fcgid, an Apache module and FastCGI server with more extensive configuration.
  • PHP-FPM, an alternative FastCGI server with shared OPCode, for use with Apache and Nginx.

Using an FTP Client

FTP programs ("clients") allow you to set permissions for files and directories on your remote host. This function is often called chmod or set permissions in the program menu.

In a WordPress install, two files that you will probably want to change are the index page, and the css which controls the layout. Here's how you change index.php – the process is the same for any file.

In the screenshot below, look at the last column – that shows the permissions. It looks a bit confusing, but for now just note the sequence of letters.

Initial permissions

Right-click 'index.php' and select 'File Permissions'.
A popup screen will appear.

Altering file permissions

Don't worry about the check boxes. Just delete the 'Numeric value:' and enter the number you need – in this case it's 666. Then click OK.

Permissions have been altered.

You can now see that the file permissions have been changed.

Unhide the hidden files

By default, most FTP Clients, including FileZilla, keep hidden files, those files starting with a period (.), from being displayed. But, at some point, you may need to see your hidden files so that you can change the permissions on that file. For example, you may need to make your .htaccess file, the file that controls permalinks, writeable.

To display hidden files in FileZilla, it is necessary to select 'View' from the top menu, and then select 'Show hidden files'. The screen display of files will refresh and any previously hidden file should come into view.

To get FileZilla to always show hidden files – under Edit, Settings, Remote File List, check the Always show hidden files box.

In the latest version of FileZilla, the 'Show hidden files' option was moved to the 'Server' tab. Select 'Force show hidden files.'

Using the Command Line

If you have shell/SSH access to your hosting account, you can use chmod to change file permissions, which is the preferred method for experienced users. Before you start using chmod it would be recommended to read some tutorials to make sure you understand what you can achieve with it. Setting incorrect permissions can take your site offline, so please take your time.

  • Unix Permissions

You can make all the files in your wp-content directory writable in two steps, but before making every single file and folder writable you should first try safer alternatives like modifying just the directory. Try each of these commands first and if they don't work then go recursive, which will make even your themes' image files writable. Replace DIR with the folder you want to write in:

chmod -v 746 DIR
chmod -v 747 DIR
chmod -v 756 DIR
chmod -v 757 DIR
chmod -v 764 DIR
chmod -v 765 DIR
chmod -v 766 DIR
chmod -v 767 DIR

If those fail to allow you to write, try them all again in order, except this time replace -v with -R, which will recursively modify each file located in the folder. If after that you still can't write, you may now try 777.

About Chmod

chmod is a unix command that means "change mode" on a file. The -R flag means to apply the change to every file and directory inside of wp-content. 766 is the mode we are changing the directory to; it means that the directory is readable and writable by WordPress and any and all other users on your system. Finally, we have the name of the directory we are going to modify, wp-content. If 766 doesn't work, you can try 777, which makes all files and folders readable, writable, and executable by all users, groups, and processes.

If you use Permalinks you should also change permissions of .htaccess to make sure that WordPress can update it when you change settings such as adding a new page, redirect, category, etc., which requires updating the .htaccess file when mod_rewrite Permalinks are being used.

  1. Go to the main directory of WordPress
  2. Enter chmod -v 666 .htaccess

Note: From a security standpoint, even a small amount of protection is preferable to a world-writeable directory. Start with low permissive settings like 744, working your way up until it works. Only use 777 if necessary, and hopefully only for a temporary amount of time.

The dangers of 777

The crux of this permission issue is how your server is configured. The username you use to FTP or SSH into your server is most likely not the username used by the server application itself to serve pages.

    7       7       7
    user    group   world
    r+w+x   r+w+x   r+w+x
    4+2+1   4+2+1   4+2+1   = 777

Often the Apache server is 'owned' by the www-data, dhapache or nobody user accounts. These accounts have a limited amount of access to files on the server, for a very good reason. By setting your personal files and folders owned by your user account to be World-Writable, you are literally making them World Writable. Now the www-data, dhapache and nobody users that run your server, serving pages, executing php interpreters, etc. will have full access to your user account files.

This provides an avenue for someone to gain access to your files by hijacking basically any process on your server; this also includes any other users on your machine. So you should think carefully about modifying permissions on your machine. I've never come across anything that needed more than 767, so when you see 777 ask why it's necessary.

The Worst Outcome

The worst that can happen as a result of using 777 permissions on a folder or even a file is that if a malicious cracker or entity is able to upload a devious file or modify a current file to execute code, they will have complete control over your blog, including having your database information and password.

Find a Workaround

It is usually pretty easy to have the enhanced features provided by the impressive WordPress plugins available, without having to put yourself at risk. Contact the Plugin author or your server support and request a workaround.

Finding Secure File Permissions

The .htaccess file is one of the files that is accessed by the owner of the process running the server. So if you set the permissions too low, then your server won't be able to access the file and will cause an error. Therein lies the method to find the most secure settings. Start too restrictive and increase the permissions until it works.

Example Permission Settings

The following example has a custom compiled php-cgi binary and a custom php.ini file located in the cgi-bin directory for executing php scripts. To prevent the interpreter and php.ini file from being accessed directly in a web browser they are protected with a .htaccess file.

Default Permissions (umask 022)

644 -rw-r--r--  /home/user/wp-config.php
644 -rw-r--r--  /home/user/cgi-bin/.htaccess
644 -rw-r--r--  /home/user/cgi-bin/php.ini
755 -rwxr-xr-x  /home/user/cgi-bin/php.cgi
755 -rwxr-xr-x  /home/user/cgi-bin/php5.cgi

Secured Permissions

600 -rw-------  /home/user/wp-config.php
604 -rw----r--  /home/user/cgi-bin/.htaccess
600 -rw-------  /home/user/cgi-bin/php.ini
711 -rwx--x--x  /home/user/cgi-bin/php.cgi
100 ---x------  /home/user/cgi-bin/php5.cgi

.htaccess permissions

644 > 604 – The bit allowing the group owner of the .htaccess file read permission was removed. 644 is normally required and recommended for .htaccess files.

php.ini permissions

644 > 600 – Previously all groups and all users with access to the server could access the php.ini, even by only requesting it from the site. The tricky thing is that because the php.ini file is only used by the php.cgi, we only needed to make sure the php.cgi process had access. The php.cgi runs as the same user that owns both files, so that single user is now the only user able to access this file.

php.cgi permissions

755 > 711 – This file is a compiled php-cgi binary used instead of mod_php or the default vanilla php provided by the hosting company. The default permissions for this file are 755.

php5.cgi permissions

755 > 100 – Because of the setup where the user account is the owner of the process running the php cgi, no other user or group needs access, so we disable all access except execution access. This is interesting because it really works. You can try reading the file, writing to the file, etc. but the only access you have to this file is to run php scripts. And as the owner of the file you can always modify the permission modes back again.

$ cat php5.cgi
cat: php5.cgi: Permission denied
$ ./php5.cgi
Welcome

SELinux

Security Enhanced Linux is a kernel security module that provides mechanisms by which processes can be sandboxed into particular contexts. This is of particular use to limit the actions that web pages can perform on other parts of the operating system. Actions that are denied by the security policy are often hard to distinguish from regular file permission errors.

selinux is typically installed on Redhat family distributions (e.g., CentOS, Fedora, Scientific, Amazon and others).

How to determine if selinux is the problem?

If you are on a debian based distribution, you are probably fine.

Run the following command (on rpm based systems);

# rpm -qa | grep selinux
selinux-policy-targeted-3.13.1-166.el7_4.7.noarch
selinux-policy-3.13.1-166.el7_4.7.noarch
libselinux-2.5-11.el7.x86_64
libselinux-python-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64

and to check whether it is the cause of denials of permissions:

# getenforce
Enforcing

One issue that selinux causes is blocking the wp-admin tools from writing out the `.htaccess` file that is required for url rewriting. There are several commands for inspecting this behaviour:

# audit2allow -w -a
type=AVC msg=audit(1517275570.388:55362): avc:  denied  { write } for  pid=11831 comm="httpd" path="/var/www/example.org/.htaccess" dev="vda1" ino=67137959 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
        Was caused by:
        The boolean httpd_unified was set incorrectly.
        Description:
        Allow httpd to unified

        Allow access by executing:
        # setsebool -P httpd_unified 1

and

# ausearch -m avc -c httpd
----
time->Tue Jan 30 01:30:31 2018
type=PROCTITLE msg=audit(1517275831.762:55364): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1517275831.762:55364): arch=c000003e syscall=21 success=no exit=-13 a0=55b9c795d268 a1=2 a2=0 a3=1 items=0 ppid=11826 pid=11829 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1517275831.762:55364): avc:  denied  { write } for  pid=11829 comm="httpd" name="bioactivator.org" dev="vda1" ino=67137958 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
----


You can temporarily disable selinux to determine if it is the cause of the problems;

# setenforce
usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]
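As an added example (not part of the WordPress documentation, and not one of the SELinux tools), the shell functions below read `type=AVC` audit lines like the ones above from stdin and reduce each denial to the process, the denied action, the target class, the target's SELinux type and the path or name involved. A summary that shows httpd in the httpd_t domain being denied writes to httpd_sys_content_t is the signature of the .htaccess problem described above, as opposed to an ordinary mode or ownership error. The three audit lines in AVC_SAMPLE are constructed for the demo and follow the format shown on this page.

```shell
#!/bin/sh
# Added example, not from the WordPress documentation: summarise SELinux AVC
# denials so they can be told apart from plain file-permission errors.

# Constructed sample audit lines in the format shown on this page.
AVC_SAMPLE='type=AVC msg=audit(1517275570.388:55362): avc:  denied  { write } for  pid=11831 comm="httpd" path="/var/www/example.org/.htaccess" dev="vda1" ino=67137959 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1517275570.388:55362): arch=c000003e syscall=21 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1517275831.762:55364): avc:  denied  { write } for  pid=11829 comm="httpd" name="example.org" dev="vda1" ino=67137958 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir'

# Reduce AVC denial lines on stdin to one record per denial:
#   <process> <denied action> <target class> <target type> <path or name>
# Only the first action inside "{ ... }" is reported.
avc_summarize() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        comm = ""; act = ""; tclass = ""; ttype = ""; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") act = $(i + 1)
            if ($i ~ /^comm=/)   { comm = $i; sub(/^comm=/, "", comm); gsub("\"", "", comm) }
            if ($i ~ /^tclass=/) { tclass = $i; sub(/^tclass=/, "", tclass) }
            # tcontext=user:role:type:level -> the third colon-separated field is the type
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            if ($i ~ /^path=/ || $i ~ /^name=/) {
                target = $i; sub(/^[a-z]+=/, "", target); gsub("\"", "", target)
            }
        }
        print comm, act, tclass, ttype, target
    }'
}

# Number of write denials attributed to the web server process in the input.
# A non-zero count while getenforce reports Enforcing points at the policy,
# not at the file modes, as the thing blocking wp-admin.
avc_count_httpd_writes() {
    avc_summarize | awk '$1 == "httpd" && $2 == "write" { n++ } END { print n + 0 }'
}

# Demo on the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | avc_summarize
printf 'httpd write denials: %s\n' "$(printf '%s\n' "$AVC_SAMPLE" | avc_count_httpd_writes)"
```

On a live system the same functions take `ausearch -m avc -c httpd` output, or `/var/log/audit/audit.log` directly, on stdin; the page's `audit2allow -w -a` then explains each summarised denial and suggests the boolean or label change.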

See Also

  • Support Forum thread
  • htaccess for subdirectories
  • Override WordPress Default permissions