Apache2 permissions issue

apache-httpdpermissionsWordpress

I have changed my DocumentRoot to /home/user/www. To achieve that I have just changed the 2 occurrences of the path at /etc/apache2/sites-available/default.

The permissions of /home/user/www are 0774. I have added the www-data user to my user's group and the owner of /home/user/www is my own user and group (user:user).

I have done that by:

sudo chmod -R 0774 www
sudo chown -R user:user www
sudo adduser www-data user

The problem is that Apache can't write to this directory. It can write only if I set www-data as owner, but if I do that, I can't write at the directory.

I have tested the permissions with:

sudo -u www-data ls /home/user/www
sudo -u www-data cat /home/user/www/some-file

and it works.

But the WordPress I have at www can't delete or create files. Any ideas?

Best Answer

You would have been better off with the www directory at /var/www, with owner www-data and group www-data, and adding your user to the www-data group.

First, change the DocumentRoot etc back to /var/www in the apache config.

The /var/www directory (and all subdirectories in it) should be setgid, so that files and dirs are created with group www-data.

All of the following should be run as root, or with sudo:

mkdir -p /var/www

if there were any files in /home/user/www that you want to keep, move them to /var/www now with:

mv /home/user/www/* /var/www/

Now fix the permissions and ownership of the /var/www directory.

chown -R www-data:www-data /var/www
chmod -R 775 /var/www
find /var/www -type d -print0 | xargs -0r chmod g+s
adduser user www-data

The next time 'user' logins in (or runs newgrp www-data), they should have write permission in /var/www

BTW, if you want to make it easy for 'user' to find the web files, just make a symlink in their home directory:

 ln -s /var/www/ /home/user/

Related Solutions

CentOS – Resolving Write Permission Issues

The installation of Apache may appears to be running as root but in actuality it's running as the user apache. You can check this by looking in this file:

$ grep "^User" /etc/httpd/conf/httpd.conf
User apache

Your entire wordpress directory should likely be owned by this user if you're planning on managing the installation using wordpress through the web UI.

I usually create a separate directory for wordpress like this:

$ pwd
/var/www
$ ls -l | grep wordpress
drwxr-xr-x. 5 apache apache    4096 Apr 25 19:27 wordpress

Here's the contents of the wordpress directory just so you can see it:

-rw-r--r--. 1 apache apache      395 Jan  8  2012 index.php
-rw-r--r--. 1 apache apache  5009441 Jan 23 13:40 latest.tar.gz
-rw-r--r--. 1 apache apache    19929 May  6  2012 license.txt
-rw-r--r--. 1 apache apache     9177 Jan 25 11:25 readme.html
-rw-r--r--. 1 apache apache     4663 Nov 17  2012 wp-activate.php
drwxr-xr-x. 9 apache apache     4096 Dec 11  2012 wp-admin
-rw-r--r--. 1 apache apache      271 Jan  8  2012 wp-blog-header.php
-rw-r--r--. 1 apache apache     3522 Apr 10  2012 wp-comments-post.php
-rw-rw-rw-. 1 apache apache     3466 Jan 23 17:15 wp-config.php
-rw-r--r--. 1 apache apache     3177 Nov  1  2010 wp-config-sample.php
drwxr-xr-x. 7 apache apache     4096 Apr 24 20:15 wp-content
-rw-r--r--. 1 apache apache     2718 Sep 23  2012 wp-cron.php
drwxr-xr-x. 9 apache apache     4096 Dec 11  2012 wp-includes
-rw-r--r--. 1 apache apache     1997 Oct 23  2010 wp-links-opml.php
-rw-r--r--. 1 apache apache     2408 Oct 26  2012 wp-load.php
-rw-r--r--. 1 apache apache    29310 Nov 30  2012 wp-login.php
-rw-r--r--. 1 apache apache     7723 Sep 25  2012 wp-mail.php
-rw-r--r--. 1 apache apache     9899 Nov 22  2012 wp-settings.php
-rw-r--r--. 1 apache apache    18219 Sep 11  2012 wp-signup.php
-rw-r--r--. 1 apache apache     3700 Jan  8  2012 wp-trackback.php
-rw-r--r--. 1 apache apache     2719 Sep 11  2012 xmlrpc.php

I usually also manage any Apache configs related to wordpress in it's own wordpress.conf file under this directory,/etc/httpd/conf.d/`.

# wordpress.conf
Alias / "/var/www/wordpress/"
<Directory "/var/www/wordpress/">
Order Deny,Allow
Deny from all
#Allow from 127.0.0.1 192.168.1
Allow from all
AllowOverride all
</Directory>
#RewriteLog "/var/www/wordpress/rewrite.log"
#RewriteLogLevel 3

Debian – Is giving all permissions to www-data group a good idea

Apache runs as a non-privileged user known as www-data in Debian distros for quite a very good reason: security.

It is considered a good security practice when dealing with daemons giving up privilege rights, avoiding as much as possible to create configuration files or data files with the ownership of the non-privileged user that runs the daemon - as such, if the Apache user is compromised, the attackers will have a much more hard time to mess around things or deface a site.

As possible, I recommend to create sites with different users, and to give read rights to the www-data group only; and to have only write access to www-data in directories that really need them. However even this can be avoided using mod-ruid2.

mod-ruid2 allows actually to run each site/vhost with their owner, and dealing with the security model of pages is much easier. It takes out the necessity of creating world writable directories. It also guarantees that in case of a compromise of one vhost, the attacker is not able to plant malware in the other vhosts.

mod-ruid2 is also advised for people with a hosting model, and we use it here to run a few hundreds sites, with quite success.

Unfortunately, the documentation about mod-ruid2 is a bit scant, and I had to write a more elaborate post to describe it here in Unix and Linux.

Best Answer

Related Solutions

CentOS – Resolving Write Permission Issues

Debian – Is giving all permissions to www-data group a good idea

Related Question