You would have been better off with the www directory at /var/www, with owner www-data and group www-data, and adding your user to the www-data group.
First, change the DocumentRoot etc back to /var/www in the apache config.
The /var/www directory (and all subdirectories in it) should be setgid, so that files and dirs are created with group www-data.
All of the following should be run as root, or with sudo:
mkdir -p /var/www
if there were any files in /home/user/www that you want to keep, move them to /var/www now with:
mv /home/user/www/* /var/www/
Now fix the permissions and ownership of the /var/www directory.
chown -R www-data:www-data /var/www
chmod -R 775 /var/www
find /var/www -type d -print0 | xargs -0r chmod g+s
adduser user www-data
The next time 'user' logins in (or runs newgrp www-data
), they should have write permission in /var/www
BTW, if you want to make it easy for 'user' to find the web files, just make a symlink in their home directory:
ln -s /var/www/ /home/user/
Noel, www-data
user is the user, from whose behalf Apache runs your WordPress code (and any other code, generating Web pages for your users, e.g. Django code - python web-site engine).
www-data
user is created to have minimal permissions possible, because it can possibly execute malicious code and take as much control over your system, as it is allowed to take. Suppose, that WordPress engine contains a vulnerability. Say, it allows the user to convert an image file from .jpg
to .gif
format by running convert
from Imagemagick. The vulnerability is that it doesn't check that the filename contains the filename and only filename.
If a malevolent cracker supplies "image.png; ldd image.png", and WordPress executes convert image.png; ldd image.png
in the shell without filtering out "; ldd image.png"
part (this part was added to filename by the cracker in order to be exectued in the shell), your apache will run ldd image.png
in addition to converting image. If image.png
is in fact an executable file, named image.png, which the cracker supplied to you (if you allow other people to publish on your site, using WordPress engine), ldd image.png
can result in arbitrary code execution, using 'ldd' vulnerability as described here: http://www.catonmat.net/blog/ldd-arbitrary-code-execution/.
Obviously, if that code is run as root user, it can infect all programs in your system and take total control of it. Then you're screwed (your virtual hosting can start sending spam, trying to infect everyone with viruses, eat up all your hosting budget etc.).
Thus, WordPress should be run with minimal privileges possible, in order to minimize damage from a potential vulnerability. Thus, any file, that www-data
can write to, should be treated as possibly compromised.
Why don't you run WordPress as your foo
user? Suppose, you've got a per-user installation of programs (e.g. in /home/foo/bin
), and run WordPress as foo
user. Then vulnerability in WordPress can infect those programs. If you later run one of those programs with sudo
, you're screwed - it will take total control over the system. If you store any password or private key and foo
user can read it, then cracker, who hacked your WordPress will be able to read it, too.
As for the overall mechanism of Apache functioning, here is a summary:
1) On your VPS computer there's a single Apache2 process, that runs as a root. It has to run as the root, cause it needs root privileges to ask Linux kernel to create a socket on TCP port 80.
Socket (see Berkley Sockets) is an Operating Systems Programming abstraction, used by modern Operating Systems (OS) kernels to represent network connections to applications. WordPress developers can think of a socket as of a file. When 2 programs, client and server, on 2 different computers speak to each other over the network, using TCP/IP protocol, OS kernels handle the TCP/IP details by themselves and the programs just think, that they have a file-like object - socket. When Client program (e.g. Mozilla) writes something to its socket, kernel of the client computer's OS delivers that data to the kernel of server computer's OS, using TCP/IP protocol. Then Server program (Apache2 on behalf of WordPress) can read those data from its socket.
How does client find the server and how server distinguishes between clients? Both server and client are identified by a pair (IP address, TCP port number). There are well-known ports for well-known protocols, such as 80 for http, 443 for https, 22 for ssh etc. Well-known ports are used by server computers to expect connections on them. IMPORTANTLY, only root user can create sockets on well-known ports. That's why the first instance of Apache2 is run as root.
When a server (Apache2) program wants to start listening to a port, it creates a so-called passive
socket on port 80 with several system calls
(socket(), bind(), listen() and accept()). System call is a request from a program to its OS kernel. To read about system calls, use e.g. man 2 socket
(here 2
means the section 2 of man pages - system calls, see man man
for section numbers). Passive
socket can't really transfer data. The only thing it does is establish the connection with client - Mozilla's tab.
2) Client (Mozilla tab) wants to establish a TCP/IP connection to your server. It creates a socket on NON-WELL KNOWN port 14369, which doesn't need root privileges. Then it exchanges with 3 messages with Apache through the passive socket on your server computer's 80th port.This process (establishing the TCP/IP connection with 3 messages) is called 3-way handshake, see:
3) When TCP/IP connection is successfully established, Apache2 (run as root) invokes accept()
system call and Linux kernel creates an active
socket on server's 80th port, corresponding to connection with Mozilla's tab. Through this active socket will your WordPress application talk to the client.
4) Apache2 (run as root) forks another instance of Apache2 to run the WordPress code with lower privileges. That instance will run your WordPress code as a www-data
user.
5) Mozilla and Apache2, running WordPress code as www-data
user start exchanging http data over the established connection, writing and reading to their respective sockets via send()/recv()
system calls.
Basically, WordPress is just a program, whose output is an html-page, so Apache2, running as a www-data
just runs that program and writes its output (html-page) to the active socket and Mozilla on the client side receives that page and shows it.
Best Answer
The installation of Apache may appears to be running as root but in actuality it's running as the user
apache
. You can check this by looking in this file:Your entire wordpress directory should likely be owned by this user if you're planning on managing the installation using wordpress through the web UI.
I usually create a separate directory for wordpress like this:
Here's the contents of the wordpress directory just so you can see it:
I usually also manage any Apache configs related to wordpress in it's own
wordpress.conf file under this directory,
/etc/httpd/conf.d/`.