CentOS – Resolving Write Permission Issues

apache-httpdcentospermissionsWordpress

I am running CentOS 6.4 and I have installed WordPress on it. (along with LAMP)

Now the problem is, that I cannot make any write changes to any files in the wordpress editor: eg. header.php, style.css etc. WordPress says the following where the 'update' button is suppose to be: You need to make this file writable before you can save your changes.

Notes:

Now Apache is running as the root user (default)
Here are the
permissions on the themes folder where all the above mentioned files
lie:

drwxrwxr-x. 5 root bluegig 4096 Jul 7 17:32 themes

drwxrwxr-x. 3 root apache 4096 Jul 7 23:15 uploads

I ran the chmod 775 command on both 'themes' and 'uploads', Now doing a chmod 777 gets me write permissions, but I don't believe that is very safe… Is there any other/better way of doing it?

(bluegig is the name of my domain, don't know why that is there…)

What I can do:

I can read and execute in WordPress
I can upload files into the uploads folder from within wordpress

I cannot:

Make any changes to files within wordpress (via the editor)
How do I enable write permissions so that I can modify files in
wordpress?

Note, I did not log into an ftp account from within WP.

Best Answer

The installation of Apache may appears to be running as root but in actuality it's running as the user apache. You can check this by looking in this file:

$ grep "^User" /etc/httpd/conf/httpd.conf
User apache

Your entire wordpress directory should likely be owned by this user if you're planning on managing the installation using wordpress through the web UI.

I usually create a separate directory for wordpress like this:

$ pwd
/var/www
$ ls -l | grep wordpress
drwxr-xr-x. 5 apache apache    4096 Apr 25 19:27 wordpress

Here's the contents of the wordpress directory just so you can see it:

-rw-r--r--. 1 apache apache      395 Jan  8  2012 index.php
-rw-r--r--. 1 apache apache  5009441 Jan 23 13:40 latest.tar.gz
-rw-r--r--. 1 apache apache    19929 May  6  2012 license.txt
-rw-r--r--. 1 apache apache     9177 Jan 25 11:25 readme.html
-rw-r--r--. 1 apache apache     4663 Nov 17  2012 wp-activate.php
drwxr-xr-x. 9 apache apache     4096 Dec 11  2012 wp-admin
-rw-r--r--. 1 apache apache      271 Jan  8  2012 wp-blog-header.php
-rw-r--r--. 1 apache apache     3522 Apr 10  2012 wp-comments-post.php
-rw-rw-rw-. 1 apache apache     3466 Jan 23 17:15 wp-config.php
-rw-r--r--. 1 apache apache     3177 Nov  1  2010 wp-config-sample.php
drwxr-xr-x. 7 apache apache     4096 Apr 24 20:15 wp-content
-rw-r--r--. 1 apache apache     2718 Sep 23  2012 wp-cron.php
drwxr-xr-x. 9 apache apache     4096 Dec 11  2012 wp-includes
-rw-r--r--. 1 apache apache     1997 Oct 23  2010 wp-links-opml.php
-rw-r--r--. 1 apache apache     2408 Oct 26  2012 wp-load.php
-rw-r--r--. 1 apache apache    29310 Nov 30  2012 wp-login.php
-rw-r--r--. 1 apache apache     7723 Sep 25  2012 wp-mail.php
-rw-r--r--. 1 apache apache     9899 Nov 22  2012 wp-settings.php
-rw-r--r--. 1 apache apache    18219 Sep 11  2012 wp-signup.php
-rw-r--r--. 1 apache apache     3700 Jan  8  2012 wp-trackback.php
-rw-r--r--. 1 apache apache     2719 Sep 11  2012 xmlrpc.php

I usually also manage any Apache configs related to wordpress in it's own wordpress.conf file under this directory,/etc/httpd/conf.d/`.

# wordpress.conf
Alias / "/var/www/wordpress/"
<Directory "/var/www/wordpress/">
Order Deny,Allow
Deny from all
#Allow from 127.0.0.1 192.168.1
Allow from all
AllowOverride all
</Directory>
#RewriteLog "/var/www/wordpress/rewrite.log"
#RewriteLogLevel 3

Related Solutions

Apache2 permissions issue

You would have been better off with the www directory at /var/www, with owner www-data and group www-data, and adding your user to the www-data group.

First, change the DocumentRoot etc back to /var/www in the apache config.

The /var/www directory (and all subdirectories in it) should be setgid, so that files and dirs are created with group www-data.

All of the following should be run as root, or with sudo:

mkdir -p /var/www

if there were any files in /home/user/www that you want to keep, move them to /var/www now with:

mv /home/user/www/* /var/www/

Now fix the permissions and ownership of the /var/www directory.

chown -R www-data:www-data /var/www
chmod -R 775 /var/www
find /var/www -type d -print0 | xargs -0r chmod g+s
adduser user www-data

The next time 'user' logins in (or runs newgrp www-data), they should have write permission in /var/www

BTW, if you want to make it easy for 'user' to find the web files, just make a symlink in their home directory:

 ln -s /var/www/ /home/user/

WordPress Permissions – Apache Ownership and Permissions for WordPress

Noel, www-data user is the user, from whose behalf Apache runs your WordPress code (and any other code, generating Web pages for your users, e.g. Django code - python web-site engine).

www-data user is created to have minimal permissions possible, because it can possibly execute malicious code and take as much control over your system, as it is allowed to take. Suppose, that WordPress engine contains a vulnerability. Say, it allows the user to convert an image file from .jpg to .gif format by running convert from Imagemagick. The vulnerability is that it doesn't check that the filename contains the filename and only filename.

If a malevolent cracker supplies "image.png; ldd image.png", and WordPress executes convert image.png; ldd image.png in the shell without filtering out "; ldd image.png" part (this part was added to filename by the cracker in order to be exectued in the shell), your apache will run ldd image.png in addition to converting image. If image.png is in fact an executable file, named image.png, which the cracker supplied to you (if you allow other people to publish on your site, using WordPress engine), ldd image.png can result in arbitrary code execution, using 'ldd' vulnerability as described here: http://www.catonmat.net/blog/ldd-arbitrary-code-execution/.

Obviously, if that code is run as root user, it can infect all programs in your system and take total control of it. Then you're screwed (your virtual hosting can start sending spam, trying to infect everyone with viruses, eat up all your hosting budget etc.).

Thus, WordPress should be run with minimal privileges possible, in order to minimize damage from a potential vulnerability. Thus, any file, that www-data can write to, should be treated as possibly compromised.

Why don't you run WordPress as your foo user? Suppose, you've got a per-user installation of programs (e.g. in /home/foo/bin), and run WordPress as foo user. Then vulnerability in WordPress can infect those programs. If you later run one of those programs with sudo, you're screwed - it will take total control over the system. If you store any password or private key and foo user can read it, then cracker, who hacked your WordPress will be able to read it, too.

As for the overall mechanism of Apache functioning, here is a summary:

enter image description here

1) On your VPS computer there's a single Apache2 process, that runs as a root. It has to run as the root, cause it needs root privileges to ask Linux kernel to create a socket on TCP port 80.

Socket (see Berkley Sockets) is an Operating Systems Programming abstraction, used by modern Operating Systems (OS) kernels to represent network connections to applications. WordPress developers can think of a socket as of a file. When 2 programs, client and server, on 2 different computers speak to each other over the network, using TCP/IP protocol, OS kernels handle the TCP/IP details by themselves and the programs just think, that they have a file-like object - socket. When Client program (e.g. Mozilla) writes something to its socket, kernel of the client computer's OS delivers that data to the kernel of server computer's OS, using TCP/IP protocol. Then Server program (Apache2 on behalf of WordPress) can read those data from its socket.

How does client find the server and how server distinguishes between clients? Both server and client are identified by a pair (IP address, TCP port number). There are well-known ports for well-known protocols, such as 80 for http, 443 for https, 22 for ssh etc. Well-known ports are used by server computers to expect connections on them. IMPORTANTLY, only root user can create sockets on well-known ports. That's why the first instance of Apache2 is run as root.

When a server (Apache2) program wants to start listening to a port, it creates a so-called passive socket on port 80 with several system calls (socket(), bind(), listen() and accept()). System call is a request from a program to its OS kernel. To read about system calls, use e.g. man 2 socket (here 2 means the section 2 of man pages - system calls, see man man for section numbers). Passive socket can't really transfer data. The only thing it does is establish the connection with client - Mozilla's tab.

2) Client (Mozilla tab) wants to establish a TCP/IP connection to your server. It creates a socket on NON-WELL KNOWN port 14369, which doesn't need root privileges. Then it exchanges with 3 messages with Apache through the passive socket on your server computer's 80th port.This process (establishing the TCP/IP connection with 3 messages) is called 3-way handshake, see:

enter image description here

3) When TCP/IP connection is successfully established, Apache2 (run as root) invokes accept() system call and Linux kernel creates an active socket on server's 80th port, corresponding to connection with Mozilla's tab. Through this active socket will your WordPress application talk to the client.

4) Apache2 (run as root) forks another instance of Apache2 to run the WordPress code with lower privileges. That instance will run your WordPress code as a www-data user.

5) Mozilla and Apache2, running WordPress code as www-data user start exchanging http data over the established connection, writing and reading to their respective sockets via send()/recv() system calls.

Basically, WordPress is just a program, whose output is an html-page, so Apache2, running as a www-data just runs that program and writes its output (html-page) to the active socket and Mozilla on the client side receives that page and shows it.

Best Answer

Related Solutions

Apache2 permissions issue

WordPress Permissions – Apache Ownership and Permissions for WordPress

Related Question