Allow Read From Only One User Linux
Topics
- Permission Modes
- Example Permission Modes
- Permission Scheme for WordPress
- Shared Hosting with suexec
- Using an FTP Client
- Unhide the hidden files
- Using the Command Line
- About Chmod
- The dangers of 777
- The Worst Outcome
- Find a Workaround
- Finding Secure File Permissions
- Example Permission Settings
- .htaccess permissions
- php.ini permissions
- php.cgi permissions
- php5.cgi permissions
- SELinux
- How to determine if selinux is the problem?
- See Also
On computer file systems, different files and directories have permissions that specify who and what can read, write, modify and access them. This is important because WordPress may need access to write to files in your wp-content directory to enable certain functions.
Permission Modes

      7       5       5
    user    group   world
    r+w+x   r+x     r+x
    4+2+1   4+0+1   4+0+1   = 755

The permission mode is computed by adding up the following values for the user, the file group, and for everyone else. The diagram shows how.
- Read 4 – Allowed to read files
- Write 2 – Allowed to write/modify files
- eXecute 1 – Read/write/delete/modify/directory

      7       4       4
    user    group   world
    r+w+x   r       r
    4+2+1   4+0+0   4+0+0   = 744

Example Permission Modes
| Mode | Str Perms | Explanation |
|---|---|---|
| 0477 | -r--rwxrwx | owner has read only (4), other and group have rwx (7) |
| 0677 | -rw-rwxrwx | owner has rw only (6), other and group have rwx (7) |
| 0444 | -r--r--r-- | all have read only (4) |
| 0666 | -rw-rw-rw- | all have rw only (6) |
| 0400 | -r-------- | owner has read only (4), group and others have no permission (0) |
| 0600 | -rw------- | owner has rw only, group and others have no permission |
| 0470 | -r--rwx--- | owner has read only, group has rwx, others have no permission |
| 0407 | -r-----rwx | owner has read only, other has rwx, group has no permission |
| 0670 | -rw-rwx--- | owner has rw only, group has rwx, others have no permission |
| 0607 | -rw----rwx | owner has rw only, group has no permission and others have rwx |
Permission Scheme for WordPress
Permissions will be different from host to host, so this guide only details general principles. It cannot cover all cases. This guide applies to servers running a standard setup (note, for shared hosting using "suexec" methods, see below).
Typically, all files should be owned by your user (ftp) account on your web server, and should be writable by that account. On shared hosts, files should never be owned by the webserver process itself (sometimes this is www, or apache, or nobody user).
Any file that needs write access from WordPress should be owned or group-owned by the user account used by WordPress (which may be different than the server account). For example, you may have a user account that lets you FTP files back and forth to your server, but your server itself may run using a separate user, in a separate usergroup, such as dhapache or nobody. If WordPress is running as the FTP account, that account needs to have write access, i.e., be the owner of the files, or belong to a group that has write access. In the latter case, that would mean permissions are set more permissively than default (for example, 775 rather than 755 for folders, and 664 instead of 644).
The file and folder permissions of WordPress should be the same for most users, depending on the type of installation you performed and the umask settings of your system environment at the time of install.
Note: If an experienced user installed WordPress for you, you likely do not need to modify file permissions. Unless you are experiencing problems with permission errors, or you want to, you probably should not mess with this.
Note: If you installed WordPress yourself, you likely DO need to modify file permissions. Some files and directories should be "hardened" with stricter permissions, specifically, the wp-config.php file. This file is initially created with 644 permissions, and it's a hazard to leave it like that. See Security and Hardening.
Typically, all core WordPress files should be writable only by your user account (or the httpd account, if different). (Sometimes though, multiple ftp accounts are used to manage an install, and if all ftp users are known and trusted, i.e., not a shared host, then assigning group writable may be appropriate. Ask your server admin for more info.) However, if you utilize mod_rewrite Permalinks or other .htaccess features you should make sure that WordPress can also write to your /.htaccess file.
If you want to use the built-in theme editor, all files need to be group writable. Try using it before modifying file permissions, it should work. (This may be true if different users uploaded the WordPress package and the Plugin or Theme. This wouldn't be a problem for Plugin and Themes installed via the admin. When uploading files with different ftp users group writable is needed. On shared hosting, make sure the group is exclusive to users you trust… the apache user shouldn't be in the group and shouldn't own files.)
Some plugins require the /wp-content/ folder be made writeable, but in such cases they will let you know during installation. In some cases, this may require assigning 755 permissions. The same is true for /wp-content/cache/ and maybe /wp-content/uploads/ (if you're using MultiSite you may also need to do this for /wp-content/blogs.dir/)
Additional directories under /wp-content/ should be documented by whatever plugin / theme requires them. Permissions will vary.

    /
    |- index.php
    |- wp-admin
    |   `- wp-admin.css
    |- wp-blog-header.php
    |- wp-comments-post.php
    |- wp-commentsrss2.php
    |- wp-config.php
    |- wp-content
    |   |- cache
    |   |- plugins
    |   |- themes
    |   `- uploads
    |- wp-cron.php
    |- wp-includes
    `- xmlrpc.php

Shared Hosting with suexec
The above may not apply to shared hosting systems that use the "suexec" approach for running PHP binaries. This is a popular approach used by many web hosts. For these systems, the php process runs as the owner of the php files themselves, allowing for a simpler configuration and a more secure environment for the specific case of shared hosting.
Note: suexec methods should NEVER be used on a single-site server configuration, they are more secure only for the specific case of shared hosting.
In such an suexec configuration, the correct permissions scheme is simple to understand.
- All files should be owned by the actual user's account, not the user account used for the httpd process.
- Group ownership is irrelevant, unless there's specific group requirements for the web-server process permissions checking. This is not usually the case.
- All directories should be 755 or 750.
- All files should be 644 or 640. Exception: wp-config.php should be 440 or 400 to prevent other users on the server from reading it.
- No directories should ever be given 777, even upload directories. Since the php process is running as the owner of the files, it gets the owners permissions and can write to even a 755 directory.
In this specific type setup, WordPress will detect that it can directly create files with the proper ownership, and so it will not ask for FTP credentials when upgrading or installing plugins.
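
One way to check a tree against the suexec scheme listed above, as an added example that is not part of the original guide. The helper name audit_suexec_perms and the demo tree are hypothetical, and GNU find is assumed for -printf.

```shell
#!/bin/sh
# Added example (not from the original guide). Assumes GNU find (-printf).
# audit_suexec_perms is a hypothetical helper name.
#
# Usage: audit_suexec_perms ROOT OWNER
# Prints "KIND MODE-OR-OWNER PATH" for every entry that deviates from the
# suexec scheme; returns 0 if the tree is clean, 1 otherwise.
audit_suexec_perms() {
    root=$1
    owner=$2    # account name or numeric uid that should own every entry
    findings=$(
        # Everything must be owned by the site user, not the httpd account.
        find "$root" ! -user "$owner" -printf 'owner %u %p\n'
        # Directories: 755 or 750 only, so a 777 upload directory is flagged.
        find "$root" -type d ! -perm 755 ! -perm 750 -printf 'dir %m %p\n'
        # Ordinary files: 644 or 640.
        find "$root" -type f ! -name wp-config.php \
            ! -perm 644 ! -perm 640 -printf 'file %m %p\n'
        # wp-config.php: 440 or 400, unreadable by other accounts.
        find "$root" -type f -name wp-config.php \
            ! -perm 440 ! -perm 400 -printf 'wp-config %m %p\n'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" | sort
        return 1
    fi
    return 0
}

# Constructed demo tree: one compliant file and three deviations.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
: > "$demo/index.php"
: > "$demo/wp-config.php"
: > "$demo/wp-content/theme.css"
chmod 755 "$demo" "$demo/wp-content"
chmod 777 "$demo/wp-content/uploads"
chmod 644 "$demo/index.php" "$demo/wp-config.php"
chmod 666 "$demo/wp-content/theme.css"
audit_suexec_perms "$demo" "$(id -u)" || echo "deviations found"
rm -rf "$demo"
```

The demo reports the 777 uploads directory, the 666 stylesheet and the 644 wp-config.php, and leaves index.php alone.
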
Popular methods used by sysadmins for this setup are:
- suPHP, runs through php-cgi, currently unmaintained since 2013.
- mod_ruid2, apache module, currently unmaintained since 2013.
- mpm-itk, apache module.
- mod_fcgid, an Apache module and FastCGI server with more extensive configuration.
- PHP-FPM, an alternative FastCGI server with shared OPCode, for use with Apache and Nginx.
Using an FTP Client
FTP programs ("clients") allow you to set permissions for files and directories on your remote host. This function is often called chmod or set permissions in the program menu.
In a WordPress install, two files that you will probably want to alter are the index page, and the css which controls the layout. Here's how you change index.php – the process is the same for any file.
In the screenshot below, look at the last column – that shows the permissions. It looks a bit confusing, but for now just note the sequence of letters.
Right-click 'index.php' and select 'File Permissions'
A popup screen will appear.
Don't worry about the check boxes. Just delete the 'Numeric value:' and enter the number you need – in this case it's 666. Then click OK.
You can now see that the file permissions have been changed.
Unhide the hidden files
By default, most FTP Clients, including FileZilla, keep hidden files, those files beginning with a period (.), from being displayed. But, at some point, you may need to see your hidden files so that you can change the permissions on that file. For example, you may need to make your .htaccess file, the file that controls permalinks, writeable.
To display hidden files in FileZilla, it is necessary to select 'View' from the top menu, then select 'Show hidden files'. The screen display of files will refresh and any previously hidden file should come into view.
To get FileZilla to always show hidden files – under Edit, Settings, Remote File List, check the Always show hidden files box.
In the latest version of Filezilla, the 'Show hidden files' option was moved to the 'Server' tab. Select 'Force show hidden files.'
Using the Command Line
If you have shell/SSH access to your hosting account, you can use chmod to change file permissions, which is the preferred method for experienced users. Before you start using chmod it would be recommended to read some tutorials to make sure you understand what you can achieve with it. Setting incorrect permissions can take your site offline, so please take your time.
- Unix Permissions
You can make all the files in your wp-content directory writable in two steps, but before making every single file and folder writable you should first try safer alternatives like modifying just the directory. Try each of these commands first and if they don't work then go recursive, which will make even your themes image files writable. Replace DIR with the folder you want to write in

    chmod -v 746 DIR
    chmod -v 747 DIR
    chmod -v 756 DIR
    chmod -v 757 DIR
    chmod -v 764 DIR
    chmod -v 765 DIR
    chmod -v 766 DIR
    chmod -v 767 DIR

If those fail to allow you to write, try them all again in order, except this time replace -v with -R, which will recursively change each file located in the folder. If after that you still cant write, you may now try 777.
About Chmod
chmod is a unix command that means "change mode" on a file. The -R flag means to apply the change to every file and directory inside of wp-content. 766 is the mode we are changing the directory to, it means that the directory is readable and writable by WordPress and any and all other users on your system. Finally, we have the name of the directory we are going to modify, wp-content. If 766 doesn't work, you can try 777, which makes all files and folders readable, writable, and executable by all users, groups, and processes.
If you use Permalinks you should also change permissions of .htaccess to make sure that WordPress can update it when you change settings such as adding a new page, redirect, category, etc.. which requires updating the .htaccess file when mod_rewrite Permalinks are being used.
- Go to the main directory of WordPress
- Enter
    chmod -v 666 .htaccess

Note: From a security standpoint, even a small amount of protection is preferable to a world-writeable directory. Start with low permissive settings like 744, working your way up until it works. Only use 777 if necessary, and hopefully only for a temporary amount of time.
The dangers of 777
The crux of this permission issue is how your server is configured. The username you use to FTP or SSH into your server is most likely not the username used by the server application itself to serve pages.

      7       7       7
    user    group   world
    r+w+x   r+w+x   r+w+x
    4+2+1   4+2+1   4+2+1   = 777

Often the Apache server is 'owned' by the www-data, dhapache or nobody user accounts. These accounts have a limited amount of access to files on the server, for a very good reason. By setting your personal files and folders owned by your user account to be World-Writable, you are literally making them World Writable. Now the www-data, dhapache and nobody users that run your server, serving pages, executing php interpreters, etc. will have full access to your user account files.
This provides an avenue for someone to gain access to your files by hijacking basically any process on your server, this also includes any other users on your machine. So you should think carefully about modifying permissions on your machine. I've never come across anything that needed more than 767, so when you see 777 ask why it's necessary.
The Worst Outcome
The worst that can happen as a result of using 777 permissions on a folder or even a file, is that if a malicious cracker or entity is able to upload a devious file or modify a current file to execute code, they will have complete control over your blog, including having your database information and password.
Find a Workaround
It is usually pretty easy to have the enhanced features provided by the impressive WordPress plugins available, without having to put yourself at risk. Contact the Plugin author or your server support and request a workaround.
Finding Secure File Permissions
The .htaccess file is one of the files that is accessed by the owner of the process running the server. So if you set the permissions too low, then your server won't be able to access the file and will cause an error. Therein lies the method to find the most secure settings. Start too restrictive and increase the permissions until it works.
Example Permission Settings
The following example has a custom compiled php-cgi binary and a custom php.ini file located in the cgi-bin directory for executing php scripts. To prevent the interpreter and php.ini file from being accessed directly in a web browser they are protected with a .htaccess file.
Default Permissions (umask 022)

    644 -rw-r--r--  /home/user/wp-config.php
    644 -rw-r--r--  /home/user/cgi-bin/.htaccess
    644 -rw-r--r--  /home/user/cgi-bin/php.ini
    755 -rwxr-xr-x  /home/user/cgi-bin/php.cgi
    755 -rwxr-xr-x  /home/user/cgi-bin/php5.cgi

Secured Permissions

    600 -rw-------  /home/user/wp-config.php
    604 -rw----r--  /home/user/cgi-bin/.htaccess
    600 -rw-------  /home/user/cgi-bin/php.ini
    711 -rwx--x--x  /home/user/cgi-bin/php.cgi
    100 ---x------  /home/user/cgi-bin/php5.cgi

.htaccess permissions
644 > 604 – The bit allowing the group owner of the .htaccess file read permission was removed. 644 is normally required and recommended for .htaccess files.
php.ini permissions
644 > 600 – Previously all groups and all users with access to the server could access the php.ini, even by just requesting it from the site. The tricky thing is that because the php.ini file is only used by the php.cgi, we only needed to make sure the php.cgi process had access. The php.cgi runs as the same user that owns both files, so that single user is now the only user able to access this file.
php.cgi permissions
755 > 711 – This file is a compiled php-cgi binary used instead of mod_php or the default vanilla php provided by the hosting company. The default permissions for this file are 755.
php5.cgi permissions
755 > 100 – Because of the setup where the user account is the owner of the process running the php cgi, no other user or group needs access, so we disable all access except execution access. This is interesting because it really works. You can try reading the file, writing to the file, etc. but the only access you have to this file is to run php scripts. And as the owner of the file you can always change the permission modes back again.

    $ cat: php5.cgi: Permission denied
    ./php5.cgi: Welcome

SELinux
Security Enhanced linux is a kernel security module that provides mechanisms by which processes can be sandboxed into particular contexts. This is of particular use to limit the actions that web pages can perform on other parts of the operating system. Actions that are denied by the security policy are often hard to distinguish from regular file permission errors.
selinux is typically installed on Redhat family distributions (e.g., CentOS, Fedora, Scientific, Amazon and others).
How to determine if selinux is the problem?
If you are on a debian based distribution, you are probably fine.
Run the following command (on rpm based systems);

    # rpm -qa | grep selinux
    selinux-policy-targeted-3.13.1-166.el7_4.7.noarch
    selinux-policy-3.13.1-166.el7_4.7.noarch
    libselinux-2.5-11.el7.x86_64
    libselinux-python-2.5-11.el7.x86_64
    libselinux-utils-2.5-11.el7.x86_64

and to check whether it is the cause of denials of permissions:

    # getenforce
    Enforcing

One issue that selinux causes is blocking the wp-admin tools from writing out the `.htaccess` file that is required for url rewriting. There are several commands for inspecting this behaviour

    # audit2allow -w -a
    type=AVC msg=audit(1517275570.388:55362): avc: denied { write } for pid=11831 comm="httpd" path="/var/www/example.org/.htaccess" dev="vda1" ino=67137959 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
        Was caused by:
        The boolean httpd_unified was set incorrectly.
        Description:
        Allow httpd to unified

        Allow access by executing:
        # setsebool -P httpd_unified 1

and

    # ausearch -m avc -c httpd
    ----
    time->Tue Jan 30 01:30:31 2018
    type=PROCTITLE msg=audit(1517275831.762:55364): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
    type=SYSCALL msg=audit(1517275831.762:55364): arch=c000003e syscall=21 success=no exit=-13 a0=55b9c795d268 a1=2 a2=0 a3=1 items=0 ppid=11826 pid=11829 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
    type=AVC msg=audit(1517275831.762:55364): avc: denied { write } for pid=11829 comm="httpd" name="bioactivator.org" dev="vda1" ino=67137958 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
    ----

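
The AVC records above can be reduced to the few fields that tell an SELinux denial apart from an ordinary file permission error: which process, which permission, on what object, and between which SELinux types. This is an added example, not part of the original guide; avc_denials and sample_audit_log are hypothetical names, and the sample lines are constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original guide). avc_denials and
# sample_audit_log are hypothetical names.

# avc_denials: read audit log text on stdin and print one line per AVC denial:
#   COMM PERMS TCLASS TARGET SOURCE_TYPE TARGET_TYPE
avc_denials() {
    awk '
    /type=AVC/ && /avc: +denied/ {
        comm = perms = tclass = target = stype = ttype = "-"
        # The denied permissions sit between braces: denied { write }
        lb = index($0, "{"); rb = index($0, "}")
        if (lb && rb > lb) {
            perms = substr($0, lb + 1, rb - lb - 1)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        # Remaining fields are key=value tokens separated by whitespace.
        # A context is user:role:type:level; the type is what policy matches.
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (!eq) continue
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            gsub(/"/, "", val)
            if (key == "comm") comm = val
            else if (key == "tclass") tclass = val
            else if (key == "path") target = val
            else if (key == "name" && target == "-") target = val
            else if (key == "scontext") { split(val, ctx, ":"); stype = ctx[3] }
            else if (key == "tcontext") { split(val, ctx, ":"); ttype = ctx[3] }
        }
        print comm, perms, tclass, target, stype, ttype
    }'
}

# Constructed sample modelled on the audit output shown above.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1517275831.762:55364): arch=c000003e syscall=21 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1517275570.388:55362): avc:  denied  { write } for  pid=11831 comm="httpd" path="/var/www/example.org/.htaccess" dev="vda1" ino=67137959 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1517275831.762:55364): avc:  denied  { write } for  pid=11829 comm="httpd" name="bioactivator.org" dev="vda1" ino=67137958 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
EOF
}

sample_audit_log | avc_denials
```

On a live system the same function can read the output of the ausearch command shown above in place of the sample.
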
You can temporarily disable selinux to determine if it is the cause of the problems;

    # setenforce
    usage: setenforce [ Enforcing | Permissive | 1 | 0 ]

See Also
- Support Forum thread
- htaccess for subdirectories
- Override WordPress Default permissions
Source: https://wordpress.org/support/article/changing-file-permissions/