Divi WordPress Theme
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

WordPress fix Reply To: Crazy Permissions

Discussion in 'Misc WordPress Requests' started by Samuel Wood (Otto), Mar 6, 2018.

  1. Samuel Wood (Otto)


    Reply To: Crazy Permissions, by Samuel Wood (Otto)

    I’m unfamiliar with Amazon services in particular, but I’m familiar with shared hosting using Apache setups. Presumably each user has their own home folder, and the public_html for each user is in there, and they can access that. Thus, each user has their own WordPress installation, single site, more or less.

    For security, here’s how I’d do it.

    First, you don’t want the WordPress files to be owned by Apache/www. This is actually antithetical to security for a multi-user system. See, if WordPress is owned by the shared apache user account, then that means it has access, potentially write access, to all the WordPress files on all accounts. So I could write a PHP script, have WordPress run it on my site, and modify all the other sites on the same server.

    What you need is to change the way you run PHP from Apache. This is commonplace on shared hosting configurations, and it’s called “setuser” or “suexec” or “su-php” or various different variations involving “su”.

    How to do it depends on your existing setup, but what it does is to change the way Apache loads the PHP process.

    Normally Apache runs as “apache/www” and so when it launches the PHP process, PHP runs as “apache/www” as well. What you want it to do is to actually run the PHP process as “username” instead. That way, the PHP process only has access to that user’s files, and not any other user on the system.

    But you have multiple users. So, how does it know which user to run as? Simple: It uses a PHP which checks the file it is running to start with, and sets its own permissions, its own process owner, to whoever owns that file. Thus, the WordPress files are owned by “username” and then suPHP runs and sets it to be owned by “username” as well, and continues as that user for the rest of the process life.

    So when I look at a site on aaa.com, then it runs as the aaa user. When I look at a site on bbb.com, it runs as the bbb user. And the bbb user can’t access aaa’s files.

    Also, in such a configuration, no FTP prompt happens. It’s owned by aaa, it’s running as aaa, so it can do what it likes with the files and directories and such.

    You will need to examine your Apache configuration to determine how PHP is running. Whether it be mod_php or FastCGI or other, there is an alternate configuration and probably package to let you run suPHP instead. This is the real answer to your problems for shared hosting while maintaining cross-user security.

    Reply To: Crazy Permissions

Share This Page

Monarch Social Sharing Plugin