Convenient WordPress Web Directory Permissions?

Question

I'm setting up a webserver for WordPress.

WordPress requires it's stuff to be owned by www user or it has problems installing plugins and themes (asks for server FTP credentials, it's stupid, I know).

This wouldn't be a problem, but I want to give one ssh user an empty WWW directory so they could download/unpack/setup WordPress themselves (hands off method).

After they download and unpack WordPress archive, all files are owned by that particular user and they have issues managing plugins/themes installation or updates for already mentioned reasons.

What would be the most convenient and safe way of achieving the both goals, letting user to feel like at home and have fully working WordPress install?

Seems setfacl could be the decent solution, to make all new stuff under one directory inherit permissions I set.

Could anyone offer hint or suggestion on how to achieve what I'm trying to or even guide me in other direction?

I'm using Nginx with PHP-FPM.

Thanks!

Answer 1

Another option is you could create a script which changes the ownership on files they upload within a certain directory. You could set up the sudoers file so they can run only that script as root without a password being required.

This can be a security hole if done improperly, but if you do it right, it's no big deal. Some things to make sure of are

1. Nobody except root can write to the script or the directory that contains the script. I'd recommend having it live in /root and for good measure set the immutable attribute (chattr +i) on it.
2. Be sure it's very narrowly coded to make sure it will only do what you intend and can't be abused.
3. Ideally don't let anyone have read access to it to reduce the chance of a mistake made in #2 being discovered.

Answer 2

Add / Update the FS_METHOD constant to "direct" in your wp-config.php and you may be able to update without providing any FTP details.

define('FS_METHOD', 'direct');

FS_METHOD forces the filesystem method. It should only be "direct", "ssh2", "ftpext", or "ftpsockets". Generally, you should only change this if you are experiencing update problems. If you change it and it doesn't help, change it back/remove it. Under most circumstances, setting it to 'ftpsockets' will work if the automatically chosen method does not.

(Primary Preference) "direct" forces it to use Direct File I/O requests from within PHP, this is fraught with opening up security issues on poorly configured hosts, This is chosen automatically when appropriate.

(Secondary Preference) "ssh2" is to force the usage of the SSH PHP Extension if installed (3rd Preference) "ftpext" is to force the usage of the FTP PHP Extension for FTP Access, and finally.

(4th Preference) "ftpsockets" utilises the PHP Sockets Class for FTP Access.

Source: https://codex.wordpress.org/Editing_wp-config.php

Answer 3

I found solution. It's me being idiot.

I copied php-fpm pool config from other host and forgot to define user:user permissions so php process runs as that user.

Changing that and adding nginx user (www) to user group fixed the problem.