
I have an Ubuntu 16.04.1 with Apache 2.4.23, PHP 7.1 RC3, FastCGI, PHP-FPM with separate pools for every site, MariaDB, PhpMyAdmin, Webmin and Nginx as a reverse proxy because I have to install Varnish and all my sites are SSL. I've also installed WordPress. Everything is last version and is working fine.

Security wise, every site is working with a separate user owner through PHP-FPM pools, and everything is owned as user1:www-data, user2:www-data, etc. Every site is in /home/user/domains/site/public.

As I said, everything seems to be just fine, and the last thing I'm working on is good security in WordPress:

Everything has the setgid bit enabled.

  • wp-content and every sub-directory are 2730 and all files are 2640 so that user gets total control, www-data group can enter folders and others can't do anything.
  • wp-content/themes - plugins - upgrade and uploads are also 2730.
  • Every other directory and subdirectory is 2710, and files are 2640.
  • .htaccess is 0660 and when I'm done with it, it will be 0640.

As said, everything works fine and I'm able to update, install/delete plugins and themes, etc.

BUT I'm having problems with wp-config.php. I can set it to 644 or even 404, but when I set it to 640 (or 400, which is what I would like), I get the white screen of death.

I've checked that the file is owned by user:www-data.

Does anybody know why it needs the read bit for others?

Thanks in advance.

Karls

3 Answers


Ok, here's the solution, it may be useful to someone else:

The problem was in the process of setting up chown's and chmod's. You'll find steps that are repeated. I'm not sure why it has to be in this exact order because the results appear to be the same as in my original order (I've double-checked with two different computers), but the correct procedure, step by step, seems to be the following:

You prepare the directories for the site, my scheme is this:
/home/user1/domains/site1/public
/home/user1/domains/site2/public etc...

  • Copy the WordPress files to the /public directory:
    sudo rsync -avP ~/wordpress/ /home/user1/domains/site1/public/
  • Give User and Group ownership:
    sudo chown -R user1:www-data /home/user1/domains/site1/public
  • Make the folders needed and also chown them as before:
    sudo mkdir wp-content/uploads
    sudo mkdir wp-content/upgrade
    sudo chown -R user1:www-data wp-content/uploads
    sudo chown -R user1:www-data wp-content/upgrade
  • Activate the setgid bit for our DocumentRoot so every new folder/file inherits the group:
    sudo find /home/user1/domains/site1/public -type d -exec chmod g+s {} \;
    sudo find /home/user1/domains/site1/public -type f -exec chmod g+s {} \;
  • Give Group write access for the WebServer to be able to set up Themes and Plugins during the WordPress installation process:
    sudo chmod -R g+w /home/user1/domains/site1/public/wp-content/themes
    sudo chmod -R g+w /home/user1/domains/site1/public/wp-content/plugins
  • Get the secret keys for wp-config.php and then edit the file to arrange database settings and whatever you want to tune:
    curl -s https://api.wordpress.org/secret-key/1.1/salt/
    sudo nano wp-config.php
  • Now it's time for the browser to go to http://www.site1 and perform the WordPress installation.
  • After installing WP, let's harden the security:
    sudo find /home/user1/domains/site1/public -type d -print0 | xargs -0 sudo chmod 710
    sudo find /home/user1/domains/site1/public -type f -print0 | xargs -0 sudo chmod 640
  • Since we still need some folders to let WordPress (that would be www-data) to write on them, we need to repeat some steps:
    sudo chmod g+w /home/user1/domains/site1/public/wp-content
    sudo chmod -R g+w /home/user1/domains/site1/public/wp-content/themes
    sudo chmod -R g+w /home/user1/domains/site1/public/wp-content/plugins
    sudo chmod -R g+w /home/user1/domains/site1/public/wp-content/uploads
    sudo chmod -R g+w /home/user1/domains/site1/public/wp-content/upgrade
    This will leave wp-content and its sub-folders set as 730.
  • NOW we can secure wp-config.php:
    sudo chmod 400 wp-config.php
  • And finally, our directories still are 2710 (except wp-content and sub-folders, which are 2730), but our files have lost the setgid bit. So we need to run again:
    sudo find /home/user1/domains/site1/public -type f -exec chmod g+s {} \;

Karls

I would first try and verify that all the relevant PHP-FPM processes are running under the correct UID.

  • Thanks @BorisEpstein. Before installing WordPress, I made an info.php file with 'whoami' and phpinfo(). Every site works under the right user. I don't know if there is something else I can do about that. – Karls Oct 15 '16 at 14:50

You say the file is owned by www-data and it's 640? It should be owned by the user running PHP, not the webserver, because it's PHP that's trying to read it. Your error log file will probably show an 'access denied' coming from PHP.

BTW, I'm not completely sure I understood your permission model correctly, but you said you can install plugins and themes? That means it's writable to the user running it. I wouldn't do that. I would use wp-cli to manage it, and make it not writable to the user running PHP or the webserver.

Halfgaar
  • As I said above, the file -and everything else- is set as user:www-data. So the user owns it and the group is www-data. – Karls Oct 15 '16 at 15:04
  • Sorry, I thought you meant 'the user is', with `user:`. What does your error log show? – Halfgaar Oct 15 '16 at 15:07
  • Thanks @Halfgaar . Newbie here, so bear with me. Where should I be looking at, other than apache and nginx error logs? They don't seem to complain at all. – Karls Oct 15 '16 at 15:10
  • Does your Apache virtual host define an `ErrorLog /var/log/bla/bla`? Apache's and PHP's errors should show up there. – Halfgaar Oct 15 '16 at 15:13
  • My home/user/domains/site/logs/error.log says: FastCGI: server "/usr/lib/cgi-bin/php7-fcgi-site.com" stderr: PHP message: PHP Warning: Parameter 1 to wp_default_scripts() expected to be a reference, value given in /home/user/domains/site.com/public/wp-includes/plugin.php on line 600. Doesn't seem to be related. In one of my tests with WordPress running correctly, enabling debugging in wp-config.php showed the same error, so it shouldn't have anything to do with my actual issue (I think). As for var/log/apache - nginx - etc, there seems to be no complaint. – Karls Oct 15 '16 at 15:22
  • What if you become that user (`su - user --shell=/bin/bash`) and try to cd to the location and read `wp-config.php`? (BTW, Stack Exchange tip: you can edit your question with the log output. Comments are not for traditional forum style replies.) – Halfgaar Oct 15 '16 at 15:24
  • Sorry for the log output, I can't seem to be able to change it. I'm able to log in as user1 (for example) and cd /home. But strangely, I can't 'cd /home/user1', although 'user1/domains/site' are all set to 'user1:user1'. To be clear, '/user1/domains/site' are 'user:user', while '/public/...' are 'user1:www-data'. – Karls Oct 15 '16 at 15:37
  • Great, if I log in as user1 I can't enter /home/user1 , but I can enter /home/user2. – Karls Oct 15 '16 at 15:46
  • Delete my last comment, that was dumb. – Karls Oct 15 '16 at 15:47
  • I can read wp-config.php with no problem as user1. – Karls Oct 15 '16 at 15:49
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/46855/discussion-between-karls-and-halfgaar). – Karls Oct 15 '16 at 16:06