2

I am trying to manage file permissions on a debian webserver that runs nginx, so that wordpress can edit, upload and upgrade without having to use ftp. I also want to be able to login using sftp with my user account.

I am aware of the fact that this question has been asked before, see here or here, but following the steps in those answers hasn't been satisfying. The setup currently looks as follows:

  • The wordpress folder is in /var/www/html/

  • I made a new user ("user") and group ("group"). The server user is "www-data".

  • All files in the wordpress folder are owned by user:group.

  • Both "user" and "www-data" are set to belong to "group".

  • I changed file and folder permissions as follows:

    find /var/www/html/ -type d -exec chmod 2775 {} +

find /var/www/html/ -type f -exec chmod 664 {} +

  • I set the default umask to 0002.

I would have thought this should work, but currently I can edit and upload files from within wordpress, but not update wordpress, functions or themes.

  • It also does not work with "group" set as default group for "user" and/or "www-data" (by editing /etc/passwd).

Alternatively, I made all files in /var/www/html/ owned by user:www-data, but also without success.

The only way I seem to get wordpress to update without ftp is by making the wordpress-folder and all its files owned by "www-data". Unfortunately, the result of that is that I cannot upload files using an sftp-client (because the target is now a folder that is not owned by "user").

How can this be? As far as I understand these steps should give wordpress the proper permissions, but something still is wrong.

Your help would be greatly appreciated.

Community
  • 1
  • 1
knirb
  • 143
  • 7
  • Yes! Figured it out. You need to specify the group that is used by the server in (in my case) /etc/php5/fpm/pool.d/www.conf. I commented out the specified group so that it uses the default group. Than restart the service. I will provide the details later, when I'm happy with final setup. – knirb Sep 17 '14 at 14:40

2 Answers2

1

On a debian server I followed these steps. It might not be the most secure solution as I read here, but it works (wordpress can edit, upload and upgrade - and I can upload using sftp).

  • Create a new user "user"

  • Create a new group "group" (you can choose to use www-data as group as well)

  • Add user and www-data to group

    usermod -G group user
usermod -G group www-data

  • Check group numerical id in /etc/group e.g. group:x:1002

  • Change default group of www-data and user in /etc/passwd e.g. user:x:1001:1002:...

  • In /etc/php5/fpm/pool.d/www.conf (in my case) change group=www-data to ;group=www-data. Now nginx will use the default group of www-data which we just set to "group". Reload service (php5-fpm).

  • Recursively change owner of your wordpress folder to user:group

    chown -R user:group /var/www/html

  • Change permissions in your wordpress folder (The 2 is to assign new files to the parent folder's group)

    find /var/www/html/ -type d -exec chmod 2775 {} +
find /var/www/html/ -type f -exec chmod 664 {} +

  • Change umask to UMASK 0002 in /etc/login.defs

  • In wordpress, enforce direct upload (so no ftp) by adding define('FS_METHOD','direct'); to wp-config.php. In my case, this was an essential step.

  • To get things working, I needed to reboot.

knirb
  • 143
  • 7
1

I ran into this issue and I figured that I would share how I fixed it on Ubuntu running PHP 7 in case it can help someone. I adapted the following after reading this article that outlines how it is done with PHP 5.

Nginx needs to be optimized with PHP pools in order to give ownership of files and folders to users.

First, you need to create a new PHP-FPM memory pool. Do this by copying the default memory pool and renaming it with the user that you want to associate it with:

sudo cp /etc/php/7.0/fpm/pool.d/www.conf /etc/php/7.0/fpm/pool.d/username.conf

Edit the file:

sudo nano /etc/php/7.0/fpm/pool.d/username.conf

Go through the file and change username in the following locations:

; Start a new pool named 'www'.
; the variable $pool can we used in any directive and will be replaced by the
; pool name ('www' here)
[username]


; Note: The user is mandatory. If the group is not set, the default user's group
;       will be used.
user = username


listen = /run/php/php7.0-fpm.username.sock

Now you need to update your server block(s). You will need to adjust to the correct sockets to allow access to the newly created pool.

Open your server configuration file:

sudo nano /etc/nginx/sites-available/default

Or if you setup server blocks (virtual hosts), then:

sudo nano /etc/nginx/sites-available/example.com

Edit the following line and replace username:

fastcgi_pass unix:/run/php/php7.0-fpm.username.sock;

Finally, restart Nginx:

sudo service nginx restart
Marc
  • 4,661
  • 3
  • 40
  • 62