[wp-hackers] File management permission/owner best practices

Wilson Ricardo wrgallinari at gmail.com
Wed Jul 13 20:56:34 UTC 2011


I use some rules to enhance security, using file attributes and rewrite rules:

All directories, apart from wp-content, have the immutable bit set.

# cd $DocumentRoot
# find . -not -path '*sitemap.*' -exec chattr +i {} +
# cd wp-content
# find . \( -path '*blogs.dir*' -o -path '*uploads*' \) -exec chattr -i {} +

And in Apache, I exclude the execution of PHP in the folders owned by Apache:

RewriteEngine On
RewriteRule wp-content/(uploads|blogs\.dir)(.*)\.php http://YOURHOME/ [R=permanent,L,NC]

In summary:

Where it can write, it cannot execute. :)

* You need to chattr -R -i $DocumentRoot to make updates.
* The front-end mounts the $DocumentRoot via NFS, and even as root you
can't change the attribute from the front-end.

On Wed, Jul 13, 2011 at 3:00 PM, Philip Walton <philip at philipwalton.com> wrote:

>
>> In such a case, many shared servers use a method called "setuid" or
>> similar. Essentially, this is a modified way to run PHP such that,
>> when the webserver process calls the PHP executable, a script or other
>> code changes the user id of the running process to be the same as the
>> owner of the PHP script. So instead of PHP running as "www-data", it
>> runs my files as "otto". This has two effects: a) anybody hacking into
>> my website gets my credentials, but that protects other users of the
>> machine (since I won't have access outside my directories) and it
>> eliminates the need for sites to run with open permissions schemes
>> like 777 and such and b) if the process creates a file, it creates it
>> with my user id, thus allowing the direct upgrade method to work and
>> eliminating my need to input FTP credentials.
>>
>> The bottom line is that you shouldn't be changing file ownership in
>> order to use the direct upgrade method at all. That will always lead
>> to poorer security. If you're on a testing machine or just totally
>> unconcerned about security issues, you can pre-define the FTP
>> credentials by using defines in your wp-config.php file. Use FTP_HOST,
>> FTP_USER, and FTP_PASS. If you are using FTP over SSH, you can also
>> define FTP_SSH, FTP_PUBKEY and FTP_PRIKEY as needed. For FTP over SSL,
>> define FTP_SSL. You can find all these in wp-admin/includes/file.php.
>>
>> -Otto
>>
>
> Thanks Otto, that's very helpful. I'll look into the setuid process as it
> sounds exactly like what I'm wanting to do.
>
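An audit script for the "where it can write, it cannot execute" rule, added here as an example and not code from the original post: it compares the directories the web server user can write to against the paths the RewriteRule above denies PHP execution in, lists directories that lack the immutable attribute the chattr loop sets, and reports .php files that have turned up in the upload paths. The DENY_PHP_RE regex and the www-data user name are assumptions mirroring the post; adjust them to the real configuration.

```shell
#!/bin/sh
# Constructed audit script (not from the original post) for a WordPress
# DocumentRoot hardened as described above. Paths and the regex are
# assumptions mirroring the RewriteRule; adjust to the real configuration.

# ERE for the paths (relative to DocumentRoot, as printed by `find .`) where
# the RewriteRule denies PHP execution and writing is therefore acceptable.
DENY_PHP_RE='^\./wp-content/(uploads|blogs\.dir)(/|$)'

# Read directory paths on stdin, print those NOT covered by DENY_PHP_RE.
writable_not_denied() {
    grep -Ev "$DENY_PHP_RE" || true
}

# Directories writable by the current user. -writable honours the effective
# uid, so run as the Apache user: sudo -u www-data sh audit.sh /var/www/html
writable_dirs() {
    (cd "$1" && find . -type d -writable)
}

# Directories outside the allowed paths that lack the immutable attribute the
# chattr loop is meant to set. Needs lsattr (e2fsprogs); the flags are the
# first output field and a lowercase 'i' marks immutable.
not_immutable_dirs() {
    (cd "$1" && find . -type d | grep -Ev "$DENY_PHP_RE") | while IFS= read -r d; do
        lsattr -d -- "$1/$d" 2>/dev/null | awk '{print $1}' | grep -q i \
            || printf '%s\n' "$d"
    done
}

# PHP files that have appeared inside the upload paths. The rewrite keeps
# them from running, but a fresh .php file there is worth investigating.
php_in_uploads() {
    ( cd "$1" || exit 1
      for p in ./wp-content/uploads ./wp-content/blogs.dir; do
          [ -d "$p" ] && find "$p" -type f -name '*.php'
      done
      exit 0 )
}

# Whole audit: exit 0 only when every writable directory is PHP-denied.
audit_docroot() {
    offenders=$(writable_dirs "$1" | writable_not_denied)
    if [ -n "$offenders" ]; then
        printf 'writable but PHP still executes:\n%s\n' "$offenders"
        return 1
    fi
    echo "ok: every writable directory is under a PHP-denied path"
}
```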
