[wp-hackers] How to install a new theme?

Otto otto at ottodestruct.com
Mon Feb 24 19:34:10 UTC 2014


On Mon, Feb 24, 2014 at 1:12 PM, Nikola Nikolov <nikolov.tmw at gmail.com> wrote:

> The problem with WordPress asking for FTP credentials is that the
> permissions for wp-content do not allow it to write files and directories.
>


It's more complex than just permissions.

Consider the most common case:
- User has username of "bob".
- Webserver runs as "www-data".

This means that the WordPress PHP files are owned by "bob", but the
webserver executes as the "www-data" user. Now, whether or not the
webserver has permissions to write to those files and/or directories is
really irrelevant. Any files that the webserver creates are going to be
created as being owned by the "www-data" user, not by "bob".

In a shared hosting environment, where there might also be "alice" and
"carl" running web software of their own, this is a security issue. If
Bob's files are owned by "www-data", then Alice can write code herself, run
it through the webserver (as "www-data") and thus access Bob's files
inappropriately. Bob doesn't like that one bit.

So, WordPress protects against this scenario. When it tries to write files,
it makes certain that the act of writing a file is not just possible due to
permissions, but also that the resulting file will be owned by "bob", and
not by "www-data". It does this by the simple method of writing a test
file, and comparing the ownership of the file to the pre-existing WordPress
PHP files already on the system (specifically, against the
/wp-admin/includes/file.php file, where the get_filesystem_method()
function is).

If the file owners don't match, then it decides not to use the "direct"
writing approach, and switches to one of the other methods instead, like
FTP or SSH. In these methods, it can use the credentials given to make a
connection back to the machine (loopback, basically) and authenticate in
the process. Any files it writes through this connection will get the
ownership of the new credentials ("bob").

The point is to make sure that the files end up being owned by "bob",
because that's the secure choice. On a multiuser environment, ownership
matters more than permissions.

If you want to eliminate that FTP prompt and use the "direct" method in a
multi-user environment, install "suphp" instead of the normal PHP, or use
one of the many methods to run your PHP process using "suexec" permissions.
Google for "fastcgi suexec" for examples of how to do this in your
environment. In this sort of setup, the PHP process switches itself to be
running as "bob". This is secure because "alice" can't write a program on
her environment as "bob", so her processes run as "alice" and still cannot
access Bob's files.

-Otto
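
The ownership test described in the message above, sketched in Python as an added example (not part of the original post and not WordPress's own code). The function names and the "ftp-or-ssh" label are hypothetical; foreign_owned() goes one step further and lists files already left behind under an unexpected owner.

```python
import os
import tempfile

def probe_owner(directory):
    """Create a throwaway file in `directory`; return the uid it is created with."""
    fd, path = tempfile.mkstemp(prefix="temp-write-test-", dir=directory)
    try:
        return os.fstat(fd).st_uid
    finally:
        os.close(fd)
        os.unlink(path)

def choose_method(reference_uid, probe_uid):
    """Return "direct" only if newly created files carry the reference owner.

    probe_uid is None when the directory is not writable at all.
    "ftp-or-ssh" is a label made up for this example.
    """
    if probe_uid is not None and probe_uid == reference_uid:
        return "direct"
    return "ftp-or-ssh"

def filesystem_method(reference_file, target_dir):
    """Compare the owner of an existing file with the owner of a file we create."""
    reference_uid = os.stat(reference_file).st_uid
    try:
        probe_uid = probe_owner(target_dir)
    except OSError:
        probe_uid = None
    return choose_method(reference_uid, probe_uid)

def foreign_owned(root, expected_uid):
    """List paths under `root` whose owner differs from expected_uid."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_uid != expected_uid:
                hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample tree standing in for a WordPress install.
    with tempfile.TemporaryDirectory() as site:
        ref = os.path.join(site, "file.php")
        open(ref, "w").close()
        print(filesystem_method(ref, site))   # same user wrote both files
        print(choose_method(1000, 33))        # constructed uids: bob vs. www-data
        print(foreign_owned(site, os.stat(ref).st_uid))
```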

