[wp-hackers] How to install a new theme?

Mon Feb 24 20:28:03 UTC 2014

On Mon, 24 Feb 2014 13:34:10 -0600
Otto <otto at ottodestruct.com> wrote:

> On Mon, Feb 24, 2014 at 1:12 PM, Nikola Nikolov
> <nikolov.tmw at gmail.com>wrote:
> 
> > The problem with WordPress asking for FTP credentials is that the
> > permissions for wp-content do not allow it to write files and
> > directories.
> >
> 
> 
> It's more complex than just permissions.
> 
> Consider the most common case:
> - User has username of "bob".
> - Webserver runs as "www-data".
> 
> This means that the WordPress PHP files are owned by "bob", but the
> webserver executes as the "www-data" user. Now, whether or not the
> webserver has permissions to write to those files and/or directories
> is really irrelevant. Any files that the webserver creates are going
> to be created as being owned by the "www-data" user, not by "bob".
> 
> In a shared hosting environment, where there might also be "alice" and
> "carl" running web software of their own, this is a security issue. If
> Bob's files are owned by "www-data", then Alice can write code
> herself, run it through the webserver (as "www-data") and thus access
> Bob's files inappropriately. Bob doesn't like that one bit.
> 
> So, WordPress protects against this scenario. When it tries to write
> files, it makes certain that the act of writing a file is not just
> possible due to permissions, but also that the resulting file will be
> owned by "bob", and not by "www-data". It does this by the simple
> method of writing a test file, and comparing the ownership of the
> file to the pre-existing WordPress PHP files already on the system
> (specifically, against the /wp-admin/includes/file.php file, where
> the get_filesystem_method() function is).
> 
> If the file owners don't match, then it decides not to use the
> "direct" writing approach, and switches to one of the other methods
> instead, like FTP or SSH. In these methods, it can use the
> credentials given to make a connection back to the machine (loopback,
> basically) and authenticate in the process. Any files it writes
> through this connection will get the ownership of the new credentials
> ("bob").
> 
> The point is to make sure that the files end up being owned by "bob",
> because that's the secure choice. On a multiuser environment,
> ownership matters more than permissions.
> 
> If you want to eliminate that FTP prompt and use the "direct" method
> in a multi-user environment, install "suphp" instead of the normal
> PHP, or use one of the many methods to run your PHP process using
> "suexec" permissions. Google for "fastcgi suexec" for examples of how
> to do this in your environment. In this sort of setup, the PHP
> process switches itself to be running as "bob". This is secure
> because "alice" can't write a program on her environment as "bob", so
> her processes run as "alice" and still cannot access Bob's files.
> 
> -Otto

Thanks Otto,

As a diagnostic test,
within /usr/share/wordpress/wp-admin/includes/file.php, I modified the
get_filesystem_method() function by putting $method = 'direct'; after
the code that tested the temp file's owner against the return value of
getmyuid(), and indeed, it no longer asked me for my ftp creds, and
indeed started installing something (I was trying to install k2).
However, Wordpress then aborted with "Could not create
directory. /var/lib/wordpress/wp-content/upgrade". So I created the
upgrade dir and it got a little farther, chowned it www-data.www-data
and it got farther but griped that couldn't write
to /var/lib/wordpress/wp-content/themes/k2, so I chowned themes
www-data.www-data, and it succeeded installing, but the preview was the
dreaded blank preview.

So, all this proves that what you said is true. To get it to work (in a
diagnostic mode), I probably need to fix a few other things. And then
figure out the real solution :-)

I'm curious why the Ubuntu 13.10 packager installed Wordpress has
everything owned and grouped by root, with write permissions only for
root. Is their package defective?

This stuff is exactly why I chose to learn all of this on my own
personal machine before making a blog on my web host. Thanks for this
detailed info, Otto.

SteveT

Steve Litt                *  http://www.troubleshooters.com/
Troubleshooting Training  *  Human Performance