LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 12-18-2008, 08:08 PM   #1
idyllhands
LQ Newbie
 
Registered: Sep 2008
Posts: 11

Rep: Reputation: 0
Question Permissions on my website?


Hello. I installed WordPress on my website and it wants me to enable write permission for the files. What is a safe level to set these to? I've heard that 777 is risky, but I don't really understand how all that works...Wouldn't any sort of permissions still mean that someone would need to have either my FTP or my Wordpress admin login info in order to do anything to my site?

Sorry if this is the inappropriate category to put this in, but security made sense to me.
 
Old 12-18-2008, 10:27 PM   #2
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197Reputation: 197
Wordpress needs to be able to write to some files in order to update them and it needs to be able to create files as needed in your website directory.

For an explaination of permissions see:
http://www.zzee.com/solutions/unix-permissions.shtml
http://en.wikipedia.org/wiki/File_system_permissions

Or read the manual:

man chmod
 
Old 12-19-2008, 12:15 PM   #3
idyllhands
LQ Newbie
 
Registered: Sep 2008
Posts: 11

Original Poster
Rep: Reputation: 0
What I am having trouble grasping is what user am I if I am just running the Wordpress admin php file? (Please keep in mind that I am new to *nix filesystems, but am experienced in Windows filesystems)
In case you don't know Wordpress, basically, you can create new blog posts by typing the address of the wp-admin directory, which I believe contains a php file that executes and then use the "Dashboard" that that php file brings up (the php file has a password on it to prevent others from running it without login info).
In reading through the link you sent, I see that webhosts assign users the group "nobody" which inherits permissions from "others."
currently, that group is assigned a value of 5 (read and execute) so if I gave them write permission, then could anyone just come along and write to my files? Or am I safe as long as my Wordpress admin password is safe (ie...others can execute my wp-admin.php file, but won't be able to make it write since they don't have the password)

Or are there other security issues to worry about with giving write permission?

Lastly, will giving write permissions for a directory to a user allow that user to create subdirectories? I know they can create files, but is a directory considered a file?

Last edited by idyllhands; 12-19-2008 at 12:25 PM.
 
Old 12-19-2008, 07:13 PM   #4
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197Reputation: 197
You are whatever user you are logged in as if you are running wordpress yourself.
Depending on your configuration, you may find that wordpress has it's own user, which it uses to access files like the database.

It strikes me that you need to learn more about how wordpress works.

If you have placed permissions 777 then any logged-in user can write to all your files.
A directory is also a file - everything is a file.

With wordpress - it is probably talking about permissions to access the MySQL database it uses.

See: http://www.linuxjournal.com/article/7624
Quote:
Once you have created the database, you need to grant permissions for the WordPress user on these tables; we do this by logging in to the database:

# /usr/local/mysql/bin/mysql -p -u root

Once you have logged in, you can grant permissions to the WordPress user, which I called wpuser, with:

GRANT ALL PRIVILEGES ON wordpress.*
TO wpuser@localhost IDENTIFIED BY 'wppass';
GRANT ALL PRIVILEGES ON wordpress.*
TO wpuser IDENTIFIED BY 'wppass';
 
Old 12-21-2008, 12:00 PM   #5
robertwolfe
Member
 
Registered: Apr 2005
Location: Grand Island, NY
Distribution: Ubuntu and Debian
Posts: 57

Rep: Reputation: 16
Quote:
Originally Posted by idyllhands View Post
Hello. I installed WordPress on my website and it wants me to enable write permission for the files. What is a safe level to set these to? I've heard that 777 is risky, but I don't really understand how all that works...Wouldn't any sort of permissions still mean that someone would need to have either my FTP or my Wordpress admin login info in order to do anything to my site?

Sorry if this is the inappropriate category to put this in, but security made sense to me.
Be sure that the files are owned by the same user and group that apache is run as. On my Ubuntu Server, all of my Wordpress files are owned by www-data:www-data.
 
  


Reply

Tags
permissions, security


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
viewing an externally hosted website from within a given website andrews-mark Linux - Server 6 10-07-2008 12:11 AM
file permissions OK, but command permissions? stabu Linux - General 2 10-05-2005 12:00 PM
File Permissions/ Can't save or delete website files friendlyflier Linux - Security 4 08-07-2005 06:32 AM
serving website from inside chroot "Permissions" jeffpoulsen Linux - Security 1 07-01-2004 01:55 PM


All times are GMT -5. The time now is 04:35 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration