Permissions on my website?

idyllhands · 12-18-2008, 08:08 PM

Hello. I installed WordPress on my website and it wants me to enable write permission for the files. What is a safe level to set these to? I've heard that 777 is risky, but I don't really understand how all that works...Wouldn't any sort of permissions still mean that someone would need to have either my FTP or my Wordpress admin login info in order to do anything to my site?

Sorry if this is the inappropriate category to put this in, but security made sense to me.

Simon Bridge · 12-18-2008, 10:27 PM

Wordpress needs to be able to write to some files in order to update them and it needs to be able to create files as needed in your website directory.

For an explaination of permissions see:
http://www.zzee.com/solutions/unix-permissions.shtml
http://en.wikipedia.org/wiki/File_system_permissions

Or read the manual:

man chmod

idyllhands · 12-19-2008, 12:15 PM

What I am having trouble grasping is what user am I if I am just running the Wordpress admin php file? (Please keep in mind that I am new to *nix filesystems, but am experienced in Windows filesystems)
In case you don't know Wordpress, basically, you can create new blog posts by typing the address of the wp-admin directory, which I believe contains a php file that executes and then use the "Dashboard" that that php file brings up (the php file has a password on it to prevent others from running it without login info).
In reading through the link you sent, I see that webhosts assign users the group "nobody" which inherits permissions from "others."
currently, that group is assigned a value of 5 (read and execute) so if I gave them write permission, then could anyone just come along and write to my files? Or am I safe as long as my Wordpress admin password is safe (ie...others can execute my wp-admin.php file, but won't be able to make it write since they don't have the password)

Or are there other security issues to worry about with giving write permission?

Lastly, will giving write permissions for a directory to a user allow that user to create subdirectories? I know they can create files, but is a directory considered a file?

Simon Bridge · 12-19-2008, 07:13 PM

You are whatever user you are logged in as if you are running wordpress yourself.
Depending on your configuration, you may find that wordpress has it's own user, which it uses to access files like the database.

It strikes me that you need to learn more about how wordpress works.

If you have placed permissions 777 then any logged-in user can write to all your files.
A directory is also a file - everything is a file.

With wordpress - it is probably talking about permissions to access the MySQL database it uses.

See: http://www.linuxjournal.com/article/7624

Quote:

Once you have created the database, you need to grant permissions for the WordPress user on these tables; we do this by logging in to the database:

# /usr/local/mysql/bin/mysql -p -u root

Once you have logged in, you can grant permissions to the WordPress user, which I called wpuser, with:

GRANT ALL PRIVILEGES ON wordpress.*
TO wpuser@localhost IDENTIFIED BY 'wppass';
GRANT ALL PRIVILEGES ON wordpress.*
TO wpuser IDENTIFIED BY 'wppass';

robertwolfe · 12-21-2008, 12:00 PM

Quote:

Originally Posted by idyllhands

Hello. I installed WordPress on my website and it wants me to enable write permission for the files. What is a safe level to set these to? I've heard that 777 is risky, but I don't really understand how all that works...Wouldn't any sort of permissions still mean that someone would need to have either my FTP or my Wordpress admin login info in order to do anything to my site?

Sorry if this is the inappropriate category to put this in, but security made sense to me.

Be sure that the files are owned by the same user and group that apache is run as. On my Ubuntu Server, all of my Wordpress files are owned by www-data:www-data.