Server owner permissions for multisite

  • ProductAnatomy

    (@productanatomy)


    14 years ago

    Hi all,

    I’ve recently started setting up a new wpms install in a new dedicated server. The system is installed on a linux debian 5 setup and running on apache.

    Having only ever run shared hosting before this setup is a much bigger leap than expected, but after a couple of weeks doing bits here and there I’ve finally got the multisite setup running, with domain mapping and all appears to running ok.

    My issue is as follows:
    On the server the default owner of all the installed folders is “root”
    In order to allow media uploads, plugin installs and upgrades and wp auto-upgrades I’ve had to Chown the owner of the entire wordpress directory to the server as follows:
    Chown -R www-data:www-data /usr/share/wordpress/

    Can anyone tell me if this is actually secure? (clearly if the server is compromised the folder would be writeable!) If not would I be better changing the owner back to root (or even creating a new user for the wordpress folder?), then either Chown the wp-content folder or chown the uploads, theme, and blogs.dir folders? (plus any others if there are more) and then only chown the entire wordpress install when upgrading or installing new plugins, themes, etc.?

    Just a bit lost when it comes to the ownership of these folders as changing these ownerships is the only way i can get the system functioning ‘correctly’ so any help would be greatly appreciated!

    Thanks in advance,
    Rob

Viewing 5 replies - 1 through 5 (of 5 total)
  • kenrik

    (@kenrik)

    “I think” you’re safer with only www owning it because the root account has a lot more permissions. If they gain access to your web folder you can always just change the password, fix the hole and restore a backup. If they can access to your root account well.. All kinds of Nasty.

    Either www or the web account owner should be the owner of those folders.

    Thread Starter ProductAnatomy

    (@productanatomy)

    Thanks both for your replies.

    So really i’m better with one of the following 2 options:

    1 – Leaving the entire WordPress install as chown www-data:www-data

    Or

    2 – Creating a new user in debian (rob) and setting this user as owner for the wordpress folder. Then chown the uploads, blogs.dir, themes, and plugins folders to www-data:www-data (using chown www-data:www-data for the entire installation only when upgrading)

    Which one of these would be most suitable?

    Thanks
    Rob

    The second option will not work. On Debian systems Apache2 and php-5 will run as www-data and the files will not be writable by WordPress unless they are chowned www-data:www-data.

    On another subject since your running Debian I would recommend upgrading to Squeeze (Debian 6 latest stable release) before you get to far into having your site running.

    It’s pretty easy using apt-get here is a good tutorial on how to do it.

    Thread Starter ProductAnatomy

    (@productanatomy)

    Hi c3mdigital,

    Second option actually appears to be working…I’ve basically set the main install to a new user chown -R newuser:newuser and then chowned the uploads and blogs.dir folders to www-data:www-data

    Once I’ve figured everything out I’m going to completely reinstall and upgrade onto debian 6 too as suggested – thanks for the link to that tutorial though – might come in handy as my host doesn’t offer debian 6 yet! ??

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Server owner permissions for multisite’ is closed to new replies.