Koozali.org: home of the SME Server

Folder permissions in iBays

Offline charlien

Folder permissions in iBays
« on: June 29, 2016, 04:47:27 PM »
I am looking at installing Wordpress in an iBay and am finding the instructions to be more complicated than I think need be. I'd find it easier to just create a database and set individual folder permissions as needed in an iBay. Will server upgrades reset permissions if I do it this way?
...

Offline Daniel B.

Re: Folder permissions in iBays
« Reply #1 on: June 29, 2016, 05:25:43 PM »
Not server upgrade, but next ibay modification will reset the permissions
It's the end of the world!!! :lol:

Offline charlien

Re: Folder permissions in iBays
« Reply #2 on: June 29, 2016, 05:35:38 PM »
Not server upgrade, but next ibay modification will reset the permissions

Daniel, modifications to any iBay or that specific iBay? I'm trying to make sure I understand so I don't run into a big problem down the road.
...

Offline Daniel B.

Re: Folder permissions in iBays
« Reply #3 on: June 29, 2016, 05:37:55 PM »
This ibay. Next time you go on the settings of this ibay and click save, permissions will be reset (even if you don't change anything)

Offline michelandre

Re: Folder permissions in iBays
« Reply #4 on: June 30, 2016, 12:50:01 AM »
Hi charlien,

This is what I do.

I have a script I run after installation or update of a Theme or Plugin and after modification of i-bay.
I took all the checks out of those scripts here.

If Primary: admin:shared
If other i-bay: admin:www
The find line has no comment. It is on top of it.

Code:
cd /home/e-smith/files/ibays/Primary/html/ || exit 1   # stop if the directory is missing
chown -R admin:shared *           # recursively adjust owner and group
chmod -R g+w wp-content           # recursively add group write
chmod -R o-rwx *                  # recursively remove all rights from other
                                  # recursively add the setgid (s) bit to directories in themes
find wp-content/themes -type d -exec chmod g+s {} \;
                                  # recursively add the setgid (s) bit to directories in plugins
find wp-content/plugins -type d -exec chmod g+s {} \;
chmod g+w administrator/backups/  # add write permission to the backups directory of XCloner
chmod g+w administrator/          # same for the administrator directory of XCloner

Before an update to WordPress

Code:
## Go to the root directory of WordPress (stop if it is missing)
cd /home/e-smith/files/ibays/Primary/html/  2>&1 || exit 1
## Bring back the file readme.html
/bin/cp -rf ../readme.html .
## Add write permission to wp-admin and wp-includes
chmod -R g+w  wp-admin  wp-includes  2>&1
## Files that need write permission
chmod g+w  license.txt  readme.html wp-login.php wp-config-sample.php  \
           wp-activate.php wp-blog-header.php wp-comments-post.php     \
           wp-settings.php wp-signup.php 2>&1

After an update to WordPress

Code:
## Go to the root directory of WordPress (stop if it is missing)
cd /home/e-smith/files/ibays/Primary/html/  2>&1 || exit 1
## Move the file readme.html outside of the WordPress root directory
/bin/mv -f readme.html ../
## Remove write permission from wp-admin and wp-includes
chmod -R g-w  wp-admin  wp-includes  2>&1
## Remove write permission from files
chmod g-w license.txt wp-login.php wp-config-sample.php wp-activate.php  \
          wp-blog-header.php wp-comments-post.php wp-settings.php        \
          wp-signup.php 2>&1

Also I use an .htaccess file in the root directory of WordPress

Code:
# For permalinks
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# Protect file .htaccess
<Files .htaccess>
 order allow,deny
 deny from all
</Files>

# Protect file wp-config
<Files wp-config.php>
 order allow,deny
 deny from all
</Files>

# For directories that don't have an index.htm file
Options All -Indexes

Code:
chmod 640 /home/e-smith/files/ibays/Primary/html/.htaccess

I have WordPress in Primary and in other i-bays.

Hope it helps you,

Michel-André

Offline Stefano

Re: Folder permissions in iBays
« Reply #5 on: June 30, 2016, 10:39:43 AM »
I have many WP sites installed in ibays on a test machine (about 20..)..
never had to edit/modify anything

please, explain your problem, not your solution, thank you

Offline michelandre

Re: Folder permissions in iBays
« Reply #6 on: June 30, 2016, 11:21:39 AM »
I have no problem.

Michel-André

Offline Stefano

Re: Folder permissions in iBays
« Reply #7 on: June 30, 2016, 11:40:02 AM »
sorry, my bad, I was referring to OP

BTW, you don't need any script to run WP in ibays
moreover, if you need to poke with such things, you'd create some custom events/actions

Offline charlien

Re: Folder permissions in iBays
« Reply #8 on: July 01, 2016, 01:45:04 AM »
I have many WP sites installed in ibays on a test machine (about 20..)..
never had to edit/modify anything

please, explain your problem, not your solution, thank you

I keep running into permissions problems when trying to install plugins, themes, or other maintenance items with standard permissions in an Ibay.
...

Offline michelandre

Re: Folder permissions in iBays
« Reply #9 on: July 01, 2016, 04:26:29 AM »
Hi charlien

If WP is installed in Primary i-bay, you have nothing to lose, try:

Code:
cd /home/e-smith/files/ibays/Primary/html/

chown -R admin:shared *           # recursively adjust owner and group
chmod -R g+w wp-content           # recursively add group write
chmod -R o-rwx *                  # recursively remove all rights from other
                                  # recursively add the setgid (s) bit to directories in themes
find wp-content/themes -type d -exec chmod g+s {} \;
                                  # recursively add the setgid (s) bit to directories in plugins
find wp-content/plugins -type d -exec chmod g+s {} \;

This will work,

Michel-André

Offline Daniel B.

Re: Folder permissions in iBays
« Reply #10 on: July 01, 2016, 08:54:02 AM »
It's really not advised to install WP (or any other PHP/dynamic content) in the Primary ibay. But if you still want to, you can just:

Code:
db accounts setprop Primary UserAccess wr-group-rd-group
signal-event ibay-modify Primary

Don't mess manually with permissions on ibay

Offline charlien

Re: Folder permissions in iBays
« Reply #11 on: July 01, 2016, 01:28:59 PM »
It's really not advised to install WP (or any other PHP/dynamic content) in the Primary ibay. But if you still want to, you can just:

Code:
db accounts setprop Primary UserAccess wr-group-rd-group
signal-event ibay-modify Primary

Don't mess manually with permissions on ibay

What about iBays that are not the primary one?
...

Offline Daniel B.

Re: Folder permissions in iBays
« Reply #12 on: July 01, 2016, 01:39:24 PM »
You shouldn't mess with ibay permissions either. Just set the access so that the group owning the ibay has write access.

Offline michelandre

Re: Folder permissions in iBays
« Reply #13 on: July 01, 2016, 04:05:18 PM »
Hi all,

I created an i-bay named test with the default parameters except All Internet (no password)

Code:
# touch toto
#
# mkdir Directory
#
# ls -als
total 16
4 drwxr-s--- 3 admin www  4096  1 juil. 17:15 .
4 drwxr-xr-x 6 root  root 4096  7 févr.  2013 ..
4 drwxr-sr-x 2 root  www  4096  1 juil. 17:15 Directory
4 -rw-r----- 1 admin www   265  1 juil. 17:12 index.html
0 -rw-r--r-- 1 root  www     0  1 juil. 17:15 toto
#

- index.html doesn't have rx for other which is secure.
- index.html doesn't have group w which is secure.
- toto has r for other which is not secure.
- toto doesn't have group w which is secure.
- Directory has rx for other which is not secure.
- Directory doesn't have group w which is secure.
- Directory has group s which is ok.

In server-manager, I clicked modify the i-bay but modified nothing and clicked "Enregistrer"

Code:
# ls -als
total 16
4 drwxr-s--- 3 admin www  4096  1 juil. 17:15 .
4 drwxr-xr-x 6 root  root 4096  7 févr.  2013 ..
4 drwxr-s--- 2 admin www  4096  1 juil. 17:15 Directory
4 -rw-r----- 1 admin www   265  1 juil. 17:12 index.html
0 -rw-r----- 1 admin www     0  1 juil. 17:15 toto
#

- Directory & toto lost rx for other which is secure.
- Directory & toto don't have group w which is secure.
* There is inconsistency with umask between the creation of the i-bay and the creation of file and directory?

WORDPRESS
- WordPress gives rx to other all over the place which is not secure.
- Having other with rx and not all directories having index.xxx allows the content of the directories to be seen, which is not secure. File .htaccess is not used by default.
- Why do directories wp-admin & wp-includes have group w when it is used only when there is an update of WordPress? This is unsecure for no reason?
- Why do files: license.txt wp-login.php wp-config-sample.php wp-activate.php wp-blog-header.php wp-comments-post.php wp-settings.php wp-signup.php, all have group w when it is used only when there is an update of WordPress? This is unsecure for no reason?
- Why do other directories (except wp-content) have group w, which is unsecure for no reason?

- Why does i-bay Primary have shared as the group and other i-bays www?
A user is in group shared by default. If a user has ftp access, he can read the wp-config.php and see the password for the database which is not secure. Even if you move it, he can locate the file and still read it.

Conclusion:
- Having group w for everything is not secure.
- Having other rx for everything is not secure.
- I would suggest to change the group of Primary to www. It will still work properly and be more secure.

Michel-André
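
Added example (not part of the thread and not SME Server code): a read-only audit that lists the conditions discussed above in a WordPress tree, namely bits granted to "other", group write outside wp-content, missing setgid under themes and plugins, and wp-config.php owned by group shared. It assumes GNU find and stat; the function name audit_ibay and the finding labels are made up for this example.

```shell
#!/bin/bash
# Added example: read-only audit of a WordPress tree inside an ibay.
# audit_ibay and the finding labels are names made up for this example.
#
# Prints one finding per line, sorted, as "<LABEL> <path relative to ROOT>":
#   OTHER      any permission bit set for "other"
#   GROUPW     group-writable path outside wp-content
#   NOSGID     directory under wp-content/themes or plugins without setgid
#   SHAREDGRP  wp-config.php owned by group "shared"
audit_ibay() {
    local root=$1 d
    [ -d "$root" ] || { echo "audit_ibay: not a directory: $root" >&2; return 2; }
    (
        cd "$root" || exit 2
        # Symlinks always show as rwxrwxrwx, so skip them.
        find . -mindepth 1 ! -type l -perm /007 -printf 'OTHER %P\n'
        # Do not descend into wp-content: it is group-writable on purpose.
        find . -mindepth 1 -path ./wp-content -prune -o \
             ! -type l -perm /020 -printf 'GROUPW %P\n'
        for d in wp-content/themes wp-content/plugins; do
            if [ -d "$d" ]; then
                find "$d" -type d ! -perm -2000 -printf 'NOSGID %p\n'
            fi
        done
        if [ -f wp-config.php ] && [ "$(stat -c %G wp-config.php)" = shared ]; then
            echo 'SHAREDGRP wp-config.php'
        fi
    ) | sort
}

# Run against the path given on the command line, if any.
if [ -n "${1:-}" ]; then
    audit_ibay "$1"
fi
```

Running it before and after saving the ibay in server-manager shows which manual permission changes the reset has undone.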

Offline Stefano

Re: Folder permissions in iBays
« Reply #14 on: July 01, 2016, 04:07:47 PM »
please, raise a bug in bugzilla with all your ideas, thank you