Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: charlien on June 29, 2016, 04:47:27 PM
-
I am looking at installing Wordpress in an iBay and am finding the instructions to be more complicated than I think need be. I'd find it easier to just create a database and set individual folder permissions as needed in an iBay. Will server upgrades reset permissions if I do it this way?
-
Not server upgrade, but next ibay modification will reset the permissions
-
Not server upgrade, but next ibay modification will reset the permissions
Daniel, modifications to any iBay or that specific iBay? I'm trying to make sure I understand so I don't run into a big problem down the road.
-
This ibay. Next time you go on the settings of this ibay and click save, permissions will be reset (even if you don't change anything)
-
Hi charlien,
This is what I do.
I have a srcipt I run after installion or update of a Theme or Plugin and after modification of i-bay.
I took all the checkings out of those scripts here.
If Primary: admin:shared
If other i-bay: admin:www
The find line has no comment. It is on top of it.
cd /home/e-smith/files/ibays/Primary/html/
chown -R admin:shared * # adjust recursively owner and group
chmod -R g+w wp-content # adjust recursively group write
chmod -R o-rwx * # take out recursively all rights from other
# add recursively the S right to directories in Themes
find wp-content/themes -type d -exec chmod g+s {} \;
# add recursively the S right to directories in Plugins
find wp-content/plugins -type d -exec chmod g+s {} \;
chmod g+w administrator/backups/ # add WRITE right to backups directory of XCloner
chmod g+w administrator/ # id to directory administrator of XCloner
Before an update to WordPress
## Go to root directory of WordPress
cd /home/e-smith/files/ibays/Primary/html/ 2>&1
## Bring back file readme.html
/bin/cp -rf ../readme.html .
## Change right of wp-admin and wp-includes
chmod -R g+w wp-admin wp-includes 2>&1
## Files that need WRITE right
chmod g+w license.txt readme.html wp-login.php wp-config-sample.php \
wp-activate.php wp-blog-header.php wp-comments-post.php \
wp-settings.php wp-signup.php 2>&1
After an update to WordPress
## Go to root directory of WordPress
cd /home/e-smith/files/ibays/Primary/html/ 2>&1
## Move the file readme.html outside of WordPress root directoty
/bin/mv -f readme.html ../
## Take out the WRITE right from wp-admin and wp-includes
chmod -R g-w wp-admin wp-includes 2>&1
## Take out the WRITE right from files
chmod g-w license.txt wp-login.php wp-config-sample.php wp-activate.php \
wp-blog-header.php wp-comments-post.php wp-settings.php \
wp-signup.php 2>&1
Also I use an .htaccess file in root directory of WordPress
# For permalinks
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# Protect file .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>
# Protect file wp-config
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# For directory that don't have index.htm file
Options All -Indexes
chmod 640 /home/e-smith/files/ibays/Primary/html/.htaccess
I have WordPress in Primary and in other i-bays.
Hope it helps you,
Michel-André
-
I have many WP sites installend in ibays on a test machine (about 20..)..
never had to edit/modify anything
please, explain your problem, not your solution, thank you
-
I have no problem.
Michel-André
-
sorry, my bad, I was referring to OP
BTW, you don't need any script to run WP in ibays
moreover, if you need to poke with such a things, you'd create some custom events/actions
-
I have many WP sites installend in ibays on a test machine (about 20..)..
never had to edit/modify anything
please, explain your problem, not your solution, thank you
I keep running into permissions problems when trying to install plugins, themes, or other maintenance items with standard permissions in an Ibay.
-
Hi charlien
If WP is installed in Primary i-bay, you have nothing to loose, try:
cd /home/e-smith/files/ibays/Primary/html/
chown -R admin:shared * # adjust recursively owner and group
chmod -R g+w wp-content # adjust recursively group write
chmod -R o-rwx * # take out recursively all rights from other
# add recursively the S right to directories in Themes
find wp-content/themes -type d -exec chmod g+s {} \;
# add recursively the S right to directories in Plugins
find wp-content/plugins -type d -exec chmod g+s {} \;
This will work,
Michel-André
-
It's really not advised to install WP (or any other PHP/dynamic content) in the Primary ibay. But if you still want to, you can just:
db accounts setprop Primary UserAccess wr-group-rd-group
signal-event ibay-modify Primary
Don't mess manually with permissions on ibay
-
It's really not advised to install WP (or any other PHP/dynamic content) in the Primary ibay. But if you still want to, you can just:
db accounts setprop Primary UserAccess wr-group-rd-group
signal-event ibay-modify Primary
Don't mess manually with permissions on ibay
What about iBays that are not the primary one?
-
You shouldn't mess with ibay permissions either. Just set the access so that the group onwing the ibay has write access.
-
Hi all,
I created a i-bay named test with the default parameters except All Internet (no password)
# touch toto
#
# mkdir Directory
#
# ls -als
total 16
4 drwxr-s--- 3 admin www 4096 1 juil. 17:15 .
4 drwxr-xr-x 6 root root 4096 7 févr. 2013 ..
4 drwxr-sr-x 2 root www 4096 1 juil. 17:15 Directory
4 -rw-r----- 1 admin www 265 1 juil. 17:12 index.html
0 -rw-r--r-- 1 root www 0 1 juil. 17:15 toto
#
- index.html doesn't have rx for other which is secure.
- index.html does't have group w which is secure.
- toto has r for other which is not secure.
- toto does't have group w which is secure.
- Directory has rx for other which is not secure.
- Directory does't have group w which is secure.
- Directory has group s which is ok.
In server-manager, I clicked modify the i-bay but modified nothing and click "Enregistrer"
# ls -als
total 16
4 drwxr-s--- 3 admin www 4096 1 juil. 17:15 .
4 drwxr-xr-x 6 root root 4096 7 févr. 2013 ..
4 drwxr-s--- 2 admin www 4096 1 juil. 17:15 Directory
4 -rw-r----- 1 admin www 265 1 juil. 17:12 index.html
0 -rw-r----- 1 admin www 0 1 juil. 17:15 toto
#
- Directory & toto lost rx for other which is secure.
- Directory & toto don't have group w which is secure.
* There is inconsistency with umask between the cration of the i-bay and the creation of file and directory?
WORDPRESS
- WordPress give rx to other all over the place which is not secure.
- Having other with rx and not all directory having index.xxx, allow to see the content of the directories which is not secure. File .htaccess is not used by default.
- Why directories wp-admin & wp-includes have group w when it is used only when there is an update of WodPress? This is unsecure for no reason?
- Why files: license.txt wp-login.php wp-config-sample.php wp-activate.php wp-blog-header.php wp-comments-post.php wp-settings.php wp-signup.php, all have group w when it is used only when there is an update of WodPress? This is unsecure for no reason?
- Why other directories (except wp-content) having group w which is unsecure for no reason?
- Why i-bay Primary has shared as the group and other i-bays www?
A user is in group shared by default. If user have ftp access, he can read the wp-config.php and see the password for the database which is not secure. Even if you move it, he can locate the file and still read it.
Conclusion:
- Having group w for everything is not secure.
- Having other rx for everything is not secure.
- I would suggest to change the group of Primary to www. It will still work properly and be more secure.
Michel-André
-
please, raise a bug in bugzilla with all your ideas, thank you
-
If you want full control on filesystem permission (and other settings), don't use ibay. Install your app manually in /opt/myapp or /home/e-smith/files/myapp, create the custom-template for httpd.conf. Ibays are made to have something simple and working. You can't conciliate simple to use and full control.
-
Hi Stefano,
Making umask consistent with the creation of the i-bay will take out group w and you will not be able to install WordPress as it is needed for the primary installation.
The only suggestion will be to install WordPress in any i-bay except Primary.
SME is very well done and secure and I think there is a reason for having shared as the Primary's group.
Michel-André
-
Hi Daniel B,
The security problem is not with SME but with WordPress. :sad:
Michel-André
-
If you want full control on filesystem permission (and other settings), don't use ibay. Install your app manually in /opt/myapp or /home/e-smith/files/myapp, create the custom-template for httpd.conf. Ibays are made to have something simple and working. You can't conciliate simple to use and full control.
this should not be in opt as it will not be included in the standard backup process, so you should rather /home/e-smith/files/myapp or /home/e-smith/files/webapps/myapp.
-
For what it's worth, I make these changes to ibay settings for ibays that contain Wordpress:
# set IBAY manually, or replace it in this command with your ibay name
#
/sbin/e-smith/db accounts setprop $IBAY \
FollowSymLinks enabled \
CgiBin enabled \
AllowOverride All \
Group www \
PublicAccess global \
UserAccess wr-group-rd-everyone \
PHPBaseDir /home/e-smith/files/ibays/$IBAY/:/tmp/
#
signal-event remoteaccess-update
My notes on this say:
# Set AllowOverride, FollowSymlinks, Group, UserAccess and PHPBaseDir so that
# permalinks and uploads will work