WordPress permissions issues – ACL to help

On some of our servers, the WordPress installations (but also other apps) are located in the users' directories. The Apache server accesses them through symlinks or via a specific directory configuration. Such an approach works well for systems with individual FTP accounts, but it can also cause problems with permissions.

Permissions issues

Typically, when the project installation directory is located somewhere in the user's home directory, all files and directories are owned by that user. This also means that the www-data user (the typical Apache process user) has limited write and execute rights. During installation this causes problems with the config file; during normal usage, with file uploads or updates.

The typical quick fix, setting read, write and execute rights for everyone on the system, is not a good approach: it allows every user and every process on the machine to modify your files.

ACL to help

To set proper permissions, you can use ACLs (access control lists). The traditional Linux approach to file and directory permissions has three classes: user, group, and all others. The www-data user is not a member of a typical user's group, so it falls under “all others.” Fortunately, ACLs provide a way to set permissions for a particular user, and that is the way we will use.

The ACL tools may not be installed on your system. In that case you can install them with:

sudo apt install acl

or

sudo yum install acl

The first command you should try is:

getfacl myProjectDirectory

As a result, you should see something like this:

# file: myProjectDirectory
# owner: handyman
# group: handyman
user::rwx
group::rwx
other::r-x

This shows who owns the file, which group applies to it, and what the permissions are for that user, the group, and others. We can now add the first ACE (Access Control Entry) for the www-data user:

setfacl --recursive -m u:www-data:rwx myProjectDirectory

This command modifies (-m) the ACL of myProjectDirectory and, recursively (--recursive), of all its subdirectories and files, adding a new entry for the user www-data with permissions rwx (u:www-data:rwx). If you run getfacl again, you see:

# file: myProjectDirectory
# owner: handyman
# group: handyman
user::rwx
user:www-data:rwx
group::rwx
other::r-x

The output of “ls -la” also changes slightly:

$ ls -la
total 12
drwxrwxr-x 3 handyman handyman 4096 May 19 22:32 .
drwxr-xr-x 6 handyman handyman 4096 May 19 22:32 ..
drwxrwxr-x+ 2 handyman handyman 4096 May 19 22:32 myProjectDirectory
-rw-rw-r-- 1 handyman handyman 0 May 19 22:32 testfile

Have you noticed the little “+” (plus) sign after the permission bits of myProjectDirectory? It indicates that an ACL is in place for that entry. As you may imagine, this way you can set granular permissions for each user or group, not only for www-data. This is, in fact, a powerful tool for keeping control of your files.
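The setfacl step above and the “+” check can be tied together in a small script. The following is an added example, not part of the original post: it applies the named entry for the web user and then reads getfacl back to confirm the effective rights. Two details extend the recipe given above: it uses a capital X instead of x so that regular files are not made executable (X grants execute only on directories and on files that are already executable), and it adds a default ACL (setfacl -d) so that files created later by the web server, such as uploads, inherit the entry. The effective_perms function also accounts for the mask:: entry that getfacl shows once named entries exist; a later chmod that removes group write alters that mask and silently clips the named entry, which is the case the constructed sample output reproduces. The user name www-data and the directory argument are assumptions standing in for your own values.

```shell
#!/bin/sh
# Added example (not from the original post): grant the web server user
# access to a project tree with ACLs and verify the result.
# Assumptions: the Apache user is www-data and the directory is passed as
# $1; both are placeholders for your own values.

set -eu

# Apply the named ACL for the web user. Differences from a plain
# "setfacl --recursive -m u:www-data:rwx":
#   * capital X grants execute only on directories (and on files that are
#     already executable), so uploaded files do not become executable;
#   * the second call sets a default ACL (-d) so files and directories
#     created later (uploads, plugin updates) inherit the entry.
apply_web_acl() {
    dir=$1
    webuser=${2:-www-data}
    setfacl --recursive -m "u:${webuser}:rwX" "$dir"
    setfacl --recursive -d -m "u:${webuser}:rwX" "$dir"
}

# Compute the effective rights of a named user from getfacl output.
# Named entries are clipped by the mask:: entry (getfacl marks this with
# "#effective:"); a script needs the clipped value, so compute it here.
# Prints e.g. "rw-", or "none" when the user has no named entry.
effective_perms() {
    printf '%s\n' "$1" | awk -v who="$2" -F: '
        $1 == "user" && $2 == who { perm = substr($3, 1, 3) }
        $1 == "mask" && $2 == ""  { mask = substr($3, 1, 3) }
        END {
            if (perm == "") { print "none"; exit }
            if (mask == "") mask = "rwx"   # no mask line: nothing to clip
            out = ""
            for (i = 1; i <= 3; i++) {
                p = substr(perm, i, 1); m = substr(mask, i, 1)
                out = out ((p != "-" && m != "-") ? p : "-")
            }
            print out
        }'
}

# Read the ACL of a real directory and report whether the web user can write.
check_web_access() {
    dir=$1
    webuser=${2:-www-data}
    acl=$(getfacl --omit-header "$dir")
    eff=$(effective_perms "$acl" "$webuser")
    case $eff in
        ?w?) echo "$webuser can write to $dir (effective: $eff)" ;;
        *)   echo "$webuser cannot write to $dir (effective: $eff)"; return 1 ;;
    esac
}

# Constructed getfacl output for the offline demonstration: the named entry
# says rwx, but a mask of r-x (e.g. after "chmod g-w") clips it to r-x.
SAMPLE_ACL='# file: myProjectDirectory
# owner: handyman
# group: handyman
user::rwx
user:www-data:rwx
group::rwx
mask::r-x
other::r-x'

# With a directory argument, apply and verify the ACL on it; without one,
# only evaluate the constructed sample so the script runs offline.
if [ $# -ge 1 ]; then
    apply_web_acl "$1" "${2:-www-data}"
    check_web_access "$1" "${2:-www-data}"
else
    echo "www-data effective rights in sample: $(effective_perms "$SAMPLE_ACL" www-data)"
fi
```

Run it with the project directory as the first argument (and optionally the web user as the second) on a real tree; without arguments it only evaluates the constructed sample, which shows the clipped r-x that a bare look at the user:www-data:rwx line would hide.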

How to remove ACLs?

Sometimes you may need to remove the ACL for a given user, or remove it entirely. These commands can help:

setfacl --recursive -x u:www-data myProjectDirectory

As you may notice, this one removes the particular ACE for the user www-data on myProjectDirectory and, recursively, on all its subdirectories and files. If you want to remove all ACEs for all users and groups that you added using setfacl, execute:

setfacl --recursive -bn myProjectDirectory

This one removes all extended ACL entries, leaving only the original user/group/others permissions.