Setting file owner to www-data

  • Hi,

    I had a problem with my wordpress install where I could not update the core or any plugin (“Could not write folder”).

    All my permissions were set correctly to 755 and 644 for folders and files, but the files were owned by user:www-data , and I read that “the http server associated to my wordpress site belongs to the group www-data”, so the files should also be owned by www-data. So I ran this command:

    sudo chown -R www-data:www-data my_worpdress_folder

    and it fixed the problem.

    But my question is: is it a security problem to give the ownership of the files to www-data? I don’t know why the previous owner gave it to “user” instead.

    Thanks.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Dion

    (@diondesigns)

    Changing ownership to www-data potentially made your site less secure. It is always best to have PHP run as a different user than the webserver, one that has FTP/SFTP access to the web-facing filesystem. (Note that PHP should never run as a user that has sudo/administrative privileges!)

    The filesystem ownership was originally a user with login privileges to allow management of the filesystem with FTP/SFTP.

    You should consider using a FastCGI PHP handler such as PHP-FPM. It would let you run PHP as a (non-sudo) user with login privileges, which solves all the above issues.

    Thread Starter su1

    (@su1)

    Thanks for your answer. But then any idea why I was not able to update my wordpress when the files were owned by “user”, and all the permissions were set correctly?

    You mention “a user with login privileges”, and I have just seen that shell access was deactivated for that old user (running cat /etc/passwd returned /bin/false for that user). Could this be the source of the problem?

    Or if you tell me that it’s less secure but still acceptable to have my files owned by www-data maybe I’ll leave it like that.

    Dion

    (@diondesigns)

    You couldn’t update WordPress because PHP wasn’t running as “user”, it was/is running as “www-data”. Installing and configuring PHP-FPM so PHP runs as “user” would solve that issue…and all the others as well.

    Running your website with files owned by “www-data” is less secure than them owned by “user”, but as long as it is the only website on the server, it’s not insecure. The biggest problem is that you will not be able to use FTP/SFTP with your web-facing filesystem unless logged in as root.

    Thread Starter su1

    (@su1)

    I have multiple websites on this server. Do you have a link to a tutorial on how to configure PHP-FPM so PHP runs as “user”? As I have different websites, I guess I should have different users running php?

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Setting file owner to www-data’ is closed to new replies.