Using Fantastico, a new CMS (Content Management System) such as WordPress, Joomla, or Mambo has been installed on your website. It does not matter which CMS is installed; they all need to be able to write files on the server, and they all will show “permission denied” errors during the first-time setup or the first time an upload is attempted via their built-in web interface. This happens when the webserver software (usually Apache) does not have write access to a user’s files.
As this is a fairly common issue for sites using CMSs to run into, there are several different approaches that can be used to correct it. Below, several of the more common solutions are discussed and compared.
777 Permissions
This is, unfortunately, one of the first methods most people try. Setting a given directory (for example, WordPress templates) to 777 permissions resolves upload errors very quickly. The problem is that it not only allows the webserver access to the user’s files, it allows all users access to those files. In a shared hosting environment, this allows a single compromised account to be used to compromise others as well. These permissions are inherently insecure, and are the root cause of a significant number of site hacks and site defacements each day. This method should not be used, ever, regardless of CMS or plugin installation instructions which suggest it.
775 Permissions and Use of Groups
Instead of granting full read/write access to everyone, groups may be used. The default user that Apache runs as in Liquid Web’s fully-managed hosting environments is the user “nobody”. In this example, with Apache running as user “nobody”, there is a directory called “templates” that needs to be writeable by the webserver.
drwx------ 2 josh josh 4096 Aug 24 17:34 app
drwx------ 2 josh josh 4096 Aug 24 17:34 otherfiles
drwx------ 2 josh josh 4096 Aug 24 17:34 templates
The first thing we do is set the group for that directory to “nobody” with the “chgrp” command:
chgrp nobody templates
Now the file list will show that directory as having group “nobody,” unlike the others which are still in the “josh” group:
drwx------ 2 josh josh 4096 Aug 24 17:34 app
drwx------ 2 josh josh 4096 Aug 24 17:34 otherfiles
drwx------ 2 josh nobody 4096 Aug 24 17:34 templates
Next, we grant group-write permissions on the directory using the “chmod” command:
chmod 775 templates
Now we see the templates folder is writeable by group, compared to the others which are only writeable by owner:
drwx------ 2 josh josh 4096 Aug 24 17:34 app
drwx------ 2 josh josh 4096 Aug 24 17:34 otherfiles
drwxrwxr-x 2 josh nobody 4096 Aug 24 17:34 templates
This has the benefit of not allowing world access to the directory. However, there is still the risk that a compromised account could gain access by running scripts as the “nobody” user. To mitigate that risk, there is another option.
suPHP
The Liquid Web recommended method for solving this issue is to enable suPHP. The suPHP flag causes PHP scripts to be executed as the user which owns them as opposed to the user the web server (Apache) is running as. This allows the webserver to write files in directories owned by the user, and prevents other users from writing scripts which can do the same.
There is a slight performance cost, as suPHP adds overhead to every PHP process. In most environments this performance cost is well worth the added security and convenience. Installing and configuring suPHP on your server is a straightforward process.
- From the command line or via WHM, enable Mod suPHP.
- Next, “suPHP” must be the handler for PHP. In WHM, click on Apache Configuration, then click on Configure PHP and SuEXEC and choose suPHP as the PHP handler.
- Ensure that all web documents are owned/grouped by their appropriate cPanel user.
- Ensure all web directories have 755 permissions or lower, and all web documents have 644 permissions or lower.
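A read-only check for the last two steps, as an added example that is not part of the original article or any Liquid Web tooling: it lists directories looser than 755, files looser than 644, and anything not owned by the account user. The function name audit_docroot and the sample path in the comment are assumptions.

```bash
# Added example (not from the original article). audit_docroot is a
# hypothetical helper name; it only reads metadata and changes nothing.
#
# Usage: audit_docroot DIR OWNER
#   DIR    document root to inspect, e.g. /home/josh/public_html (assumed path)
#   OWNER  account user name or numeric uid that should own everything
# Prints "<finding><TAB><path>" per problem; returns 1 if any were found.
audit_docroot() {
    local root=$1 owner=$2 findings
    findings=$(
        # Directories looser than 755: group-write or world-write set.
        find "$root" -type d \( -perm -020 -o -perm -002 \) \
            -exec printf 'dir-too-open\t%s\n' {} +
        # Files looser than 644: any execute bit, group-write or world-write.
        find "$root" -type f \
            \( -perm -100 -o -perm -010 -o -perm -001 \
               -o -perm -020 -o -perm -002 \) \
            -exec printf 'file-too-open\t%s\n' {} +
        # Anything not owned by the account user (e.g. left owned by "nobody").
        find "$root" ! -user "$owner" -exec printf 'wrong-owner\t%s\n' {} +
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

A directory left at 777 or 775 from one of the earlier workarounds shows up as dir-too-open, which makes this a quick way to confirm those workarounds were rolled back after switching to suPHP.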
===
Liquid Web’s Heroic Support is always available to assist customers with this or any other issue. If you need our assistance please contact us:
Toll Free 1.800.580.4985
International 517.322.0434
support@liquidweb.com
https://manage.liquidweb.com/