From 9b1f5c6d3e4e4fffcc80b5b3146ff6278c6673f4 Mon Sep 17 00:00:00 2001
From: Tim Fisken
Date: Wed, 30 Sep 2015 11:33:56 +0100
Subject: [PATCH] Run PHP as the www-data user

This commit changes the PHP-FPM config to run as www-data, and also changes the deploy script so that the "uploads" folder has group write permissions, so that wordpress can store and modify uploaded files. The prior set up PHP-FPM run as the same user that owns the files in the web root, giving PHP write access to the entire web root. This is a security risk. The correct solution is to have PHP run as www-data in the www-data group, and have the files be owned by a different user. Then, only those files which we want PHP to be able to write to have the group write permission set. See e.g.: http://codex.wordpress.org/Hardening_WordPress#File_Permissions
---
 roles/deploy/defaults/main.yml | 1 +
 roles/php/templates/php-fpm.conf.j2 | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml
index e9bc265480..4eb5327a42 100644
--- a/roles/deploy/defaults/main.yml
+++ b/roles/deploy/defaults/main.yml
@@ -55,6 +55,7 @@ project_templates:
 project_shared_children:
   - path: web/app/uploads
     src: uploads
+    mode: "0775"
 
 # The project_environment is a list of environment variables added to the various *_commands
 # Example:
diff --git a/roles/php/templates/php-fpm.conf.j2 b/roles/php/templates/php-fpm.conf.j2
index 3c5cb90627..eab5838988 100644
--- a/roles/php/templates/php-fpm.conf.j2
+++ b/roles/php/templates/php-fpm.conf.j2
@@ -4,7 +4,7 @@
 listen = /var/run/php5-fpm-wordpress.sock
 listen.owner = www-data
 listen.group = www-data
-user = {{ web_user }}
+user = www-data
 group = {{ web_group }}
 pm = dynamic
 pm.max_children = 10
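Review bot: The added `mode: "0775"` on the `web/app/uploads` shared child only gives PHP write access if that directory's group is the group PHP-FPM runs as, and nothing in this hunk sets an owner or group — presumably the deploy task that consumes `project_shared_children` applies them, so confirm it also honors a `mode` key, since this hunk only adds the default value. The mode also appears to apply to the shared directory itself rather than recursively, so files already present under it may keep their previous permissions. Quoting the value is correct here: an unquoted `0775` would be read as the octal integer 509 by YAML 1.1 parsers. A short comment above the entry would make the intent clear to the next reader: `# group-writable so PHP-FPM can store uploads without owning the web root`.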
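Review bot: `user = www-data` is now hard-coded while the next line keeps `group = {{ web_group }}` templated, so the pool's group depends on the inventory value rather than the www-data group the commit message describes; if `web_group` is anything other than www-data, the group-write bit on the uploads directory will not give PHP write access, and if it is www-data the line might as well read `group = www-data` for consistency. Either hard-code the group alongside the user or drive both from a variable pair, and document the relationship in the template: `; PHP-FPM runs as a user distinct from the file owner; write access comes only via group-writable shared dirs`. The pool section this hunk belongs to starts above the hunk.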