500 site Chmod 744 Uploads: Command Not Understood
Topics
- Permission Modes
- Example Permission Modes
- Permission Scheme for WordPress
- Shared Hosting with suexec
- Using an FTP Client
- Unhide the hidden files
- Using the Command Line
- About Chmod
- The dangers of 777
- The Worst Outcome
- Find a Workaround
- Finding Secure File Permissions
- Example Permission Settings
- .htaccess permissions
- php.ini permissions
- php.cgi permissions
- php5.cgi permissions
- SELinux
- How to determine if selinux is the problem?
- See Also
On computer file systems, different files and directories have permissions that specify who and what can read, write, modify and access them. This is important because WordPress may need access to write to files in your wp-content directory to enable certain functions.
Permission Modes
```
7      5      5
user   group  world
r+w+x  r+x    r+x
4+2+1  4+0+1  4+0+1  = 755
```
The permission mode is computed by adding up the following values for the user, the file group, and for everyone else. The diagram shows how.
- Read 4 – Allowed to read files
- Write 2 – Allowed to write/modify files
- eXecute 1 – Read/write/delete/modify/directory
```
7      4      4
user   group  world
r+w+x  r      r
4+2+1  4+0+0  4+0+0  = 744
```
Example Permission Modes
| Mode | Str Perms | Explanation |
|---|---|---|
| 0477 | -r--rwxrwx | owner has read only (4), other and group has rwx (7) |
| 0677 | -rw-rwxrwx | owner has rw only (6), other and group has rwx (7) |
| 0444 | -r--r--r-- | all have read only (4) |
| 0666 | -rw-rw-rw- | all have rw only (6) |
| 0400 | -r-------- | owner has read only (4), group and others have no permission (0) |
| 0600 | -rw------- | owner has rw only, group and others have no permission |
| 0470 | -r--rwx--- | owner has read only, group has rwx, others have no permission |
| 0407 | -r-----rwx | owner has read only, other has rwx, group has no permission |
| 0670 | -rw-rwx--- | owner has rw only, group has rwx, others have no permission |
| 0607 | -rw----rwx | owner has rw only, group has no permission and others have rwx |
Permission Scheme for WordPress
Permissions will be different from host to host, so this guide only details general principles. It cannot cover all cases. This guide applies to servers running a standard setup (note, for shared hosting using "suexec" methods, see below).
Typically, all files should be owned by your user (ftp) account on your web server, and should be writable by that account. On shared hosts, files should never be owned by the webserver process itself (sometimes this is www, or apache, or nobody user).
Any file that needs write access from WordPress should be owned or group-owned by the user account used by WordPress (which may be different than the server account). For example, you may have a user account that lets you FTP files back and forth to your server, but your server itself may run using a separate user, in a separate usergroup, such as dhapache or nobody. If WordPress is running as the FTP account, that account needs to have write access, i.e., be the owner of the files, or belong to a group that has write access. In the latter case, that would mean permissions are set more permissively than default (for example, 775 rather than 755 for folders, and 664 instead of 644).
The file and folder permissions of WordPress should be the same for most users, depending on the type of installation you performed and the umask settings of your system environment at the time of install.
Note: If an experienced user installed WordPress for you, you likely do not need to modify file permissions. Unless you are experiencing problems with permission errors, or you want to, you probably should not mess with this.
Note: If you installed WordPress yourself, you likely DO need to modify file permissions. Some files and directories should be "hardened" with stricter permissions, specifically, the wp-config.php file. This file is initially created with 644 permissions, and it's a hazard to leave it like that. See Security and Hardening.
Typically, all core WordPress files should be writable only by your user account (or the httpd account, if different). (Sometimes though, multiple ftp accounts are used to manage an install, and if all ftp users are known and trusted, i.e., not a shared host, then assigning group writable may be appropriate. Ask your server admin for more info.) However, if you utilize mod_rewrite Permalinks or other .htaccess features you should make sure that WordPress can also write to your /.htaccess file.
If you want to use the built-in theme editor, all files need to be group writable. Try using it before modifying file permissions, it should work. (This may be true if different users uploaded the WordPress package and the Plugin or Theme. This wouldn't be a problem for Plugin and Themes installed via the admin. When uploading files with different ftp users group writable is needed. On shared hosting, make sure the group is exclusive to users you trust… the apache user shouldn't be in the group and shouldn't own files.)
Some plugins require the /wp-content/ folder be made writeable, but in such cases they will let you know during installation. In some cases, this may require assigning 755 permissions. The same is true for /wp-content/cache/ and maybe /wp-content/uploads/ (if you're using MultiSite you may also need to do this for /wp-content/blogs.dir/)
Additional directories under /wp-content/ should be documented by whatever plugin / theme requires them. Permissions will vary.
```
/
|- index.php
|- wp-admin
|   `- wp-admin.css
|- wp-blog-header.php
|- wp-comments-post.php
|- wp-commentsrss2.php
|- wp-config.php
|- wp-content
|   |- cache
|   |- plugins
|   |- themes
|   `- uploads
|- wp-cron.php
|- wp-includes
`- xmlrpc.php
```
Shared Hosting with suexec
The above may not apply to shared hosting systems that use the "suexec" approach for running PHP binaries. This is a popular approach used by many web hosts. For these systems, the php process runs as the owner of the php files themselves, allowing for a simpler configuration and a more secure environment for the specific case of shared hosting.
Note: suexec methods should NEVER be used on a single-site server configuration, they are more secure only for the specific case of shared hosting.
In such an suexec configuration, the correct permissions scheme is simple to understand.
- All files should be owned by the actual user's account, not the user account used for the httpd process.
- Group ownership is irrelevant, unless there's specific group requirements for the web-server process permissions checking. This is not usually the case.
- All directories should be 755 or 750.
- All files should be 644 or 640. Exception: wp-config.php should be 440 or 400 to prevent other users on the server from reading it.
- No directories should ever be given 777, even upload directories. Since the php process is running as the owner of the files, it gets the owners permissions and can write to even a 755 directory.
In this specific type setup, WordPress will detect that it can directly create files with the proper ownership, and so it will not ask for FTP credentials when upgrading or installing plugins.
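The suexec scheme above can be checked mechanically. The script below is an added example, not part of the original article: the function name `audit_wp_perms` and its issue labels are made up for illustration, and it uses only POSIX `find`, `sed` and `id`.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the suexec scheme above.
# ROOT and OWNER come from the caller; OWNER defaults to the current uid.
# Output: one finding per line, "<ISSUE> <path>"; exit status 1 if any finding.
# Assumes no path contains a newline.

audit_wp_perms() {
    root=${1:?usage: audit_wp_perms WORDPRESS_ROOT [OWNER]}
    owner=${2:-$(id -u)}
    findings=$(
        # Everything should be owned by the account owner, not the httpd user.
        find "$root" ! -user "$owner" -print | sed 's/^/NOT_OWNER /'
        # Directories: 755 or 750 only.
        find "$root" -type d ! -perm 755 ! -perm 750 -print |
            sed 's/^/DIR_MODE /'
        # Regular files: 644 or 640; wp-config.php is checked separately.
        find "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm 640 -print |
            sed 's/^/FILE_MODE /'
        # wp-config.php: 440 or 400 so other accounts on the host cannot read it.
        find "$root" -type f -name wp-config.php ! -perm 440 ! -perm 400 -print |
            sed 's/^/WPCONFIG_MODE /'
        # Anything with the world-write bit set, such as 777, 666 or 757.
        find "$root" \( -type f -o -type d \) -perm -002 -print |
            sed 's/^/WORLD_WRITABLE /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Command-line use: sh audit.sh /path/to/wordpress [owner]
if [ "$#" -gt 0 ]; then
    audit_wp_perms "$@"
fi
```

A path can appear under more than one label, for example a 777 upload directory is reported as both `DIR_MODE` and `WORLD_WRITABLE`.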
Popular methods used by sysadmins for this setup are:
- suPHP, runs through php-cgi, currently unmaintained since 2013.
- mod_ruid2, apache module, currently unmaintained since 2013.
- mpm-itk, apache module.
- mod_fcgid, an Apache module and FastCGI server with more extensive configuration.
- PHP-FPM, an alternative FastCGI server with shared OPCode, for use with Apache and Nginx.
Using an FTP Client
FTP programs ("clients") allow you to set permissions for files and directories on your remote host. This function is often called chmod or set permissions in the program menu.
In WordPress install, two files that you will probably want to alter are the index page, and the css which controls the layout. Here's how you change index.php – the process is the same for any file.
In the screenshot below, look at the last column – that shows the permissions. It looks a bit confusing, but for now just note the sequence of letters.
Right-click 'index.php' and select 'File Permissions'
A popup screen will appear.
Don't worry about the check boxes. Just delete the 'Numeric value:' and enter the number you need – in this case it's 666. Then click OK.
You can now see that the file permissions have been changed.
Unhide the hidden files
By default, most FTP Clients, including FileZilla, keep hidden files, those files beginning with a period (.), from being displayed. But, at some point, you may need to see your hidden files so that you can change the permissions on that file. For example, you may need to make your .htaccess file, the file that controls permalinks, writeable.
To display hidden files in FileZilla, select 'View' from the top menu, and then select 'Show hidden files'. The screen display of files will refresh and any previously hidden file should come into view.
To get FileZilla to always show hidden files – under Edit, Settings, Remote File List, check the Always show hidden files box.
In the latest version of Filezilla, the 'Show hidden files' option was moved to the 'Server' tab. Select 'Force show hidden files.'
Using the Command Line
If you have shell/SSH access to your hosting account, you can use chmod to change file permissions, which is the preferred method for experienced users. Before you start using chmod it would be recommended to read some tutorials to make sure you understand what you can achieve with it. Setting incorrect permissions can take your site offline, so please take your time.
- Unix Permissions
You can make all the files in your wp-content directory writable in two steps, but before making every single file and folder writable you should first try safer alternatives like modifying just the directory. Try each of these commands first and if they don't work then go recursive, which will make even your themes image files writable. Replace DIR with the folder you want to write in
```
chmod -v 746 DIR
chmod -v 747 DIR
chmod -v 756 DIR
chmod -v 757 DIR
chmod -v 764 DIR
chmod -v 765 DIR
chmod -v 766 DIR
chmod -v 767 DIR
```
If those fail to allow you to write, try them all again in order, except this time replace -v with -R, which will recursively change each file located in the folder. If after that you still can't write, you may now try 777.
About Chmod
chmod is a unix command that means "change mode" on a file. The -R flag means to apply the change to every file and directory inside of wp-content. 766 is the mode we are changing the directory to, it means that the directory is readable and writable by WordPress and any and all other users on your system. Finally, we have the name of the directory we are going to modify, wp-content. If 766 doesn't work, you can try 777, which makes all files and folders readable, writable, and executable by all users, groups, and processes.
If you use Permalinks you should also change permissions of .htaccess to make sure that WordPress can update it when you change settings such as adding a new page, redirect, category, etc.. which requires updating the .htaccess file when mod_rewrite Permalinks are being used.
- Go to the main directory of WordPress
- Enter
```
chmod -v 666 .htaccess
```
Note: From a security standpoint, even a small amount of protection is preferable to a world-writeable directory. Start with low permissive settings like 744, working your way up until it works. Only use 777 if necessary, and hopefully only for a temporary amount of time.
The dangers of 777
The crux of this permission issue is how your server is configured. The username you use to FTP or SSH into your server is most likely not the username used by the server application itself to serve pages.
```
7      7      7
user   group  world
r+w+x  r+w+x  r+w+x
4+2+1  4+2+1  4+2+1  = 777
```
Often the Apache server is 'owned' by the www-data, dhapache or nobody user accounts. These accounts have a limited amount of access to files on the server, for a very good reason. By setting your personal files and folders owned by your user account to be World-Writable, you are literally making them World Writable. Now the www-data, dhapache and nobody users that run your server, serving pages, executing php interpreters, etc. will have full access to your user account files.
This provides an avenue for someone to gain access to your files by hijacking basically any process on your server, this also includes any other users on your machine. So you should think carefully about modifying permissions on your machine. I've never come across anything that needed more than 767, so when you see 777 ask why it's necessary.
The Worst Outcome
The worst that can happen as a result of using 777 permissions on a folder or even a file, is that if a malicious cracker or entity is able to upload a devious file or modify a current file to execute code, they will have complete control over your blog, including having your database information and password.
Find a Workaround
It is usually pretty easy to have the enhanced features provided by the impressive WordPress plugins available, without having to put yourself at risk. Contact the Plugin author or your server support and request a workaround.
Finding Secure File Permissions
The .htaccess file is one of the files that is accessed by the owner of the process running the server. So if you set the permissions too low, then your server won't be able to access the file and will cause an error. Therein lies the method to find the most secure settings. Start too restrictive and increase the permissions until it works.
Example Permission Settings
The following example has a custom compiled php-cgi binary and a custom php.ini file located in the cgi-bin directory for executing php scripts. To prevent the interpreter and php.ini file from being accessed directly in a web browser they are protected with a .htaccess file.
Default Permissions (umask 022)
```
644 -rw-r--r--  /home/user/wp-config.php
644 -rw-r--r--  /home/user/cgi-bin/.htaccess
644 -rw-r--r--  /home/user/cgi-bin/php.ini
755 -rwxr-xr-x  /home/user/cgi-bin/php.cgi
755 -rwxr-xr-x  /home/user/cgi-bin/php5.cgi
```
Secured Permissions
```
600 -rw-------  /home/user/wp-config.php
604 -rw----r--  /home/user/cgi-bin/.htaccess
600 -rw-------  /home/user/cgi-bin/php.ini
711 -rwx--x--x  /home/user/cgi-bin/php.cgi
100 ---x------  /home/user/cgi-bin/php5.cgi
```
.htaccess permissions
644 > 604 – The bit allowing the group owner of the .htaccess file read permission was removed. 644 is normally required and recommended for .htaccess files.
php.ini permissions
644 > 600 – Previously all groups and all users with access to the server could access the php.ini, even by just requesting it from the site. The tricky thing is that because the php.ini file is only used by the php.cgi, we only needed to make sure the php.cgi process had access. The php.cgi runs as the same user that owns both files, so that single user is now the only user able to access this file.
php.cgi permissions
755 > 711 This file is a compiled php-cgi binary used instead of mod_php or the default vanilla php provided by the hosting company. The default permissions for this file are 755.
php5.cgi permissions
755 > 100 – Because of the setup where the user account is the owner of the process running the php cgi, no other user or group needs access, so we disable all access except execution access. This is interesting because it really works. You can try reading the file, writing to the file, etc. but the only access you have to this file is to run php scripts. And as the owner of the file you can always change the permission modes back again.
```
$ cat: php5.cgi: Permission denied
./php5.cgi: Welcome
```
SELinux
Security Enhanced linux is a kernel security module that provides mechanisms by which processes can be sandboxed into particular contexts. This is of particular use to limit the actions that web pages can perform on other parts of the operating system. Actions that are denied by the security policy are often hard to distinguish from regular file permission errors.
selinux is typically installed on Redhat family distributions (e.g., CentOS, Fedora, Scientific, Amazon and others).
How to determine if selinux is the problem?
If you are on a debian based distribution, you are probably fine.
Run the following command (on rpm based systems);
```
# rpm -qa | grep selinux
selinux-policy-targeted-3.13.1-166.el7_4.7.noarch
selinux-policy-3.13.1-166.el7_4.7.noarch
libselinux-2.5-11.el7.x86_64
libselinux-python-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
```
and to check whether it is the cause of denials of permissions:
```
# getenforce
Enforcing
```
One issue that selinux causes is blocking the wp-admin tools from writing out the `.htaccess` file that is required for url rewriting. There are several commands for inspecting this behaviour
```
# audit2allow -w -a
type=AVC msg=audit(1517275570.388:55362): avc: denied { write } for pid=11831 comm="httpd" path="/var/www/example.org/.htaccess" dev="vda1" ino=67137959 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
    Was caused by:
    The boolean httpd_unified was set incorrectly.
    Description:
    Allow httpd to unified

    Allow access by executing:
    # setsebool -P httpd_unified 1
```
and
```
# ausearch -m avc -c httpd
----
time->Tue Jan 30 01:30:31 2018
type=PROCTITLE msg=audit(1517275831.762:55364): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1517275831.762:55364): arch=c000003e syscall=21 success=no exit=-13 a0=55b9c795d268 a1=2 a2=0 a3=1 items=0 ppid=11826 pid=11829 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1517275831.762:55364): avc: denied { write } for pid=11829 comm="httpd" name="bioactivator.org" dev="vda1" ino=67137958 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
----
```
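Raw AVC records like the ones above are hard to scan when there are many of them. The script below is an added example, not part of the original article: the function names `avc_denials` and `sample_audit_lines` are made up for illustration, and the sample input reuses the two AVC records shown above plus two constructed lines.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from audit log text on stdin.
# Output: "<count> <comm> <perms> <tclass> <target> <source type> -> <target type>"

avc_denials() {
    awk '
    /type=AVC/ && /avc:[ ]+denied/ {
        perm = comm = target = tclass = sctx = tctx = ""
        # Denied permissions sit between the braces: "{ write }", "{ read open }".
        a = index($0, "{"); b = index($0, "}")
        if (a && b > a) {
            perm = substr($0, a + 1, b - a - 1)
            gsub(/^ +| +$/, "", perm); gsub(/ +/, ",", perm)
        }
        # The rest of the record is space-separated key=value pairs.
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
            gsub(/"/, "", v)
            if (k == "comm") comm = v
            else if (k == "path" || (k == "name" && target == "")) target = v
            else if (k == "tclass") tclass = v
            else if (k == "scontext") sctx = v
            else if (k == "tcontext") tctx = v
        }
        # A context is user:role:type:level; the type is what policy decides on.
        split(sctx, s, ":"); split(tctx, t, ":")
        n[comm " " perm " " tclass " " target " " s[3] " -> " t[3]]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Sample input: AVC records 1 and 4 are the ones shown above; record 2 is a
# constructed repeat of record 1, and the SYSCALL line is constructed and trimmed.
sample_audit_lines() {
    cat <<'EOF'
type=AVC msg=audit(1517275570.388:55362): avc: denied { write } for pid=11831 comm="httpd" path="/var/www/example.org/.htaccess" dev="vda1" ino=67137959 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1517275571.100:55363): avc: denied { write } for pid=11832 comm="httpd" path="/var/www/example.org/.htaccess" dev="vda1" ino=67137959 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1517275831.762:55364): arch=c000003e syscall=21 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1517275831.762:55364): avc: denied { write } for pid=11829 comm="httpd" name="bioactivator.org" dev="vda1" ino=67137958 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
EOF
}

# Command-line use: sh avc.sh /path/to/saved-audit-output
if [ "$#" -gt 0 ]; then
    avc_denials < "$1"
fi
```

On a live host, the output of `ausearch -m avc -c httpd` can be piped straight into `avc_denials`.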
You can temporarily disable selinux to determine if it is the cause of the problems;
```
# setenforce
usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]
```
See Also
- Support Forum thread
- htaccess for subdirectories
- Override WordPress Default permissions
Source: https://wordpress.org/support/article/changing-file-permissions/