WordPress issue... plugins can't update. Ownership problem?
New Ubuntu 20 server.
I brought over a WordPress site from another server. Runs fine… and I can write to the files or change permissions on them via my SFTP client (Transmit on Mac.)
I set the owner:group to: myUserName:myUserName.
Unfortunately, I can't update plugins in the wp-admin area… and the site-health page says that most of the files are not writeable UNLESS I set everything to 777.
For example, the Foo Gallery plugin says "Update failed: Can't create directory." I've researched that and all I find is "re-set permissions to 775."
775 does not work… but it should!
I tried setting all files to www-data:www-data. No luck.
I'm thinking that when I installed the server that I forgot to add myUserName to some group? Or maybe add apache's user name (which is what?) to some group?
I'm certain it is not a permission problem but an ownership issue. Can anyone save me a day of research and give me some hints?
Thanks.
Al
20 Replies
The PHP interpreter (which actually runs WP code), runs under the privileges of the web server: www-data:www-data. In order for the web server to be able to write a file (which would be the case if you're trying to update plugins), you should make your files:
- be owned by www-data:www-data or myUserName:www-data; and
- have the permissions to 0644 (-rw-r--r--, if www-data:www-data) or 0664 (-rw-rw-r--, if myUserName:www-data).
In cases where files are created by the web server or the PHP interpreter, the directory where the created file is to live needs to be writable as well. For directories, the same rules as above would apply, but the directories need to be executable too: use 0755 (-rwxr-xr-x, if www-data:www-data) or 0775 (-rwxrwxr-x, if myUserName:www-data). Directories need execute permission in order for them to be navigable.
PHP source files (*.php) do not need to be executable (unless you want to invoke them from the shell)…the PHP interpreter (which is executable) only reads them. Making PHP files not invoked from the shell not executable is a basic, reasonable security measure.
File ownership/permissions is pretty basic stuff. See:
- https://linuxhandbook.com/linux-file-permissions/
- https://kerneltalks.com/config/learn-linux-unix-file-permissions-ownership/
I forgot to add myUserName to some group
sudo usermod -a myUserName -G www-data
If you do this, you can modify the rules for files given above to be:
- be owned by www-data:www-data; and
- have the permissions to 0664 (-rw-rw-r--).
and directories to be owned by www-data:www-data and having permissions 0775 (-rwxrwxr-x).
-- sw
I got it to work by:
sudo chown -R myUserName:www-data wp1
sudo chmod -R 0775 wp1
(0755 did not work.)
(I did change wp-config and .htaccess to 644)
I think I need to add either myUserName or www-data to some group in order for 755 to work.
I'm still researching but at least I can install and update plugins.
Thanks.
Al
sudo chmod -R 0775 wp1
(0755 did not work.)
With all due respect, you're flailing… This is not what you want. Every file and directory under wp1 does not need to be owner/group writable/executable. See my comments above about directories.
There are only a few directories/files that need to be writable -- caches, plugin stores, photos, etc. No files need to be executable at all. What you've done is use a sledge hammer to drive an upholstery tack.
-- sw
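Added example, not part of any post in this thread: the split described in the reply above (directories navigable but not writable, files not executable, group write only where the web server has to create files), applied to a constructed throwaway tree that starts in the `chmod -R 0775` state. The writable subdirectories (`wp-content/plugins`, `wp-content/uploads`) and the `foogallery` file names are assumptions for illustration.

```sh
#!/bin/sh
# Added example. All paths are constructed; adjust to your own layout.

# Print the octal mode of a path (GNU stat, BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Build a throwaway WordPress-like tree in the state the thread describes:
# everything 0775 after "chmod -R 0775".
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-admin" "$t/wp-content/plugins/foogallery" "$t/wp-content/uploads"
    touch "$t/index.php" "$t/wp-config.php" "$t/wp-admin/admin.php" \
          "$t/wp-content/plugins/foogallery/foogallery.php"
    chmod -R 0775 "$t"
    echo "$t"
}

# harden_tree ROOT [WRITABLE_SUBDIR...]
harden_tree() {
    root=$1; shift
    # Baseline: directories 0755 (navigable), files 0644 (never executable).
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
    # Only the named subtrees get group write, for the web server's group.
    for sub in "$@"; do
        [ -d "$root/$sub" ] || continue
        find "$root/$sub" -type d -exec chmod 0775 {} +
        find "$root/$sub" -type f -exec chmod 0664 {} +
    done
    return 0
}

# Demo on the constructed tree: print the resulting modes.
tree=$(make_sample_tree)
harden_tree "$tree" wp-content/plugins wp-content/uploads
for p in index.php wp-admin wp-content wp-content/plugins wp-content/uploads; do
    printf '%s %s\n' "$(mode_of "$tree/$p")" "$p"
done
rm -rf "$tree"
```

On a real site the group on those subtrees would be the web server's group (www-data in this thread), set with `chown`, which this demo skips because it needs root.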
@stevewi has got you covered pretty well.
This also depends on how PHP and your web server (Apache, nginx?) have been set up, or if it’s a one-click app deployment from the marketplace.
If PHP is running as an Apache module, the files will need to be readable and writeable by the Apache user or group (www-data:www-data on Ubuntu by default.)
If PHP is running via FPM, then there is a possibility that PHP could be running under a different account to Apache. (Not the case if you’re using standard distribution packages on Ubuntu, but every set up is different!)
You can determine how PHP is being run with a PHP info page. Look at the “Server API” section, it’ll be “FPM/FastCGI” if running under FPM.
EDIT: sorry if this looks unhelpful in the thread, I had started writing it after @stevewi’s first reply!
If PHP is running via FPM, then there is a possibility that PHP could be running under a different account to Apache. (Not the case if you’re using standard distribution packages on Ubuntu, but every set up is different!)
On Debian/Ubuntu, php-fpm(8) runs as www-data:www-data:
root 1144 1 0 May01 ? 00:00:15 php-fpm: master process (/etc/php/7.3/fpm/php-fpm.conf)
www-data 1204 1144 0 May01 ? 00:00:32 php-fpm: pool www
www-data 1206 1144 0 May01 ? 00:00:32 php-fpm: pool www
www-data 2161 1144 0 May02 ? 00:00:24 php-fpm: pool www
The process owned by root (the master process) is just the watchdog on the others. It will always be owned by root. The (child) processes owned by www-data are the ones that manage the thread pool(s) that handle requests. They need to be owned by www-data because of the way communication with apache2(8) is configured…on my system that's a local-domain socket. If I were to use an internet-domain socket, the ownership of the child processes would not be so critical.
I chose a local-domain socket for security and performance reasons.
-- sw
On Debian/Ubuntu, php-fpm(8) runs as www-data:www-data:
Yes exactly, I was pointing out it’s a possibility, but not normally if you’re running standard distribution packages.
Control panels are notorious though for running each site under a different user account for separation.
Control panels are notorious though for running each site under a different user account for separation.
Which is reason #6738 not to trust them (or any other "friendly front-end") to do the right thing…
-- sw
There are only a few directories/files that need to be writable -- caches, plugin stores, photos, etc. No files need to be executable at all. What you've done is use a sledge hammer to drive an upholstery tack.
I understand WP permissions quite well. Right now I'm just trying to get this to work. I'll lock it down later on.
I'll add myUserName to the www-data group and perhaps 755 will work with all files set to myUserName:www-data.
Thanks.
I'll add myUserName to the www-data group and perhaps 755 will work with all files set to myUserName:www-data.
I hope you have a backup plan… This isn't going to allow you to update your plugins.
-- sw
This isn't going to allow you to update your plugins.
I added myUserName to the www-data group but 755 still did not work… the
Well, it lets me install them. I'll have to wait for one of my plugins to have an update.
I still have not figured out why 775 works and 755 does not work, but eventually I'll figure it out. The 755 works on my Ubuntu 18 Linode but not on the new Ubuntu 20. As far as I can tell, all the settings are identical… but obviously I didn't do something on the new server that I did on the old one (that I plan to retire as it is too small.)
It's a process! :-)
Thanks,
Al
I still have not figured out why 775 works and 755 does not work
775 means both the directory’s owner and anyone in its group can write to it (anyone not in the group and not the owner can only read and browse it.)
755 means only the directory’s owner can write to it (anyone else can only read and browse.)
This suggests that the directory’s owner is not the same user account as the web service/PHP is running under, so 755 will never allow PHP/WordPress to change files.
The only way 755 can work on your old server is if the directories on there are owned by the same user running the web server/PHP.
Personally on my servers, I always do:
chown -R www-data:www-data /my/web/files
chmod -R ug+rwX,o-rwx /my/web/files
whenever I’ve deployed new web files or changes (this is equivalent to 770 on directories and 660 on files.)
This ensures anyone in the www-data group (or the web server/PHP itself) can read and write the web files. No other account can even read them.
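Added example, not part of any post in this thread: a small model of the owner/group/other check explained in the reply above, run for a web server process (user www-data, groups: www-data) against the four owner:group combinations tried in the thread. It does not model root or ACLs, and the function names are made up for this example.

```sh
#!/bin/sh
# Added example: model of the classic Unix write check.
# root (which bypasses these bits) and ACLs are not modeled.

# perm_class PROC_USER "PROC_GROUPS" FILE_OWNER FILE_GROUP
# Exactly one class applies, chosen in this order; later ones are never consulted.
perm_class() {
    if [ "$1" = "$3" ]; then echo owner; return; fi
    case " $2 " in *" $4 "*) echo group; return ;; esac
    echo other
}

# can_write PROC_USER "PROC_GROUPS" FILE_OWNER FILE_GROUP OCTAL_MODE
# Returns 0 if the applicable class has its write bit set.
can_write() {
    m=$((0$5))                      # leading 0 makes the shell read it as octal
    case $(perm_class "$1" "$2" "$3" "$4") in
        owner) bit=$((m & 0200)) ;;
        group) bit=$((m & 0020)) ;;
        other) bit=$((m & 0002)) ;;
    esac
    [ "$bit" -ne 0 ]
}

# What the web server process can write. Group memberships of the login
# account (myUserName) never enter this decision.
report() {
    for mode in 755 775; do
        for og in www-data:www-data www-data:myUserName \
                  myUserName:www-data myUserName:myUserName; do
            owner=${og%%:*}; group=${og##*:}
            if can_write www-data "www-data" "$owner" "$group" "$mode"; then
                verdict=writable
            else
                verdict=read-only
            fi
            echo "$mode $og -> $(perm_class www-data www-data "$owner" "$group"), $verdict"
        done
    done
}
report
```

If a live server disagrees with this table, the process identity or the actual ownership on disk differs from what was assumed, which is what `ps -ef` and `ls -al` confirm.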
From the /etc/apache/envars file we know that Apache here runs as:
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
So you would think that setting all the WP files and directories to 755 and chown them to www-data:www-data would make them all writable … but WordPress tells me they aren't.
I've added myUserName to the www-data group so I'd think that doing a chown to myUserName:www-data would do the trick. But it doesn't unless I set everything to 775 and 755.
There is something I forgot to set when either I installed Apache and PHP or there is something (perhaps a lot) I don't know about Ubuntu 20.
Al
there is something (perhaps a lot) I don't know about Ubuntu 20.
All of what's been discussed in this thread has been in Linux since the dawn of time…and in Unix in prehistory. None of it is unique to Ubuntu 20.04…unless Canonical has decided to develop its own kernel and not tell anybody. Given Mark Shuttleworth's predisposition for self-promotion, that seems pretty unlikely.
but WordPress tells me they aren't.
God knows what WP or some lazy plugin author thinks the ownership/permissions should be…probably nothing at all related to what Linux requires…
One thing you should check though is that cache directories required by WP or PHP need to be writable by the web server (www-data:www-data):
https://wordpress.org/support/article/optimization-caching/
-- sw
Well, if there is a way to make 755 work, I've not found it yet.
I've added myUserName to the www-data group.
Using 755, I've tried owner:group of:
www-data:www-data
www-data:myUserName
myUserName:www-data
myUserName:myUserName
Only 775 gives me writable directories according to the WP "site-health" (built-in) utility.
As I said earlier, my Linode Ubuntu 18 server allows 755 to work fine with myUserName:www-data but something must have changed with Ubuntu 20 or I have screwed up the install. I've read a hundred and one websites on installing LAMP and I am convinced I did it right. (I've done it before but not for several years.)
This site was interesting although I didn't set up a SFTP-only user. Their discussion on WP permissions toward the end of the page was good:
https://devanswers.co/configure-sftp-web-server-document-root
editorial
Bottom line, I don't need WP for this site (radioqsl.com) as it is mostly static. If I can find a nice parallax-scrolling Bootstrap theme, and a good gallery plugin with a light-box I'd re-write the site and be done with the complexities and insecurities of WP. I hate WP… but I'm not ready for the JamSTACK learning curve!
/editorial
Thanks for your help.
Only 775 gives me writable directories according to the WP "site-health" (built-in) utility.
I would suggest that this utility is severely brain-dead. Only a few WP directories -- cache, photos, etc. -- need to be writable. I'd stop using this and start developing your own expertise based on the discussion here and what apache(2) and PHP tell you they need.
I hate WP
Roger that.
I had a site I developed with WP once. As soon as I got "done" with it, I started rewriting it. I developed my own framework based on static pages and the few simple forms I needed. I used Fat-free Framework (F3) to glue everything together.
F3 is 500K. I don't know how big WP is but it's a hell of a lot bigger than 500K…and no required database. If you need a database, you can use SQLite.
SQLite is a lot smaller than MySQL and a lot easier to manage (it's just a file)…no SQL users or roles; no access modes; etc….but very functional. SQLite is not a speed daemon but for a site built with static pages, MySQL is overkill.
It took me about 3 weeks to get everything together for a functional, mobile-friendly site. F3 and the stuff I wrote on top of it work great…it's needed very few tweaks at all.
You should check out F3… Find yourself the mythical theme you want and roll your own like I did. You'll get exactly what you want…nothing more, nothing less…and you know who to blame for any deficiencies and bugs ;-)
-- sw
Using 755, I've tried owner:group of:
www-data:www-data
www-data:myUserName
myUserName:www-data
myUserName:myUserName
Only 775 gives me writable directories
Then I can only see that Apache or PHP is not running under www-data or myUserName, or you’ve only changed the directory permissions and not files so the files are still owned differently.
As I said earlier, my Linode Ubuntu 18 server allows 755 to work fine with myUserName:www-data
Then your Ubuntu 18 server must be running under myUserName (not www-data) or the files themselves are owned differently to myUserName:www-data.
Can you post the output of (on both your 18 and 20 servers):
ps -ef|grep apache2
(If you don’t get anything other than grep listed after this one, try replacing apache2 with httpd, I can’t remember if Ubuntu packages the binary as apache2 or it’s just the package name they changed.)
ps -ef|grep php
ls -al /path/to/wp/
(In this one we should see the files, like wp-config.php)
ls -al /path/to/wp/wp-content/
I hate WP
Same, I recently switched all my web sites to ExpressionEngine which is now open-sourced. You have to build the theme HTML yourself but it gives you so much flexibility and still gives you the content management side of things like WP.
@andysh --
I took a brief look at ExpressionEngine… It looks very nice…although a lot more work/expertise is required to set it up and maintain it than your average WP noob probably has. Still, work/expertise has its rewards…
I wish EE was not tied to MySQL…so that you could build smaller sites for low-traffic/-volume applications but that's a topic for another day. I imagine a port would prob be pretty easy (but I don't want to be burdened with support).
I built a site from scratch once with CodeIgniter…originally from the same developer as EE but now supported by a university in British Columbia. The framework is similar to F3 and, at 3.6MiB for the framework, still makes it very svelte compared to WP (at 55MiB…not counting plugins & themes). It's not tied to MySQL either.
I mostly don't write PHP anymore…vastly preferring Ruby… There are several Ruby CMSs but mostly built on top of Rails…something I know less about than WP.
@acanton77… I suggest you check out EE and kick WP to the curb. You'll probably save a lot of your hair…
-- sw
Hey @stevewi,
I took a brief look at ExpressionEngine… It looks very nice…
It is indeed, a very polished product which I bet comes from its commercial roots. You can do so much more out of the box with it than with WP - you’d need to spend $$$s on loads of WP plugins to get the same.
although a lot more work/expertise is required to set it up and maintain it than your average WP noob probably has
You’re not wrong there. The biggest draw of WP I think is the ability to switch themes without any development. EE is definitely for the professionals/dedicated/skilled.
I had a quick look at F3 this morning, I’d never heard of it before. I can certainly see some uses for it.
I had a quick look at F3 this morning, I’d never heard of it before. I can certainly see some uses for it.
The framework I built on top of it is 976K with about 97 classes -- with lots of inheritance so most classes are very (very!) small. There are 9 external dependencies installed by composer (mostly for stuff like validation).
-- sw
Can you post the output of (on both your 18 and 20 servers): ps -ef|grep apache2
Here are results:
ps -ef|grep apache2
root 130083 1 0 May07 ? 00:00:07 /usr/sbin/apache2 -k start
www-data 160340 130083 0 17:20 ? 00:00:02 /usr/sbin/apache2 -k start
www-data 160843 130083 0 17:47 ? 00:00:01 /usr/sbin/apache2 -k start
www-data 160844 130083 0 17:47 ? 00:00:01 /usr/sbin/apache2 -k start
www-data 160851 130083 0 17:48 ? 00:00:01 /usr/sbin/apache2 -k start
www-data 160853 130083 0 17:48 ? 00:00:01 /usr/sbin/apache2 -k start
www-data 161289 130083 0 18:38 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 161290 130083 0 18:38 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 161509 130083 0 18:59 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 161527 130083 0 19:00 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 161675 130083 0 19:10 ? 00:00:00 /usr/sbin/apache2 -k start
MyUser 161761 150139 0 19:22 pts/0 00:00:00 grep --color=auto apache2
ps -ef|grep php
myUser 161765 150139 0 19:22 pts/0 00:00:00 grep --color=auto php