Roots Discourse

Trellis Extra Security on folders and files

Hello,
I have been playing with Trellis and checking everything. you have done a great job.
we will soon use it for production project.

One question that i have and that is Trellis and Wordpress related :

What is your opinion on securing files and folders so nginx+php-fpm :

  • will not be able to modify files on specific folder exept uploads (and a array of folders)
  • will not be able to change file access rights
  • will not be able to delete file and folders exept uploads (and a array of folders)

basically,

Set up this

groupadd www-pub # add a publisher group
usermod -a -G www-pub root # make root member of the publisher group

Then do something like this

# Set restrictive rights on files and folder
chmod 755 /srv/www/example.com
find /srv/www/example.com -type d -exec chmod 2755 {} +
find /srv/www/example.com -type f -exec chmod 0644 {} +

# Change default user:group for maximal security
chown -R root:www-pub /srv/www/example.com

# Allow nginx user:group to access a few folders (those which will be written through Wordpress)
chown -R web:www-data /srv/www/example.com/shared/uploads
chown -R web:www-data /srv/www/example.com/current//web/wp/wp-content/cache

what i want to prevent, is a malicious script like this to work (and this is actually working on last trellis version)

<?php 


// /srv/www/example.com/current/web/
// /srv/www/example.com/current/web/app/
// /srv/www/example.com/current/web/wp/
// /srv/www/example.com/current/README.md
// /srv/www/example.com/current/LICENSE.md



echo generate_file(".");
echo generate_file("../");
echo generate_file("app/");
echo generate_file("wp/");
echo delete_file("../README.md");
echo change_right("../LICENSE.md");
echo delete_app_folder();


function delete_app_folder() {
	//$dir = 'samples' . DIRECTORY_SEPARATOR . 'sampledirtree';
	$dir = 'app';
	$it = new RecursiveDirectoryIterator($dir, RecursiveDirectoryIterator::SKIP_DOTS);
	$files = new RecursiveIteratorIterator($it,
	             RecursiveIteratorIterator::CHILD_FIRST);
	foreach($files as $file) {
	    if ($file->isDir()){
	        rmdir($file->getRealPath());
	    } else {
	        unlink($file->getRealPath());
	    }
	}
	rmdir($dir);
	return "<br/>Finish deleting app folder<br/>";
}

function change_right($filename){
	chmod($filename, 0777);
	return "<br/>Finish change right ".$filename."<br/>";
}


function delete_file($filename){
	unlink($filename);
	return "<br/>Finish delete file ".$filename."<br/>";
}


function generate_file($folder){

	$p="<html>\n
	<title>my html file written with php</title>\n
	<head>\n
	</head>\n
	<body>\n
	<BR><BR><BR><BR>\n
	This is the html file written by a php page.\n\n
	How do you like it?\n
	Here is a link: <a HREF='index.html'>home</a>.\n
	</body>\n
	</html>";
	
	$filename = "HACK".date('Ymd-hi-s').".html";
	$a = fopen($folder.$filename, 'w');
	fwrite($a, $p);
	fclose($a);
	chmod($folder.$filename, 0644);
	
	return "<br/>Finish Generate for ".$folder."<br/>";

}

?>

I know that this setup will prevent wordpress to update from back office, and that’s what i want. (what about you)
basically, you on vagrant env manage update and save to git repo then lock on production server

ps : may be it is just a simple change of owner on


what do you think ?

readings :



Related:

(Mainly commenting to follow discussion)

Thanks a lot for your reply.
i will cherry-pick this commit then :slight_smile:

Issue #368 mentions this:

A lot of plugins require write access to the web root to get full functionality. e.g. symlinking a db.php in place for query-monitor or W3TC. This might not work well for the majority of users.

But I’m curious if (given this is a few years old), anyone has tried this or knows if it is still relevant?

It seems like a benefit of being able to redeploy / reprovision quickly with Trellis is a semi-statelessness, and so the fact that plugins wouldn’t be able to break that stateless ‘state’ by ‘dirtying’ the filesystem is actually a feature, not a bug (this is just one way to think about this).

the way we use trellis in our agency is like that : i added this security so plugins are managed with bedrock on composer.json and if a plugin need a writable folder, then we add a symlink on the share folder.
so we have the security and the plugin updates and tests are made on local machine.

1 Like