Roots Discourse

Trellis Extra Security on folders and files

I have been playing with Trellis and checking everything. You have done a great job.
We will soon use it for a production project.

One question that I have, and that is Trellis and WordPress related:

What is your opinion on securing files and folders so nginx+php-fpm:

  • will not be able to modify files in specific folders except uploads (and an array of folders)
  • will not be able to change file access rights
  • will not be able to delete files and folders except uploads (and an array of folders)


Set up this

groupadd www-pub # add a publisher group
usermod -a -G www-pub root # make root member of the publisher group

Then do something like this

# Set restrictive rights on files and folder
chmod 755 /srv/www/
find /srv/www/ -type d -exec chmod 2755 {} +
find /srv/www/ -type f -exec chmod 0644 {} +

# Change default user:group for maximal security
chown -R root:www-pub /srv/www/

# Allow nginx user:group to access a few folders (those which will be written through Wordpress)
chown -R web:www-data /srv/www/
chown -R web:www-data /srv/www/

What I want to prevent is a malicious script like this from working (and this is actually working on the latest Trellis version):


<?php
// /srv/www/
// /srv/www/
// /srv/www/
// /srv/www/
// /srv/www/

echo generate_file(".");
echo generate_file("../");
echo generate_file("app/");
echo generate_file("wp/");
echo delete_file("../");
echo change_right("../");
echo delete_app_folder();

// Walks app/ children-first and removes every file and folder, then app/ itself.
function delete_app_folder() {
	//$dir = 'samples' . DIRECTORY_SEPARATOR . 'sampledirtree';
	$dir = 'app';
	$it = new RecursiveDirectoryIterator($dir, RecursiveDirectoryIterator::SKIP_DOTS);
	$files = new RecursiveIteratorIterator($it, RecursiveIteratorIterator::CHILD_FIRST);
	foreach($files as $file) {
	    if ($file->isDir()){
	        rmdir($file->getPathname());
	    } else {
	        unlink($file->getPathname());
	    }
	}
	rmdir($dir);
	return "<br/>Finish deleting app folder<br/>";
}

// Makes the target world-writable.
function change_right($filename){
	chmod($filename, 0777);
	return "<br/>Finish change right ".$filename."<br/>";
}

function delete_file($filename){
	unlink($filename);
	return "<br/>Finish delete file ".$filename."<br/>";
}

// Writes a timestamped HTML file into $folder.
function generate_file($folder){
	$p = "<title>my html file written with php</title>\n"
	   . "This is the html file written by a php page.\n\n"
	   . "How do you like it?\n"
	   . "Here is a link: <a HREF='index.html'>home</a>.\n";
	$filename = "HACK".date('Ymd-hi-s').".html";
	$a = fopen($folder.$filename, 'w');
	fwrite($a, $p);
	fclose($a);
	chmod($folder.$filename, 0644);
	return "<br/>Finish Generate for ".$folder."<br/>";
}


I know that this setup will prevent WordPress from updating from the back office, and that’s what I want. (What about you?)
Basically, you manage updates on the Vagrant env and save to the git repo, then lock on the production server.

PS: maybe it is just a simple change of owner on

What do you think?

Readings:

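As an added example (not part of this post or of Trellis), here is a POSIX shell audit that checks whether the locked-down layout above actually holds: it lists everything under a web root that the php-fpm user could still modify, skipping an allow-list of folders such as app/uploads. It assumes php-fpm runs as user web and group www-data (the names used in this thread); override WEB_USER / WEB_GROUP if yours differ.

```shell
# Audit a deployed web root for entries php-fpm could still write to.
# Assumptions (placeholders): php-fpm runs as WEB_USER:WEB_GROUP.
WEB_USER=${WEB_USER:-web}
WEB_GROUP=${WEB_GROUP:-www-data}

# audit_writable ROOT [ALLOWED_SUBDIR ...]
# Prints every path under ROOT that is:
#   - owned by WEB_USER (the owner can always chmod and rewrite it),
#   - owned by WEB_GROUP and group-writable, or
#   - world-writable,
# unless it lives under one of the ALLOWED_SUBDIRs (relative to ROOT).
# Owner/group tests are skipped when that user/group does not exist on
# this host, so the mode-bit checks still run on a laptop or in CI.
# Returns 0 when nothing was found, 1 otherwise.
audit_writable() {
  root=${1%/}; shift
  prune=''
  for sub in "$@"; do
    prune="$prune -path $root/${sub%/} -prune -o"
  done
  owner=''
  if find "$root" -maxdepth 0 -user "$WEB_USER" >/dev/null 2>&1; then
    owner="-user $WEB_USER -o"
  fi
  grp=''
  if find "$root" -maxdepth 0 -group "$WEB_GROUP" >/dev/null 2>&1; then
    grp="( -group $WEB_GROUP -perm -0020 ) -o"
  fi
  # Word splitting of $prune/$owner/$grp is intentional; the web root
  # path must not contain whitespace or glob characters.
  hits=$(find "$root" $prune \( $owner $grp -perm -0002 \) -print)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}
```

Run it after deploying, e.g. `audit_writable /srv/www/example.com/current app/uploads`; a non-zero exit with a list of paths means the chown/chmod step left something writable outside the allow-list.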

(Mainly commenting to follow discussion)

Thanks a lot for your reply.
I will cherry-pick this commit then :slight_smile:

Issue #368 mentions this:

A lot of plugins require write access to the web root to get full functionality. e.g. symlinking a db.php in place for query-monitor or W3TC. This might not work well for the majority of users.

But I’m curious if (given this is a few years old), anyone has tried this or knows if it is still relevant?

It seems like a benefit of being able to redeploy / reprovision quickly with Trellis is a semi-statelessness, and so the fact that plugins wouldn’t be able to break that stateless ‘state’ by ‘dirtying’ the filesystem is actually a feature, not a bug (this is just one way to think about this).

The way we use Trellis in our agency is like that: I added this security so plugins are managed with Bedrock in composer.json, and if a plugin needs a writable folder, then we add a symlink in the shared folder.
So we have the security, and the plugin updates and tests are made on the local machine.
