Hello,
I have been playing with Trellis and checking everything. You have done a great job.
We will soon use it for a production project.
One question that I have, and that is Trellis and WordPress related:
What is your opinion on securing files and folders so that nginx+php-fpm:
- will not be able to modify files in specific folders, except uploads (and an array of folders)
- will not be able to change file access rights
- will not be able to delete files and folders, except uploads (and an array of folders)
Basically,
set up this:
groupadd www-pub # add a publisher group
usermod -a -G www-pub root # make root member of the publisher group
Then do something like this:
# Set restrictive rights on files and folders
chmod 755 /srv/www/example.com
find /srv/www/example.com -type d -exec chmod 2755 {} +
find /srv/www/example.com -type f -exec chmod 0644 {} +
# Change the default user:group for maximal security
chown -R root:www-pub /srv/www/example.com
# Allow the nginx user:group to access a few folders (those which will be written through WordPress)
chown -R web:www-data /srv/www/example.com/shared/uploads
chown -R web:www-data /srv/www/example.com/current/web/wp/wp-content/cache
What I want to prevent is a malicious script like this from working (and this is actually working on the latest Trellis version):
<?php
// Paths this script touches (run from the web root of the current release):
// /srv/www/example.com/current/web/
// /srv/www/example.com/current/web/app/
// /srv/www/example.com/current/web/wp/
// /srv/www/example.com/current/README.md
// /srv/www/example.com/current/LICENSE.md

// Drop an HTML file in the web root, in its parent, and in app/ and wp/
echo generate_file(".");
echo generate_file("../");
echo generate_file("app/");
echo generate_file("wp/");
// Delete one file and loosen the rights on another, both above the web root
echo delete_file("../README.md");
echo change_right("../LICENSE.md");
// Recursively wipe the whole app/ folder
echo delete_app_folder();

function delete_app_folder() {
    //$dir = 'samples' . DIRECTORY_SEPARATOR . 'sampledirtree';
    $dir = 'app';
    $it = new RecursiveDirectoryIterator($dir, RecursiveDirectoryIterator::SKIP_DOTS);
    // CHILD_FIRST: children are visited before their directory, so each dir is empty by the time rmdir() runs
    $files = new RecursiveIteratorIterator($it, RecursiveIteratorIterator::CHILD_FIRST);
    foreach ($files as $file) {
        if ($file->isDir()) {
            rmdir($file->getRealPath());
        } else {
            unlink($file->getRealPath());
        }
    }
    rmdir($dir);
    return "<br/>Finish deleting app folder<br/>";
}

function change_right($filename) {
    chmod($filename, 0777);
    return "<br/>Finish change right " . $filename . "<br/>";
}

function delete_file($filename) {
    unlink($filename);
    return "<br/>Finish delete file " . $filename . "<br/>";
}

function generate_file($folder) {
    $p = "<html>\n
    <title>my html file written with php</title>\n
    <head>\n
    </head>\n
    <body>\n
    <BR><BR><BR><BR>\n
    This is the html file written by a php page.\n\n
    How do you like it?\n
    Here is a link: <a HREF='index.html'>home</a>.\n
    </body>\n
    </html>";
    // Timestamped name so repeated runs never collide
    $filename = "HACK" . date('Ymd-hi-s') . ".html";
    $a = fopen($folder . $filename, 'w');
    fwrite($a, $p);
    fclose($a);
    chmod($folder . $filename, 0644);
    return "<br/>Finish Generate for " . $folder . "<br/>";
}
?>
I know that this setup will prevent WordPress from updating from the back office, and that's what I want (what about you?).
Basically, on the Vagrant env you manage updates and save to the git repo, then lock on the production server.
PS: maybe it is just a simple change of owner on
What do you think?
Readings:
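To go with the chown/chmod scheme in the post above, here is the check I would run right after locking a tree down: it lists everything the php-fpm identity can still write and fails if any of that lies outside the directories you meant to leave open (the post's uploads and wp-content/cache). This is an added example, not code from the post or from Trellis. It assumes php-fpm runs as the numeric uid/gid you pass in (the post uses web:www-data) and that the paths under /srv/www/example.com are the post's; the demo tree it builds is a constructed stand-in that uses group-write on the two open directories in place of the post's chown to web:www-data, which needs root.

```sh
#!/bin/sh
# Added example (not from the original post, not part of Trellis): audit a
# WordPress deploy tree for paths the php-fpm identity could still write.
# Pure mode-bit audit: it does not see POSIX ACLs (check those with getfacl)
# and says nothing about what nginx will hand to php-fpm from those dirs.

# audit_writable ROOT UID GID
# Print, sorted, every path under ROOT writable by a process with uid UID and
# gid GID: owned by UID with u+w (0200), group GID with g+w (0020), or o+w (0002).
audit_writable() {
    find "$1" \( -uid "$2" -perm -200 \) -o \( -gid "$3" -perm -020 \) -o -perm -002 | sort
}

# check_locked ROOT UID GID ALLOWED_DIR...
# Succeed only when every writable path sits inside one of the ALLOWED_DIR
# absolute paths; otherwise list the offenders on stderr and fail.
check_locked() {
    root=$1; uid=$2; gid=$3; shift 3
    bad=$(audit_writable "$root" "$uid" "$gid" | while IFS= read -r p; do
        inside=0
        for a in "$@"; do
            case "$p" in "$a"|"$a"/*) inside=1 ;; esac
        done
        if [ "$inside" -eq 0 ]; then printf '%s\n' "$p"; fi
    done)
    if [ -n "$bad" ]; then
        printf 'writable outside the allowed dirs:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# make_demo_tree DIR
# Constructed stand-in for the post's deploy layout, so the audit can run
# without root. Modes follow the post (2755 dirs, 0644 files); the two
# WordPress-writable dirs get g+w as a stand-in for the post's root-only
# chown to web:www-data.
make_demo_tree() {
    mkdir -p "$1/current/web/app" "$1/current/web/wp/wp-content/cache" "$1/shared/uploads"
    printf 'readme\n' > "$1/current/README.md"
    printf '<?php\n' > "$1/current/web/index.php"
    find "$1" -type d -exec chmod 2755 {} +
    find "$1" -type f -exec chmod 0644 {} +
    chmod 2775 "$1/shared/uploads" "$1/current/web/wp/wp-content/cache"
}

# Demo: audit the constructed tree as a uid that owns nothing in it (like web
# against root-owned files) but shares the group of the two open dirs.
# Against a real deploy the call would be:
#   check_locked /srv/www/example.com "$(id -u web)" "$(id -g web)" \
#       /srv/www/example.com/shared/uploads \
#       /srv/www/example.com/current/web/wp/wp-content/cache
demo_dir=$(mktemp -d)
make_demo_tree "$demo_dir"
other_uid=$(( $(id -u) + 1 ))
if check_locked "$demo_dir" "$other_uid" "$(id -g)" \
        "$demo_dir/shared/uploads" "$demo_dir/current/web/wp/wp-content/cache"; then
    echo "locked down: only uploads and wp-content/cache are writable"
fi
rm -rf "$demo_dir"
```

Two caveats worth keeping in mind when you read its output: it only reads mode bits, so a setfacl grant slips past it, and the directories it reports as writable are exactly where a dropped .php would land, so confirm separately that your nginx config refuses to pass files under uploads and wp-content/cache to php-fpm.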