Trellis Extra Security on folders and files

Hello,
I have been playing with Trellis and checking everything. You have done a great job.
We will soon use it for a production project.

One question that I have, and that is Trellis and WordPress related:

What is your opinion on securing files and folders so nginx+php-fpm:

  • will not be able to modify files in specific folders except uploads (and an array of folders)
  • will not be able to change file access rights
  • will not be able to delete files and folders except uploads (and an array of folders)

Basically, set up this:

groupadd www-pub # add a publisher group
usermod -a -G www-pub root # make root member of the publisher group

Then do something like this:

# Set restrictive rights on files and folders
chmod 755 /srv/www/example.com
find /srv/www/example.com -type d -exec chmod 2755 {} +
find /srv/www/example.com -type f -exec chmod 0644 {} +

# Change the default user:group for maximal security
chown -R root:www-pub /srv/www/example.com

# Allow the nginx user:group to write to a few folders (those written through WordPress)
chown -R web:www-data /srv/www/example.com/shared/uploads
chown -R web:www-data /srv/www/example.com/current/web/wp/wp-content/cache

What I want to prevent is a malicious script like this from working (and this actually works on the latest Trellis version):

<?php
// Probe script dropped into /srv/www/example.com/current/web/ to show what the
// php-fpm worker can do from there. Paths it touches:
//   /srv/www/example.com/current/web/
//   /srv/www/example.com/current/web/app/
//   /srv/www/example.com/current/web/wp/
//   /srv/www/example.com/current/README.md
//   /srv/www/example.com/current/LICENSE.md

echo generate_file(".");
echo generate_file("../");
echo generate_file("app/");
echo generate_file("wp/");
echo delete_file("../README.md");
echo change_right("../LICENSE.md");
echo delete_app_folder();

// Recursively remove the app/ directory: children first, then the directory itself.
function delete_app_folder() {
	$dir = 'app';
	$it = new RecursiveDirectoryIterator($dir, RecursiveDirectoryIterator::SKIP_DOTS);
	$files = new RecursiveIteratorIterator($it, RecursiveIteratorIterator::CHILD_FIRST);
	foreach ($files as $file) {
		if ($file->isDir()) {
			rmdir($file->getRealPath());
		} else {
			unlink($file->getRealPath());
		}
	}
	rmdir($dir);
	return "<br/>Finish deleting app folder<br/>";
}

// Make a file world-readable, -writable and -executable.
function change_right($filename) {
	chmod($filename, 0777);
	return "<br/>Finish change right " . $filename . "<br/>";
}

// Delete a single file.
function delete_file($filename) {
	unlink($filename);
	return "<br/>Finish delete file " . $filename . "<br/>";
}

// Drop a timestamped HACK*.html file into $folder and make it world-readable.
function generate_file($folder) {
	$p = "<html>\n
	<title>my html file written with php</title>\n
	<head>\n
	</head>\n
	<body>\n
	<BR><BR><BR><BR>\n
	This is the html file written by a php page.\n\n
	How do you like it?\n
	Here is a link: <a HREF='index.html'>home</a>.\n
	</body>\n
	</html>";

	$filename = "HACK" . date('Ymd-hi-s') . ".html";
	$a = fopen($folder . $filename, 'w');
	fwrite($a, $p);
	fclose($a);
	chmod($folder . $filename, 0644);

	return "<br/>Finish Generate for " . $folder . "<br/>";
}
?>

I know that this setup will prevent WordPress from updating from the back office, and that's what I want. (What about you?)
Basically, you manage updates in the Vagrant environment, save to the git repo, then lock down the production server.

PS: maybe it is just a simple change of owner on


What do you think?

Readings:


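As an added example (not Trellis code, and not from the post above), here is a small POSIX sh helper that applies the restrictive modes from the post to a site root and then audits which paths a php-fpm worker with a given uid/gid could still write to, excluding an allow-list such as shared/uploads. The layout (/srv/www/example.com, shared/uploads, a web:www-data worker) follows the post; the function and parameter names are mine, and the numeric uid/gid are whatever `id -u web` / `id -g web` return on the server. Ownership changes still need root and are left to the caller.

```shell
#!/bin/sh
# Hypothetical helpers (added example, not Trellis code): apply the restrictive
# modes from the post to a site root, then audit what the php-fpm worker could
# still write. The worker's uid/gid are passed numerically so the audit can also
# run on a checkout where the `web` user does not exist.

# set_modes <site-root>
# Directories 2755 (setgid, so new entries inherit the directory's group),
# files 0644. chown root:www-pub / web:www-data is the caller's job (root only).
set_modes() {
    root=$1
    find "$root" -type d -exec chmod 2755 {} +
    find "$root" -type f -exec chmod 0644 {} +
}

# audit_writable <site-root> <worker-uid> <worker-gid> [allowed-subdir ...]
# Prints every path the worker can write to: owned by its uid, group-writable
# and in its primary gid, or world-writable. Paths under the allowed subdirs
# (relative to the root, e.g. shared/uploads) are filtered out, so any line of
# output is a finding. find does not follow symlinks, so the uploads symlink
# under current/web/app is listed once, not traversed.
audit_writable() {
    root=$1; uid=$2; gid=$3; shift 3
    find "$root" \( -user "$uid" -o \( -group "$gid" -perm -0020 \) -o -perm -0002 \) -print |
    while IFS= read -r p; do
        skip=0
        for sub in "$@"; do
            case $p in "$root/$sub"|"$root/$sub"/*) skip=1 ;; esac
        done
        if [ "$skip" -eq 0 ]; then
            printf '%s\n' "$p"
        fi
    done
    return 0
}

# Server usage (as root), assuming the post's layout:
#   set_modes /srv/www/example.com
#   chown -R root:www-pub /srv/www/example.com
#   chown -R web:www-data /srv/www/example.com/shared/uploads
#   audit_writable /srv/www/example.com "$(id -u web)" "$(id -g web)" shared/uploads
```

Only the worker's primary gid is checked; if `web` belongs to further groups, add a `-group` clause per group. Running the audit after every deploy catches the case the thread is about: a plugin or a stray chmod making something outside the allow-list writable again.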


(Mainly commenting to follow discussion)

Thanks a lot for your reply.
I will cherry-pick this commit then :slight_smile:

Issue #368 mentions this:

A lot of plugins require write access to the web root to get full functionality. e.g. symlinking a db.php in place for query-monitor or W3TC. This might not work well for the majority of users.

But I’m curious if (given this is a few years old), anyone has tried this or knows if it is still relevant?

It seems like a benefit of being able to redeploy / reprovision quickly with Trellis is a semi-statelessness, and so the fact that plugins wouldn’t be able to break that stateless ‘state’ by ‘dirtying’ the filesystem is actually a feature, not a bug (this is just one way to think about this).

The way we use Trellis in our agency is like that: I added this security, so plugins are managed with Bedrock in composer.json, and if a plugin needs a writable folder, then we add a symlink to the shared folder.
So we have the security, and the plugin updates and tests are made on the local machine.
