Topics

  • Permission Modes
    • Example Permission Modes
  • Permission Scheme for WordPress
    • Shared Hosting with suexec
  • Using an FTP Client
    • Unhide the hidden files
  • Using the Command Line
    • About Chmod
  • The dangers of 777
    • The Worst Outcome
    • Find a Workaround
  • Finding Secure File Permissions
    • Example Permission Settings
      • .htaccess permissions
      • php.ini permissions
      • php.cgi permissions
      • php5.cgi permissions
    • SELinux
      • How to determine if selinux is the problem?
    • See Also

On computer file systems, different files and directories have permissions that specify who and what can read, write, modify and access them. This is important because WordPress may need access to write to files in your wp-content directory to enable certain functions.

Permission Modes

  7       5     5
 user   group  world
 r+w+x  r+x    r+x
 4+2+1  4+0+1  4+0+1  = 755

The permission mode is computed by adding up the following values for the user, the file group, and for everyone else. The diagram shows how.

  • Read 4 – Allowed to read files
  • Write 2 – Allowed to write/modify files
  • eXecute 1 – Allowed to execute a file; on a directory, allowed to enter it and reach the files inside

  7       4     4
 user   group  world
 r+w+x  r      r
 4+2+1  4+0+0  4+0+0  = 744
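To make the 4/2/1 arithmetic concrete, here is an added POSIX shell example (not part of the WordPress documentation) that converts the symbolic string `ls -l` prints into the octal mode chmod takes, and back again. The function names sym_to_octal and octal_to_sym are invented for this example; it assumes only a POSIX shell with cut and sed.

```shell
#!/bin/sh
# Added example: symbolic <-> octal permission modes using the r=4, w=2, x=1
# sums from the diagrams above. Not part of the WordPress documentation.

# sym_to_octal 'rwxr-xr-x' -> 755
# Accepts the 9-character form or the 10-character `ls -l` form ('-rwxr-xr-x').
# setuid/setgid/sticky markers (s, t) count as execute for the 3-digit result.
sym_to_octal() {
    sym=$1
    case ${#sym} in
        10) sym=${sym#?} ;;   # drop the leading file-type character
        9) ;;
        *) echo "sym_to_octal: expected 9 or 10 characters, got '$1'" >&2; return 1 ;;
    esac
    out=""
    i=0
    while [ "$i" -lt 9 ]; do
        # Peel off one user/group/world triplet at a time.
        trip=$(printf '%s' "$sym" | cut -c "$((i + 1))-$((i + 3))")
        digit=0
        case $trip in r??) digit=$((digit + 4)) ;; esac
        case $trip in ?w?) digit=$((digit + 2)) ;; esac
        case $trip in ??[xst]) digit=$((digit + 1)) ;; esac
        out="$out$digit"
        i=$((i + 3))
    done
    printf '%s\n' "$out"
}

# octal_to_sym 644 -> rw-r--r--   (a leading 0, as in 0644, is accepted)
octal_to_sym() {
    mode=$1
    case $mode in
        [0-7][0-7][0-7]) ;;
        0[0-7][0-7][0-7]) mode=${mode#0} ;;
        *) echo "octal_to_sym: expected a 3-digit octal mode, got '$1'" >&2; return 1 ;;
    esac
    out=""
    # Split "644" into "6 4 4" and test each bit of each digit.
    for d in $(printf '%s' "$mode" | sed 's/./& /g'); do
        [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}

# Walk through the two diagrams from the text.
sym_to_octal rwxr-xr-x   # 755
sym_to_octal rwxr--r--   # 744
octal_to_sym 644         # rw-r--r--
```

The 10-character form is accepted so you can paste a column straight out of `ls -l` or an FTP client's listing and see what number the client is about to send.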

Example Permission Modes

Mode   Str Perms    Explanation
0477   -r--rwxrwx   owner has read only (4), other and group has rwx (7)
0677   -rw-rwxrwx   owner has rw only (6), other and group has rwx (7)
0444   -r--r--r--   all have read only (4)
0666   -rw-rw-rw-   all have rw only (6)
0400   -r--------   owner has read only (4), group and others have no permission (0)
0600   -rw-------   owner has rw only, group and others have no permission
0470   -r--rwx---   owner has read only, group has rwx, others have no permission
0407   -r-----rwx   owner has read only, other has rwx, group has no permission
0670   -rw-rwx---   owner has rw only, group has rwx, others have no permission
0607   -rw----rwx   owner has rw only, group has no permission and others have rwx

Permission Scheme for WordPress

Permissions will be different from host to host, so this guide only details general principles. It cannot cover all cases. This guide applies to servers running a standard setup (note: for shared hosting using "suexec" methods, see below).

Typically, all files should be owned by your user (ftp) account on your web server, and should be writable by that account. On shared hosts, files should never be owned by the webserver process itself (sometimes this is the www, apache, or nobody user).

Any file that needs write access from WordPress should be owned or group-owned by the user account used by WordPress (which may be different from the server account). For example, you may have a user account that lets you FTP files back and forth to your server, but your server itself may run using a separate user, in a separate usergroup, such as dhapache or nobody. If WordPress is running as the FTP account, that account needs to have write access, i.e., be the owner of the files, or belong to a group that has write access. In the latter case, that would mean permissions are set more permissively than default (for example, 775 rather than 755 for folders, and 664 instead of 644).

The file and folder permissions of WordPress should be the same for most users, depending on the type of installation you performed and the umask settings of your system environment at the time of install.

Note: If an experienced user installed WordPress for you, you likely do not need to modify file permissions. Unless you are experiencing problems with permission errors, or you want to, you probably should not mess with this.

Note: If you installed WordPress yourself, you likely DO need to modify file permissions. Some files and directories should be "hardened" with stricter permissions, specifically the wp-config.php file. This file is initially created with 644 permissions, and it's a hazard to leave it like that. See Security and Hardening.

Typically, all core WordPress files should be writable only by your user account (or the httpd account, if different). (Sometimes though, multiple ftp accounts are used to manage an install, and if all ftp users are known and trusted, i.e., not a shared host, then assigning group writable may be appropriate. Ask your server admin for more info.) However, if you use mod_rewrite Permalinks or other .htaccess features you should make sure that WordPress can also write to your /.htaccess file.

If you want to use the built-in theme editor, all files need to be group writable. Try using it before modifying file permissions; it should work. (This may be true if different users uploaded the WordPress package and the Plugin or Theme. This wouldn't be a problem for Plugins and Themes installed via the admin. When uploading files with different ftp users, group writable is needed. On shared hosting, make sure the group is exclusive to users you trust… the apache user shouldn't be in the group and shouldn't own files.)

Some plugins require the /wp-content/ folder be made writeable, but in such cases they will let you know during installation. In some cases, this may require assigning 755 permissions. The same is true for /wp-content/cache/ and maybe /wp-content/uploads/ (if you're using MultiSite you may also need to do this for /wp-content/blogs.dir/).

Additional directories under /wp-content/ should be documented by whatever plugin / theme requires them. Permissions will vary.

/
|- index.php
|- wp-admin
|   `- wp-admin.css
|- wp-blog-header.php
|- wp-comments-post.php
|- wp-commentsrss2.php
|- wp-config.php
|- wp-content
|   |- cache
|   |- plugins
|   |- themes
|   `- uploads
|- wp-cron.php
|- wp-includes
`- xmlrpc.php

Shared Hosting with suexec

The above may not apply to shared hosting systems that use the "suexec" approach for running PHP binaries. This is a popular approach used by many web hosts. For these systems, the php process runs as the owner of the php files themselves, allowing for a simpler configuration and a more secure environment for the specific case of shared hosting.

Note: suexec methods should NEVER be used on a single-site server configuration; they are more secure only for the specific case of shared hosting.

In such a suexec configuration, the correct permissions scheme is simple to understand.

  • All files should be owned by the actual user's account, not the user account used for the httpd process.
  • Group ownership is irrelevant, unless there are specific group requirements for the web-server process's permission checking. This is not usually the case.
  • All directories should be 755 or 750.
  • All files should be 644 or 640. Exception: wp-config.php should be 440 or 400 to prevent other users on the server from reading it.
  • No directories should ever be given 777, even upload directories. Since the php process is running as the owner of the files, it gets the owner's permissions and can write to even a 755 directory.

In this specific type of setup, WordPress will detect that it can directly create files with the proper ownership, and so it will not ask for FTP credentials when upgrading or installing plugins.
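The scheme in the Permission Scheme section and the suexec variant above reduce to a handful of chmod rules. As an added example (not the project's own tooling and not from the WordPress documentation), the following POSIX shell script applies either set to an install tree. It assumes Linux (GNU or busybox find, chmod and stat) and that ownership is already correct, since chmod cannot change who owns a file; the function names, the scheme names and the demo tree it builds are all invented for this example.

```shell
#!/bin/sh
# Added example (not part of the WordPress documentation): apply the baseline
# permission scheme from this page to an install tree. Assumes Linux (GNU or
# busybox find/chmod/stat) and that file OWNERSHIP is already correct; chmod
# cannot fix ownership, which is set by the host or with chown as root.
#
#   wp_set_perms /path/to/wordpress [standard|suexec]
#   standard: directories 755, files 644, wp-config.php 600
#   suexec:   directories 750, files 640, wp-config.php 400
#             (php runs as the file owner, so group/world bits are not needed)
wp_set_perms() {
    root=$1
    scheme=${2:-standard}
    [ -d "$root" ] || { echo "wp_set_perms: '$root' is not a directory" >&2; return 1; }
    case $scheme in
        standard) dmode=755; fmode=644; cmode=600 ;;
        suexec)   dmode=750; fmode=640; cmode=400 ;;
        *) echo "wp_set_perms: unknown scheme '$scheme' (standard|suexec)" >&2; return 1 ;;
    esac
    # Directories keep the execute bit so they can be entered; files lose it.
    find "$root" -type d -exec chmod "$dmode" {} +
    find "$root" -type f -exec chmod "$fmode" {} +
    # wp-config.php holds the database credentials, so it gets the tightest mode.
    [ -f "$root/wp-config.php" ] && chmod "$cmode" "$root/wp-config.php"
    return 0
}

# Octal mode of one path, e.g. "644" (GNU/busybox stat syntax).
mode_of() {
    stat -c '%a' "$1"
}

# Build a small CONSTRUCTED install tree for demonstration and print its path.
make_demo_tree() {
    d=$(mktemp -d)
    (
        umask 022   # start from 755/644 regardless of the caller's umask
        mkdir -p "$d/wp-content/uploads" "$d/wp-admin" "$d/wp-includes"
        : > "$d/index.php"
        : > "$d/wp-config.php"
        : > "$d/wp-content/uploads/image.png"
        chmod 777 "$d/wp-content/uploads"            # the classic over-permissive upload dir
        chmod 666 "$d/wp-content/uploads/image.png"
    )
    printf '%s\n' "$d"
}

if [ "${1:-}" = "demo" ]; then
    tree=$(make_demo_tree)
    for p in wp-config.php wp-content/uploads wp-content/uploads/image.png; do
        echo "before: $(mode_of "$tree/$p") $p"
    done
    wp_set_perms "$tree" standard
    for p in wp-config.php wp-content/uploads wp-content/uploads/image.png; do
        echo "after:  $(mode_of "$tree/$p") $p"
    done
    rm -rf "$tree"
fi
```

Run it with `demo` as the first argument to see the modes before and after on the constructed tree. On a real install, run it once as the file owner and then re-check that WordPress can still write where it needs to (uploads, and .htaccess if you use Permalinks) before tightening anything further.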

Popular methods used by sysadmins for this setup are:

  • suPHP, runs through php-cgi, currently unmaintained since 2013.
  • mod_ruid2, apache module, currently unmaintained since 2013.
  • mpm-itk, apache module.
  • mod_fcgid, an Apache module and FastCGI server with more extensive configuration.
  • PHP-FPM, an alternative FastCGI server with shared OPCode, for use with Apache and Nginx.

Using an FTP Client

FTP programs ("clients") allow you to set permissions for files and directories on your remote host. This function is often called chmod or set permissions in the program menu.

In a WordPress install, two files that you will probably want to alter are the index page, and the css which controls the layout. Here's how you change index.php – the process is the same for any file.

In the screenshot below, look at the last column – that shows the permissions. It looks a bit confusing, but for now just note the sequence of letters.

[Screenshot: Initial permissions]

Right-click 'index.php' and select 'File Permissions'. A popup screen will appear.

[Screenshot: Altering file permissions]

Don't worry about the check boxes. Just delete the 'Numeric value:' and enter the number you need – in this case it's 666. Then click OK.

[Screenshot: Permissions have been altered.]

You can now see that the file permissions have been changed.

Unhide the hidden files

By default, most FTP clients, including FileZilla, keep hidden files, those files beginning with a period (.), from being displayed. But, at some point, you may need to see your hidden files so that you can change the permissions on that file. For example, you may need to make your .htaccess file, the file that controls permalinks, writeable.

To display hidden files in FileZilla, select 'View' from the top menu, then select 'Show hidden files'. The screen display of files will refresh and any previously hidden file should come into view.

To get FileZilla to always show hidden files – under Edit, Settings, Remote File List, check the 'Always show hidden files' box.

In the latest version of FileZilla, the 'Show hidden files' option was moved to the 'Server' tab. Select 'Force show hidden files'.

Using the Command Line

If you have shell/SSH access to your hosting account, you can use chmod to change file permissions, which is the preferred method for experienced users. Before you start using chmod it is recommended to read some tutorials to make sure you understand what you can achieve with it. Setting incorrect permissions can take your site offline, so please take your time.

  • Unix Permissions

You can make all the files in your wp-content directory writable in two steps, but before making every single file and folder writable you should first try safer alternatives like modifying just the directory. Try each of these commands first, and if they don't work then go recursive, which will make even your theme's image files writable. Replace DIR with the folder you want to write in:

chmod -v 746 DIR
chmod -v 747 DIR
chmod -v 756 DIR
chmod -v 757 DIR
chmod -v 764 DIR
chmod -v 765 DIR
chmod -v 766 DIR
chmod -v 767 DIR

If those fail to allow you to write, try them all again in order, except this time replace -v with -R, which will recursively change each file located in the folder. If after that you still can't write, you may now try 777.

About Chmod

chmod is a unix command that means "change mode" on a file. The -R flag means to apply the change to every file and directory inside of wp-content. 766 is the mode we are changing the directory to; it means that the directory is readable and writable by WordPress and by any and all other users on your system. Finally, we have the name of the directory we are going to modify, wp-content. If 766 doesn't work, you can try 777, which makes all files and folders readable, writable, and executable by all users, groups, and processes.

If you use Permalinks you should also change permissions of .htaccess to make sure that WordPress can update it when you change settings such as adding a new page, redirect, category, etc., which requires updating the .htaccess file when mod_rewrite Permalinks are being used.

  1. Go to the main directory of WordPress
  2. Enter chmod -v 666 .htaccess

NOTE: From a security standpoint, even a small amount of protection is preferable to a world-writeable directory. Start with low permissive settings like 744, working your way up until it works. Only use 777 if necessary, and hopefully only for a temporary amount of time.

The dangers of 777

The crux of this permission issue is how your server is configured. The username you use to FTP or SSH into your server is most likely not the username used by the server application itself to serve pages.

  7       7     7
 user   group  world
 r+w+x  r+w+x  r+w+x
 4+2+1  4+2+1  4+2+1  = 777

Often the Apache server is 'owned' by the www-data, dhapache or nobody user accounts. These accounts have a limited amount of access to files on the server, for a very good reason. By setting your personal files and folders owned by your user account to be World-Writable, you are literally making them World Writable. Now the www-data, dhapache and nobody users that run your server, serving pages, executing php interpreters, etc. will have full access to your user account files.

This provides an avenue for someone to gain access to your files by hijacking basically any process on your server; this also includes any other users on your machine. So you should think carefully about modifying permissions on your machine. I've never come across anything that needed more than 767, so when you see 777 ask why it's necessary.
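The settings this section warns about are easy to find before anyone else does. Here is an added shell audit (not from the WordPress documentation) that lists every world-writable path, every group-writable path, and a wp-config.php that other accounts can read, and exits non-zero when it finds any. It assumes Linux find and stat; the finding labels and the function names wp_audit_perms and wp_audit_count are invented for this example.

```shell
#!/bin/sh
# Added example (not part of the WordPress documentation): audit an install
# tree for the over-permissive modes described above. Prints one finding per
# line as "<LABEL> <mode> <path>" and returns 1 if anything was found, so it
# can gate a deploy step. Assumes GNU or busybox find and stat (Linux).
wp_audit_perms() {
    root=$1
    [ -d "$root" ] || { echo "wp_audit_perms: '$root' is not a directory" >&2; return 2; }
    findings=$(
        # Writable by "others": every local account and the web-server process can
        # modify it (777, 767, 666 ...).
        find "$root" -perm -0002 -exec stat -c 'WORLD_WRITABLE %a %n' {} +
        # Writable by the group only: acceptable per the text when the group is
        # limited to trusted accounts, so it is reported under its own label.
        find "$root" ! -perm -0002 -perm -0020 -exec stat -c 'GROUP_WRITABLE %a %n' {} +
        # wp-config.php readable by others: database credentials exposed to any
        # other account on the host (644, the initial default, triggers this).
        find "$root" -maxdepth 1 -name wp-config.php -perm -0004 \
            -exec stat -c 'CONFIG_WORLD_READABLE %a %n' {} +
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Number of findings for ROOT (0 on a clean tree); always exits 0.
wp_audit_count() {
    wp_audit_perms "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "demo" ]; then
    # CONSTRUCTED tree with the two most common problems.
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    : > "$d/wp-config.php"
    chmod 644 "$d/wp-config.php"           # WordPress's initial default
    chmod 777 "$d/wp-content/uploads"      # the "just make it work" setting
    wp_audit_perms "$d" || echo "audit found problems (exit $?)"
    rm -rf "$d"
fi
```

Run it with `demo` to see the two findings on the constructed tree, or point it at a real install from a cron job or deploy hook; a non-zero exit is the signal to look. Paths are listed by find, so a tree with many entries is scanned once per check rather than one stat call per file.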

The Worst Outcome

The worst that can happen as a result of using 777 permissions on a folder or even a file is that if a malicious cracker or entity is able to upload a devious file or modify a current file to execute code, they will have complete control over your blog, including having your database information and password.

Find a Workaround

It is usually pretty easy to have the enhanced features provided by the impressive WordPress plugins available without having to put yourself at risk. Contact the plugin author or your server support and request a workaround.

Finding Secure File Permissions

The .htaccess file is one of the files that is accessed by the owner of the process running the server. So if you set the permissions too low, then your server won't be able to access the file and will cause an error. Therein lies the method to find the most secure settings: start too restrictive and increase the permissions until it works.

Example Permission Settings

The following example has a custom compiled php-cgi binary and a custom php.ini file located in the cgi-bin directory for executing php scripts. To prevent the interpreter and php.ini file from being accessed directly in a web browser they are protected with a .htaccess file.

Default Permissions (umask 022)

644 -rw-r--r--  /home/user/wp-config.php
644 -rw-r--r--  /home/user/cgi-bin/.htaccess
644 -rw-r--r--  /home/user/cgi-bin/php.ini
755 -rwxr-xr-x  /home/user/cgi-bin/php.cgi
755 -rwxr-xr-x  /home/user/cgi-bin/php5.cgi

Secured Permissions

600 -rw-------  /home/user/wp-config.php
604 -rw----r--  /home/user/cgi-bin/.htaccess
600 -rw-------  /home/user/cgi-bin/php.ini
711 -rwx--x--x  /home/user/cgi-bin/php.cgi
100 ---x------  /home/user/cgi-bin/php5.cgi

.htaccess permissions

644 > 604 – The bit allowing the group owner of the .htaccess file read permission was removed. 644 is normally required and recommended for .htaccess files.

php.ini permissions

644 > 600 – Previously all groups and all users with access to the server could access the php.ini, even by just requesting it from the site. The tricky thing is that because the php.ini file is only used by the php.cgi, we only needed to make sure the php.cgi process had access. The php.cgi runs as the same user that owns both files, so that single user is now the only user able to access this file.

php.cgi permissions

755 > 711 – This file is a compiled php-cgi binary used instead of mod_php or the default vanilla php provided by the hosting company. The default permissions for this file are 755.

php5.cgi permissions

755 > 100 – Because of the setup where the user account is the owner of the process running the php cgi, no other user or group needs access, so we disable all access except execution access. This is interesting because it actually works. You can try reading the file, writing to the file, etc. but the only access you have to this file is to run php scripts. And as the owner of the file you can always change the permission modes back again.

$ cat php5.cgi
cat: php5.cgi: Permission denied
$ ./php5.cgi
Welcome

SELinux

Security Enhanced Linux (SELinux) is a kernel security module that provides mechanisms by which processes can be sandboxed into particular contexts. This is of particular use to limit the actions that web pages can perform on other parts of the operating system. Actions that are denied by the security policy are often hard to distinguish from regular file permission errors.

SELinux is typically installed on Red Hat family distributions (e.g., CentOS, Fedora, Scientific, Amazon and others).

How to determine if selinux is the problem?

If you are on a Debian-based distribution, you are probably fine.

Run the following command (on rpm-based systems):

# rpm -qa | grep selinux
selinux-policy-targeted-3.13.1-166.el7_4.7.noarch
selinux-policy-3.13.1-166.el7_4.7.noarch
libselinux-2.5-11.el7.x86_64
libselinux-python-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64

and to check whether it is the cause of denials of permissions:

# getenforce
Enforcing

One issue that SELinux causes is blocking the wp-admin tools from writing out the `.htaccess` file that is required for URL rewriting. There are several commands for inspecting this behaviour:

# audit2allow -w -a
type=AVC msg=audit(1517275570.388:55362): avc:  denied  { write } for  pid=11831 comm="httpd" path="/var/www/example.org/.htaccess" dev="vda1" ino=67137959 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
        Was caused by:
        The boolean httpd_unified was set incorrectly.
        Description:
        Allow httpd to unified

        Allow access by executing:
        # setsebool -P httpd_unified 1

and

# ausearch -m avc -c httpd
----
time->Tue Jan 30 01:30:31 2018
type=PROCTITLE msg=audit(1517275831.762:55364): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1517275831.762:55364): arch=c000003e syscall=21 success=no exit=-13 a0=55b9c795d268 a1=2 a2=0 a3=1 items=0 ppid=11826 pid=11829 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(nil)
type=AVC msg=audit(1517275831.762:55364): avc:  denied  { write } for  pid=11829 comm="httpd" name="bioactivator.org" dev="vda1" ino=67137958 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
----

You can temporarily disable SELinux to determine if it is the cause of the problems:

# setenforce
usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]
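To tell an SELinux denial apart from an ordinary permission error quickly, here is an added POSIX shell/awk example (not part of the WordPress documentation) that reduces raw AVC records like the ones above to the fields that matter: the permission denied, the process, the source and target types, and the target path or name. The sample records are constructed from the ones shown on this page, with the directory name changed to example.org; the function names summarize_avc and sample_avc_records are invented for this example.

```shell
#!/bin/sh
# Added example (not part of the WordPress documentation): summarise SELinux
# AVC denial records. Reads audit-format lines (ausearch -m avc / audit2allow
# output) on stdin and prints, per type=AVC record:
#   <perm> <comm> <tclass> <source type> -> <target type> <target>
summarize_avc() {
    awk '
        /^type=AVC/ {
            perm = ""; comm = ""; target = ""; tclass = ""; s = ""; t = ""
            # The denied permission set sits between braces: "{ write }".
            if (match($0, /[{] [a-z_ ]+ [}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm") comm = kv[2]
                else if (kv[1] == "path" || kv[1] == "name") target = kv[2]
                else if (kv[1] == "tclass") tclass = kv[2]
                # contexts are user:role:type:level; the type is what policy keys on
                else if (kv[1] == "scontext") { split(kv[2], c, ":"); s = c[3] }
                else if (kv[1] == "tcontext") { split(kv[2], c, ":"); t = c[3] }
            }
            gsub("\"", "", comm); gsub("\"", "", target)
            printf "%s %s %s %s -> %s %s\n", perm, comm, tclass, s, t, target
        }
    '
}

# CONSTRUCTED sample: the AVC records from this page plus one SYSCALL record,
# which the summariser must skip. The directory name is changed to example.org.
sample_avc_records() {
    cat <<'EOF'
type=AVC msg=audit(1517275570.388:55362): avc:  denied  { write } for  pid=11831 comm="httpd" path="/var/www/example.org/.htaccess" dev="vda1" ino=67137959 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1517275831.762:55364): arch=c000003e syscall=21 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(nil)
type=AVC msg=audit(1517275831.762:55364): avc:  denied  { write } for  pid=11829 comm="httpd" name="example.org" dev="vda1" ino=67137958 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
EOF
}

# On a live system: ausearch -m avc -c httpd | summarize_avc
sample_avc_records | summarize_avc
```

Both sample records summarise as httpd_t wanting write on something labelled httpd_sys_content_t. That combination is a labelling problem, not a Unix mode problem, so chmod 777 will not make it go away. Beyond what the page shows: rather than switching to Permissive or flipping httpd_unified for the whole tree, a narrower fix is to relabel only the paths WordPress must write (the .htaccess file, wp-content/uploads) with the httpd_sys_rw_content_t type, for example with chcon -t httpd_sys_rw_content_t.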

See Also

  • Support Forum thread
  • htaccess for subdirectories
  • Override WordPress Default permissions