Why is the root directory in a DO wordpress droplet group writable?

April 2, 2018 1.1k views
WordPress System Tools Ubuntu 16.04

Hello, I have created droplet with wordpress 4.9.1 on ubuntu 16.04 using standard Digital Ocean one-click-app creator. After installation everything had been working properly but after a while I figured out that ufw was showing wired warning “/ is group writable!” on the top of every ufw commands output. So for example every time I executes sudo ufw status verbose it prints something like this:

WARN: / is group writable!
Status: active
[my firewall’s rules here]

ls -ld / shows that indeed privileges of / are drwxrwxr-x, insteed of typical 755.

Actually, I don’t have much experience on linux administration, but I have never seen that kind of setting before, so it is a little bit strange for me. On the other hand this setting comes from basic DO installation and I don’t want to break my droplet down by changing that.
So here are my questions:

  1. I’m curious about Why is this setting like it is?
  2. Should/May I change privileges, or do something else which will satisfy this warning?
  3. Should I worry about it?
2 Answers
ryanpq MOD April 3, 2018
Accepted Answer

Thanks for reaching out! I created a WordPress droplet and were able to confirm this is occurring. To answer your questions:

  1. I reached out to our Kernels and Images team to investigate this and ensure that the permissions on / are the expected defaults on future updates.

  2. Absolutely. This should resolve the warning and as the root user you have full permissions to do so.

  3. Probably not. I'm not a security expert (20+ year sysadmin/developer though) but I am not aware of any major issues that would result from these particular permissions. That being said, there is no reason to maintain a non-standard configuration unless you have a specific need to so I would recommend making the change just to prevent any future confusion if another error or warning like the ufw one pops up (especially if it isn't as descriptive of the source of the issue).

  • Thanks for your comprehensive reply. I have changed "/" privileges and everything seems ok now.

Had the same issue just now on the latest Docker image. Did a chmod 755 / to deal with the error and now all is well:

ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         LIMIT IN    Anywhere                  
2375/tcp                   ALLOW IN    Anywhere                  
2376/tcp                   ALLOW IN    Anywhere                  
22 (v6)                    LIMIT IN    Anywhere (v6)             
2375/tcp (v6)              ALLOW IN    Anywhere (v6)             
2376/tcp (v6)              ALLOW IN    Anywhere (v6)      

This although the DO Docker message stated 22, 80 and 443 would be opened

"ufw" has been enabled. All ports except 22 (SSH), 80 (http) and 443 (https)
have been blocked by default.

and here I see 22,2375,2376 and no 80 nor 443. Doing an nmap I do see 80 open though as well as a few others:

Nmap scan report for xxx.xxx.xx.xxx
Host is up (0.13s latency).
Not shown: 993 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
1025/tcp open   NFS-or-IIS
2222/tcp closed EtherNetIP-1
3306/tcp open   mysql
8085/tcp closed unknown

Have another answer? Share your knowledge.