Question

Why is the root directory in a DO wordpress droplet group writable?

Hello, I have created a droplet with WordPress 4.9.1 on Ubuntu 16.04 using the standard Digital Ocean one-click-app creator. After installation everything had been working properly, but after a while I figured out that ufw was showing a weird warning “/ is group writable!” at the top of every ufw command’s output. So, for example, every time I execute sudo ufw status verbose it prints something like this:

WARN: / is group writable!
Status: active
[my firewall’s rules here]

ls -ld / shows that indeed the privileges of / are drwxrwxr-x, instead of the typical 755.
Actually, I don’t have much experience in Linux administration, but I have never seen that kind of setting before, so it is a little bit strange to me. On the other hand, this setting comes from the basic DO installation and I don’t want to break my droplet by changing it. So here are my questions:

  1. I’m curious: why is this setting like it is?
  2. Should/May I change privileges, or do something else which will satisfy this warning?
  3. Should I worry about it?


Ryan Quinn
DigitalOcean Employee
April 3, 2018
Accepted Answer

Thanks for reaching out! I created a WordPress droplet and was able to confirm this is occurring. To answer your questions:

  1. I reached out to our Kernels and Images team to investigate this and ensure that the permissions on / are the expected defaults on future updates.

  2. Absolutely. This should resolve the warning and as the root user you have full permissions to do so.

  3. Probably not. I’m not a security expert (20+ year sysadmin/developer though) but I am not aware of any major issues that would result from these particular permissions. That being said, there is no reason to maintain a non-standard configuration unless you have a specific need to, so I would recommend making the change just to prevent any future confusion if another error or warning like the ufw one pops up (especially if it isn’t as descriptive of the source of the issue).

Had the same issue just now on the latest Docker image. Did a chmod 755 / to deal with the error and now all is well:

ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         LIMIT IN    Anywhere                  
2375/tcp                   ALLOW IN    Anywhere                  
2376/tcp                   ALLOW IN    Anywhere                  
22 (v6)                    LIMIT IN    Anywhere (v6)             
2375/tcp (v6)              ALLOW IN    Anywhere (v6)             
2376/tcp (v6)              ALLOW IN    Anywhere (v6)      

This although the DO Docker message stated 22, 80 and 443 would be opened:

“ufw” has been enabled. All ports except 22 (SSH), 80 (http) and 443 (https) have been blocked by default.

and here I see 22, 2375, 2376 and no 80 nor 443. Doing an nmap I do see 80 open though, as well as a few others:

Nmap scan report for xxx.xxx.xx.xxx
Host is up (0.13s latency).
Not shown: 993 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
1025/tcp open   NFS-or-IIS
2222/tcp closed EtherNetIP-1
3306/tcp open   mysql
8085/tcp closed unknown
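
The permission check behind the warning discussed in this thread, as an added example that is not part of the original posts and not ufw's own code: it reads the same mode string that ls -ld / shows and reports every directory from a given path up to / that is writable by group or other. The function names (mode_string, writable_by, audit_chain) are made up for this example.

```shell
#!/bin/sh
# Added example: audit a path and all of its parent directories for
# group- or other-writable permission bits (e.g. drwxrwxr-x on /).

# Print the 10-character mode string of a path, e.g. "drwxrwxr-x".
mode_string() {
    ls -ld -- "$1" | cut -c1-10
}

# Classify one path: prints "group", "other", "group,other" or "ok".
# Returns 2 if the path does not exist.
writable_by() {
    [ -e "$1" ] || return 2
    m=$(mode_string "$1")
    g=$(printf '%s' "$m" | cut -c6)   # group write position
    o=$(printf '%s' "$m" | cut -c9)   # other write position
    case "$g$o" in
        ww) echo "group,other" ;;
        w?) echo "group" ;;
        ?w) echo "other" ;;
        *)  echo "ok" ;;
    esac
}

# Walk from an absolute path up to /, printing a warning for each
# component that group or other can write to.
# Returns 0 if the chain is clean, 1 if anything was flagged,
# 2 on a relative or missing path.
audit_chain() {
    case $1 in /*) ;; *) return 2 ;; esac
    p=$1
    rc=0
    while :; do
        w=$(writable_by "$p") || return 2
        if [ "$w" != "ok" ]; then
            printf 'WARN: %s is writable by %s (%s)\n' \
                "$p" "$w" "$(mode_string "$p")"
            rc=1
        fi
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Usage (the path is an example): audit_chain /etc/ufw
```

Running audit_chain before and after the chmod 755 / mentioned above shows whether / was the only flagged component or whether other directories on the path have the same problem.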
