Wordpress Update / HTML Root Permissions

February 18, 2018
WordPress PHP Nginx CentOS
By: mplexo

I'm having a strange issue. WordPress is installed on CentOS 7 with PHP-FPM and NGINX. All seems to work fine: WordPress works, I can install plugins, upload images, etc.
But when I try to update WordPress it prompts for FTP details, as it says files are not writable.
In the health check plugin I see:
The main WordPress directory: Not writable
The wp-content directory: Writable
The uploads directory: Writable
The plugins directory: Writable
The themes directory: Writable

All folders have the owner nginx, and all folder / file permissions are correct.
PHP / Nginx runs as the user nginx.

I'm guessing it's a permission issue somewhere, but I just can't see it.
Even setting all folders to 777 has the same issue.

Has anyone any ideas?

3 Answers
mplexo February 19, 2018
Accepted Answer

Turns out it was SELinux causing the issue (see below).

I simply ran the following two commands, which fixed the issue. I'm not sure of the implications of this, so hopefully I've not opened up any security holes. But WordPress now auto-updates, so I'm happy.

ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
semodule -i my-phpfpm.pp

Log File

SELinux is preventing /usr/sbin/php-fpm from using the execmem access on a process.

***** Plugin catchall_boolean (89.3 confidence) suggests ******************

If you want to allow httpd to execmem
Then you must tell SELinux about this by enabling the 'httpd_execmem' boolean.

Do
setsebool -P httpd_execmem 1

***** Plugin catchall (11.6 confidence) suggests **************************

If you believe that php-fpm should be allowed execmem access on processes labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
semodule -i my-phpfpm.pp
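
Before installing a module built this way, it helps to list exactly which permissions the recorded denials would become allow rules for. The script below is an added example, not part of the original answer; the function names and the sample audit records are constructed for illustration, and the `{ write }` record is a hypothetical denial, not one taken from the poster's log.

```shell
#!/bin/sh
# Added example (not from the original post). Summarise the php-fpm AVC denials
# that `audit2allow -M` would turn into allow rules, before running `semodule -i`.
# On a real host: ausearch -c 'php-fpm' --raw | summarize_avc

summarize_avc() {
    awk '
    /type=AVC/ && /denied/ && /comm="php-fpm"/ {
        perms = ""; src = ""; tgt = ""; cls = ""; inbrace = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inbrace = 1; continue }
            if ($i == "}") { inbrace = 0; continue }
            if (inbrace) { perms = (perms == "" ? "" : perms ",") $i; continue }
            # Contexts are user:role:type:level; the type is the third part.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n = split(perms, p, ",")
        for (j = 1; j <= n; j++) count[src " " tgt ":" cls " " p[j]]++
    }
    END {
        for (k in count) {
            split(k, f, " ")
            # Executable-memory permissions allow writable+executable mappings: flag them.
            note = (f[3] ~ /^exec(mem|stack|heap|mod)$/) ? " REVIEW" : ""
            print f[1] " -> " f[2] " { " f[3] " } count=" count[k] note
        }
    }' | sort
}

# Constructed sample records (hypothetical pids, inode, device and timestamps).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1519030000.101:501): avc:  denied  { execmem } for  pid=2101 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1519030004.332:502): avc:  denied  { execmem } for  pid=2102 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1519030009.870:503): avc:  denied  { write } for  pid=2101 comm="php-fpm" name="html" dev="vda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1519030011.015:504): avc:  denied  { read } for  pid=1900 comm="nginx" name="x" dev="vda1" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
EOF
}

sample_log | summarize_avc
```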

I have run into this situation on a few occasions. Most likely NGINX, PHP-FPM, and the FS Permissions are not quite correct.

For example, NGINX is running under NGINX, your site is located in /var/www owned by root:root, and PHP is running as www-data. Even when you change the FS ownership there is still a conflict.

The solution I have found is to run WordPress in its own user account.

For example, let's say I have a WordPress site example.com. I would create a user example.
In the user's home directory I create my webroot - /home/example/public_html - and install WordPress here.

Then under /etc/php7/fpm/pool.d/ I create a file example.conf with the following settings:

[example]
user = example
group = example
listen = /var/run/php7.0-fpm-example.sock
listen.owner = nginx
listen.group = nginx
php_admin_value[disable_functions] = exec,passthru,shell_exec,system
php_admin_flag[allow_url_fopen] = off
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chdir = /

Then you will need to update your NGINX config and the fastcgi_pass directive:

...
fastcgi_pass unix:/var/run/php7.0-fpm-example.sock;
...

You can find more information here: https://www.digitalocean.com/community/tutorials/how-to-host-multiple-websites-securely-with-nginx-and-php-fpm-on-ubuntu-14-04
It is for Ubuntu, however the gist of it all will be the same.


Hi,

I've tried the above, but it still has the same issue.
I decided to spin up a new server, to do a fresh install on everything, but once again WordPress doesn't think it can write to the root directory.

I can upload files / plugins through WordPress, so PHP must be working OK. I tried uploading a simple PHP file upload script, which worked, so once again PHP and permissions look correct.

It's a really strange one, so if you have any other ideas, that would be great.

Thanks,
