Support » Plugin: WP Security Safe » Feature request to have exemption in the file permission check in Pantheon

  • Hi Security Safe plugin team!

    First of all, awesome plugin that you have here where it has a feature to detect the file permission of the files to check the security.

    Would it be ok if we can have a feature request to have host specific exemptions for container-based web host like Pantheon where the default wp-content/uploads folder has 770 permissions?

    Thanks in advance!

    • This topic was modified 3 months, 2 weeks ago by Carl Alberto.

    The page I need help with: [log in to see the link]

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Contributor Steven Ayers

    (@stevenayers63)

    @carl-alberto,

    Absolutely. Is there a reliable way that I can detect that a site is hosted on Pantheon? If you use any PHP constant variables, then I can check for that and allow an exception.

    Also, if there are other aspects of making WP Security Safe more compatible with Pantheon hosting, please let me know.

    Thank you for reaching out.

    -Steven

    Thread Starter Carl Alberto

    (@carl-alberto)

    Thanks for the quick reply @stevenayers63 and for accommodating our request.

    You can use $_ENV['PANTHEON_ENVIRONMENT'] to check if you are hosted in the platform, there are sample codes in here https://pantheon.io/docs/environment-specific-config#define-wp_debug-to-perform-actions-based-on-environment

    Also, you can sign up for free https://pantheon.io/register in the platform and spin up a sandbox site to test out your code and plugin

    Plugin Contributor Steven Ayers

    (@stevenayers63)

    @carl-alberto I will roll out this feature on my next release and notify you about it.

    -Steven

    Plugin Contributor Steven Ayers

    (@stevenayers63)

    @carl-alberto,

    I just released version 2.4 of WP Security Safe and it accommodates the Pantheon permissions 770 for the directory “uploads” and all of its children directories.

    -Steven

    Thread Starter Carl Alberto

    (@carl-alberto)

    Hi @stevenayers63,

    Thanks for the update, but upon checking, it still has a different error https://www.screencast.com/t/xaAkvjiono

    If it would help to have a test site from us, would love to create one from you, just let me know your email so I can send the creds. Thanks!

    Plugin Contributor Steven Ayers

    (@stevenayers63)

    @carl-alberto,

    It was my understanding that the directories only needed 770 permissions. Based on your screenshot, you also need files to be 770? Please confirm.

    I can release an updated version fairly quick to resolve this issue.

    -Steven

    Plugin Contributor Steven Ayers

    (@stevenayers63)

    @carl-alberto,

    I just made some adjustments and tested using the Pantheon WordPress sandbox. I apologize as I assumed your were only referring to the directories permissions. Version 2.4.1 has been released and accommodates both the directories and files to have 770 in the uploads directory.

    -Steven

    Thread Starter Carl Alberto

    (@carl-alberto)

    Hi @stevenayers63, sorry for the delayed response.

    It seems it is not erroring anymore on the WP core folders, few things that we have noticed:
    – core files in the root are flagged as error
    – symlinks that are 770 are reported as warnings

    2021-03-18_10-30-02

    Can those be also hosting specific exempted? It may not be relevant since the live site’s core files will always be read-only in Pantheon even if the permissions are being overridden to be lower than 755

    Plugin Contributor Steven Ayers

    (@stevenayers63)

    Carl,

    Here are the recommended file permissions in a shared hosting environment per WordPress’s documentation:

    • All files should be owned by the actual user’s account, not the user account used for the httpd process.
    • Group ownership is irrelevant, unless there’s specific group requirements for the web-server process permissions checking. This is not usually the case.
    • All directories should be 755 or 750.
    • All files should be 644 or 640. Exception: wp-config.php should be 440 or 400 to prevent other users on the server from reading it.
    • No directories should ever be given 777, even upload directories. Since the php process is running as the owner of the files, it gets the owners permissions and can write to even a 755 directory.

    Having said that, I understand that Pantheon is different than the typical shared hosting server, thus your file/directory permissions are different. Could you provide me the list of the ideal permissions for the files / directories listed below?

    • All directories (default) – ???
    • All files (default) – ???
    • wp-config.php – ???
    • symlinks – 770
    • Uploads Directories – 770
    • Uploads Directory files – ???
    • (any other specific files that need specific perms) – ???

    Once I have that list, I will roll out an update to accommodate them specifically for Pantheon.

    Thank you.

    -Steven

    Plugin Contributor Steven Ayers

    (@stevenayers63)

    @carl-alberto,

    I am following up on this. Can you confirm with your dev team the needed file permissions requested above? Once I have that list, I will go ahead and release a new version to accommodate them for Pantheon.

    Thank you,

    -Steven

    Thread Starter Carl Alberto

    (@carl-alberto)

    Hi @stevenayers63

    Sorry for the delay and thanks for following up.

    Just to explain further the platform, has 2 filesystem modes, Read-only & Writable.

    Multidevs & Development environment that is in SFTP mode is writable by default.

    Read-only environments are environments in Git mode, Test and Live environments
    In this mode, regardless of the permissions, even if you override it with any permissions, the only path that will be writable is wp-content/uploads

    All environments and mode should have these permissions by default:
    All directories (default) – 755
    All files (default) – 644
    wp-config.php – 644
    symlinks – 777
    Uploads Directories – 770
    Uploads Directory files – 770
    (any other specific files that need specific perms) – none so far as we can check

    Hope that clears up but I think your latest plugin seems to flag files and folders safely correctly now, I might have flagged it incorrectly since I have used an older installation, upon checking on a freshly installed site, everything seems to look good:

    Core:
    2021-04-12_09-23-44

    Themes:
    2021-04-12_09-28-50

    Uploads:
    2021-04-12_09-31-13

    Plugins:
    2021-04-12_10-04-10

Viewing 11 replies - 1 through 11 (of 11 total)
  • You must be logged in to reply to this topic.