Forum Replies Created

Viewing 15 replies - 1 through 15 (of 21 total)
  • tgoeg

    (@tgoeg)

    I doubt you use the SSH SFTP Updater Support plugin, or do you?
    If not, this is the wrong place to ask.

    tgoeg

    (@tgoeg)

    That’s it, finally!
    Thanks a bunch.

    I set

    umask(0027);
    define( 'FS_CHMOD_DIR', ( 0755 & ~ umask() ) );
    define( 'FS_CHMOD_FILE', ( 0644 & ~ umask() ) );
    

    and now others have no permissions, and group (www-data) can only read the resulting files (and cd into dirs). Perfect. This is the definitive setup that does not seem to be documented anywhere on the whole wide Internet (I searched).

    Warning: Do not quote the parameter passed to umask or it won’t work as expected!

    Please add this to the docs so others can benefit as well!

    tgoeg

    (@tgoeg)

    Your chroot setup seems a bit strange to me though it could work as well.

    This is how I have it setup:
    /etc/ssh/sshd_config:

    Match User your_wordpress_user
     ChrootDirectory /home/your_wordpress_user
     ForceCommand internal-sftp -u 0027
     X11Forwarding no
     PermitTunnel no
     AllowTCPForwarding no

    /etc/fstab:
    /var/www/wordpress /home/your_wordpress_user/wwwroot none bind 0 0

    The user directory with the bind mount looks like this:

    root@webserver:~# ll /home/your_wordpress_user/
    total 68
    drwxr-xr-x  7 root                your_wordpress_user     4096 Jän 22 11:43 ./
    drwxr-xr-x 13 root                root                    4096 Apr 23 11:49 ../
    drwx------  2 your_wordpress_user your_wordpress_user     4096 Jul 10 16:12 .ssh/
    drwxr-s---  6 your_wordpress_user www-data                4096 Jul 10 16:13 wwwroot/

    Note the s bit, which also applies to all other directories below.

    The only thing that does not correctly work with this setup are the permissions of files that get created. They have o+r set, which is not what the sftp umask 0027 implies.. WordPress seems to explicity set this somewhere, which is nonsense.
    umask(0027);
    in wp-config.php sadly also does not fix this.
    Directories get created correctly, though (with o-rwx).

    The wp-config.php can be seen in my last post.

    tgoeg

    (@tgoeg)

    That definitely fixes it, w00t!

    I had to define the following variables:

    define( 'FTP_USER', 'user' ); #most likely not necessary, can be entered in the web form as well
    define( 'FTP_HOST', '127.0.0.1:22' );
    define( 'FTP_BASE', 'wwwroot' ); #the bind mounted directory to /var/www/wordpress, necessary b/c we chroot
    define( 'FTP_CONTENT_DIR', 'wwwroot/wp-content/' ); #the *relative* path as seen after an sftp login
    define( 'FTP_PLUGIN_DIR ', 'wwwroot/wp-content/plugins/' ); #see above
    define( 'FS_METHOD', 'ssh2' );

    Thanks a lot!
    If possible, please add this to the manual, as all examples I have seen online use absolute paths, which does not work.
    Trying with sftp from the commandline also helps to understand why.
    Additionally, if your SSH setup is hardened and does not accept all ciphers/MACs, an exception has to be added to /etc/ssh/sshd_config:
    MACs [..],hmac-sha2-256

    I seems this is not a bug in this plugin, so no, I cannot demonstrate the malfunction in it.

    However, I think users should be made aware that chrooted SFTP setups won’t work on php 7+ . (FWIW, FTP(S) won’t work either).

    Do you know of a working setup on php 7+ ? If so, please provide details of the webroot’s file/dir permissions and/or whether it is chrooted.

    I think this would have to be some other sort of setup, either with an SFTP server implementation that can chroot to a directory not owned by root (or the directory would need to be writable for group or others, which should be avoided) or simply one that does not chroot (which should be avoided as well).

    If I can find a workaround by patching core, I’ll definitely provide info here so others can be spared the troubleshooting.

    I am on php7.2

    This could be
    https://core.trac.wordpress.org/ticket/41831
    or
    https://core.trac.wordpress.org/ticket/35517

    If so, it should be stated that this plugin is currenty not compatible with php7.x in the given setup.

    I’ll see whether some mentioned workarounds fix this.

    Sorry for not being clear enough.
    In fact nothing is solved.

    The WP install is owned by user:www-data and mode 2750 for directories and 0640 for files.

    So user can read and write and www-data can only read.

    The group sticky bit makes new files have www-data as owner as well.

    I’d like to use this plugin to do the updates via the WP backend so it uses SFTP as “user” to change/write files.

    The problem is that after this plugin correctly authenticates the user (I can see 4 successful logins in sshd’s log) the backend says "Update Failed: Unable to locate WordPress content directory (wp-content)." as the original author of this issue states.

    If I enable debug logging, nothing relevant shows up in the log, but the fact that there is content in it really is strange, as wp-includes/load.php has the following line:
    ini_set( 'error_log', WP_CONTENT_DIR . '/debug.log' );
    So somehow WP_CONTENT_DIR has to be correctly set (and the website works flawlessly apart from updates, which also makes me think the WP_CONTENT_DIR has to be found correctly. In fact it is at its default location.

    The only thing probably coming into play here is that “user”‘s SFTP base directory is NOT the web root.

    (I need to chroot the user, and the directory to chroot to has to be root owned: http://man.openbsd.org/sshd_config#ChrootDirectory
    There is a wwwroot directory in the “user”‘s home which is bind-mounted to /var/www/wordpress)

    Reading the documentation I’d assume that setting
    define( 'FTP_BASE', '/home/user/wwwroot/' );
    should solve this, which it does not.

    If I set
    define( 'WP_CONTENT_DIR', '/var/www/wordpress/wp-content' );
    the updates work flawlessly, but something in this configuration made wordpress deactivate all plugins in the night after setting it without any admin interaction (the page still worked after the updates – maybe this was just a caching issue and the page was actually already broken after the updates; I was not able to reactivate the plugins. Only after unsetting WP_CONTENT_DIR I have been able to reactivate them again.

    I am searching for a solution to basically just leave my wp-config and file permissions as they are (which definitely works when using wp-cli for updates, but I need to enable updates in the backend for an external agency). However, SSH SFTP Updater does not seem to work with only touching the FTP_* variables as it seems..

    I hope I have been clearer now 🙂

    Thanks for your continued help!

    Then something’s broken inside core.
    And define( 'WP_CONTENT_DIR', 'whatever/dir/wp-content' ); made plugins deactivate over night. That’s also pretty ugly.
    So I’m still without a solution.

    Is my setup possible? I.e. having no write permissions for the apache user (except the upload directory) and having updates work in the backend by using proper credentials/permissions for an SSH user and using this plugin?

    tgoeg

    (@tgoeg)

    Using define( 'WP_CONTENT_DIR', 'whatever/dir/wp-content' ); finally solved this.

    This should definitely be made part of the documentation. I think most people will try to separate users with chroots!

    The only thing missing for a proper, secure setup is to make wordpress use a 0027 umask so the files get sane default permissions (using setgid as well).

    However, that seems impossible.

    A hack is mentioned here (I would not call that a solution):
    https://wordpress.org/support/topic/fail-to-make-wp-set-the-umask-i-want/

    tgoeg

    (@tgoeg)

    Coming to think of it:
    This is solution at all for core updates, as the chroot has to be root owned. Therefore, the user won’t be able to write files in the webroot.
    The FTP_BASE has to be honored. There’s no other solution.

    tgoeg

    (@tgoeg)

    I had the same error.
    Changing the sshd config to make WP’s root the starting directory of the users SFTP login solved it.
    e.g.

    Match User wordpress
     ChrootDirectory /home/wordpress/public_html
     ForceCommand internal-sftp

    The mentioned settings have not helped to remedy this problem. I doubt they get evaluated when logging in via SFTP. I set just FTP_BASE or both FTP_BASE and FTP_CONTENT_DIR.

    This has to be a bug either in this plugin or in core.

    I activated debugging, but did not find any entry in the debug log related to this plugin.

    • This reply was modified 11 months ago by tgoeg.
    • This reply was modified 11 months ago by tgoeg.

    Nailed it!
    Thank you so much!

    Could have used the console myself, though ..
    I thought I’d have to search for something gallery related, if this is the part that does not work, not the theme itself ?

    Deactivating jquery loading in HTML5 Boilerplate also deactivated loading of plugins.js, that’s were matchHeight comes from.

    So to summarize:
    Make sure the order of JS files included is correct. The third parameter of wp_register_script() can hold an array of dependencies.
    e.g.:

    if (!is_admin()) add_action("wp_enqueue_scripts", "my_plugins_enqueue", 11);
    function my_plugins_enqueue() {
              wp_register_script('plugins', get_stylesheet_directory_uri() . '/js/plugins.js', array('jquery'), false, null);
              wp_enqueue_script('plugins');
    }

    Photo gallery needs jquery, jquery-migrate is not necessary.
    If your theme also includes JS/jquery, make sure nothing is included twice but everything your theme needs is included.

    Re the wonderful world of web development: Can’t agree more. I am a scientific guy and it always freaks me out when this whole field is just trial and error.

    Hi again,
    I dug a little deeper and now configured it as follows:

    – HTML5 Boilerplate options: jquery deactivated
    – functions.php: wp_register_script() for the js/script.js (needed for the hamburger etc.) deactivated, as this is unnecessary. HTML5 Boilerplate includes it anyway, when the respective checkbox is checked. No clue why the web design agency included this manually.
    – I also included jquery-migrate as that is included when the gallery works with another theme (bonus question: Is jquery-migrate necessary for photo gallery?)

    Now the order seems correct to me:
    In the head:
    jquery
    jquery-migrate
    In the body:
    gallery using jquery calls
    In the footer:
    js/script.js

    No double loading of any JS.

    The hamburger button and other site-specific JS still works after lots of restructuring trial and error now. The gallery still does not. I am somehow at my wits end..

    Hi!
    Manually enqueuing does indeed load jquery in the head, which is before the photo gallery gets loaded. Still no joy, however. I also explicitly tried jquery 1.10.2.

    Also, looking at firefox’ console does not reveal any (more) errors, than the setup without working gallery does.

    The basic problem is (at least) the hamburger menu (mobile view) does not work. It’s a dead simple .slideDown() and the toggle of a CSS class, so I don’t understand why that does not work with jquery being included as stated above.

    We are going to switch theme soon, yes, still we should fix this issue if possible. I’ll see whether I can debug further..

Viewing 15 replies - 1 through 15 (of 21 total)