What's it doing in wp-admin?

This topic is: Not resolved

This is a PRIVATE forum for verified users only, to view the replies/answers, you must be logged in!

This topic contains 7 replies, has 3 voices, and was last updated by Jacob 2 years, 1 month ago.

  • Author
    Posts
  • #4731

    hendrylee
    Member
    Post count: 3

    Hi, just bought. I really like this theme. But I stumbled on a problem though. Using a VPS (non cPanel) configuration.

    When “Saving All Changes” I figured out that the wp-admin directory and all files in it should be owned by the same user running the web server. Only then was the custom-styles.css file generated.

    What does Sparkle do there? If I set it to a higher level user (root) for security, even though the whole theme directory (even wp-content) is writeable by the web server process, it returns “Error” and no custom-styles.css was created.

    I realize when it sends jQuery queries, it sends stuff to admin-ajax and that resides in wp-admin, but still, it doesn’t need write access, right?

    This bothers me as security is very important for my WP installation.

    Can you list which directories the theme needs write access to so I can grant access only to those?

  • #4763

    Jacob
    Staff
    Post count: 2312

    Hey there, You must be logged in to view this reply!

  • #4765

    hendrylee
    Member
    Post count: 3

    Thanks for getting back to me.

    I understand that, Jacob. I do have that css directory writeable by the web server user, even the whole wp-content directory.

    My question is, I have to change “wp-admin” directory inside my WordPress installation to the same web server user for it to not return “Error” when saving settings.

    Otherwise, it won’t save my custom CSS file. It seems unrelated but I’ve tested it again and again. I have to make “wp-admin” and that “css” directory inside my child theme directory owned by web server user. Otherwise it returns error.

    Other directories can be left as is. So I’m wondering why it needs “wp-admin” ownership too.

    Hope I made that clear enough.

  • #4769

    Jacob
    Staff
    Post count: 2312

    Hey there, You must be logged in to view this reply!

  • #4813

    hendrylee
    Member
    Post count: 3

    After digging into the code, and testing various permission configurations, I think I found the culprit.

    To answer your question, I’m talking about file and directory ownership, not permission. On my server, I can change file and directory permission to any user.

    After taking a glimpse into the code, I noticed the error was in the ‘request_filesystem_credentials’ function. WP seems to return (bool)false if the directory is not owned by the web server user, regardless of the permission.

    I’ve nailed down the affected file and directories too. I only need admin-ajax.php file (not wp-admin and any other files inside wp-admin), wp-content directory (not plugins and themes directories inside it) and the css directory (only css, not the theme and child theme) inside the child theme to be owned by web server (again www-data user, simply having 777 still returns the error).

    The rest, I can safely secure them by changing user ownership to ‘root’ user so no tampering is allowed by web server process.

    As for the console within Developer Tools, I didn’t notice anything useful. Just ‘1’ if it successfully saved the option, and the “Connection Settings” form if any of the files and directories I mentioned above is not what WP wants.

    This of course works for a shared hosting environment since all WP files and directories are owned by the corresponding user.

    I was only able to solve this partially by modifying ‘theme-styling.php’ inside includes directory.

    Line 58:

    if (false === ($creds = request_filesystem_credentials($url, '', false, get_stylesheet_directory() . '/css/', null) ) ) {

    Line 65:

    request_filesystem_credentials($url, '', true, get_stylesheet_directory() . '/css/', null);

    Basically, I changed the context from false to get_stylesheet_directory() . '/css/' so it checks for the “css” directory inside the child theme directory instead of wp-content.

    But still, it requires admin-ajax.php to be owned by www-data. Oh well, a bug in request_filesystem_credentials? I don’t know.
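The ownership behaviour described in post #4813, as an added example that is not part of the thread and is neither WordPress core nor the theme's code. It assumes a WordPress version whose filesystem-method detection writes a probe file into the context directory and compares its owner with the owner of the script handling the request; `probe_filesystem_method()` and the demo paths are hypothetical.

```php
<?php
// Added illustration (not WordPress core): models the ownership comparison
// that decides between direct writes and the "Connection Settings" form.
// File mode (even 777) plays no part once the probe file can be created.

/**
 * @param string $script_path Script serving the request (hypothetical parameter).
 * @param string $context     Directory the caller wants to write into.
 * @return array [method, reason]; 'direct' means no credentials form.
 */
function probe_filesystem_method(string $script_path, string $context): array
{
    $context = rtrim($context, '/') . '/';
    $probe   = $context . 'temp-write-test-' . str_replace('.', '-', uniqid('', true));

    $handle = @fopen($probe, 'w');
    if ($handle === false) {
        return ['credentials', "cannot create a file in $context"];
    }
    fclose($handle);

    $script_owner = @fileowner($script_path); // uid owning the entry script
    $probe_owner  = @fileowner($probe);       // uid the PHP process runs as
    @unlink($probe);

    if ($script_owner !== false && $script_owner === $probe_owner) {
        return ['direct', "script and new files share uid $probe_owner"];
    }
    return ['credentials', 'script uid ' . var_export($script_owner, true)
        . ' differs from process uid ' . var_export($probe_owner, true)];
}

// Constructed demo tree standing in for a child theme and admin-ajax.php.
$dir = sys_get_temp_dir() . '/fs-probe-' . getmypid();
mkdir($dir . '/css', 0755, true);
$own_script = $dir . '/admin-ajax.php';
file_put_contents($own_script, "<?php\n");

$cases = [
    'script owned by PHP user'     => [$own_script, $dir . '/css'],
    // /etc/passwd is root-owned; run as non-root to see the mismatch.
    'script owned by another user' => ['/etc/passwd', $dir . '/css'],
    'context cannot be written'    => [$own_script, $dir . '/missing'],
];
foreach ($cases as $label => [$script, $context]) {
    [$method, $reason] = probe_filesystem_method($script, $context);
    printf("%-30s %-12s %s\n", $label, $method, $reason);
}
unlink($own_script); rmdir($dir . '/css'); rmdir($dir);
```

WordPress also honours an `FS_METHOD` constant in wp-config.php; defining it as `'direct'` skips this ownership comparison, so the entry script can stay root-owned while only the target directory is writable by the web server user.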

  • #4822

    Max
    Staff
    Post count: 3150

    Hey there, You must be logged in to view this reply!

  • #4854

    hendrylee
    Member
    Post count: 3

    Never mind.

    Will you fix your call to request_filesystem_credentials so it checks the css directory instead of wp-content?

  • #4877

    Jacob
    Staff
    Post count: 2312

    Hey there, You must be logged in to view this reply!
