Channel: HOAB - Linux

Apache, Wordpress, FTP and phpmyadmin


Problem :

Mostly a note to myself, to remember what the best solution is…

  • A WordPress website running on Apache.
  • An external user wants to access the files using FTP.
  • WordPress can also write files from its admin console.

It is easy to set up vsftpd to create files with a given mask (using local_umask), but setgid did not work with PHP: even when directories had the “S” setgid flag, files and directories were still created as the Apache/PHP user (www-data).

Solution :

What I have tested first

sudo find /var/www/html/ -type d -exec chmod 775 {} \;
sudo find /var/www/html/ -type d -exec chmod g+rwxs {} \;

But installing a plugin through WordPress still created directories and files owned by www-data, so the FTP user was not able to access them.

My solution : 

VSFTPD configuration : 

userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
rsa_cert_file=/etc/letsencrypt/live/demo/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/demo/privkey.pem
ssl_enable=YES
chroot_local_user=YES
write_enable=YES
local_umask=002

Restart VSFTPD : 

systemctl restart vsftpd.service

A new user : 

webprovider 

Add www-data to the webprovider group :

usermod -a -G webprovider www-data

The user is listed in /etc/vsftpd.userlist

So FTP access is OK.

PHP-FPM with dedicated pool

To allow writes from the admin console, switch PHP to PHP-FPM, create a new pool and change the user that this pool runs as. It is quite easy: follow the documentation, for example here.

Change : 

; pool name = site name (www => demo)
[demo]
user = webprovider
group = webprovider
listen = /run/php/php8.2-fpm-demo.sock

Restart : 

systemctl restart php8.2-fpm.service

Indicate to Apache to use this socket (in my site configuration file) : 

<FilesMatch ".+\.ph(ar|p|tml)$">
 SetHandler "proxy:unix:/run/php/php8.2-fpm-demo.sock|fcgi://localhost"
</FilesMatch>
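
An added check, not part of the original post: switching the pool user does not change the ownership of files that www-data created earlier, so this function lists entries under a web root whose owner, group or mode would still block the FTP user or Apache. The function name audit_webroot and the finding labels are made up for this example; the path, user and group in the usage comment come from the post.

```shell
#!/bin/sh
# Added example: audit a web root shared by an FTP account and a PHP-FPM pool.
# Usage: audit_webroot ROOT OWNER GROUP
#   e.g. audit_webroot /var/www/html webprovider webprovider  (names from the post)
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on bad input.
audit_webroot() {
    root=$1; owner=$2; group=$3
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    findings=$(
        # Not owned by the shared account: neither the FTP login nor the
        # PHP pool can modify these (typically www-data leftovers).
        find "$root" ! -user "$owner" -exec printf 'OWNER %s\n' {} +
        # Wrong group: www-data's membership in the shared group does not apply.
        find "$root" ! -group "$group" -exec printf 'GROUP %s\n' {} +
        # Not group-readable: Apache (www-data, via the group) may be unable
        # to serve them. Symlink modes are meaningless, so links are skipped.
        find "$root" ! -type l ! -perm -0040 -exec printf 'NOGREAD %s\n' {} +
        # World-writable: any local account can alter site code.
        find "$root" ! -type l -perm -0002 -exec printf 'WORLD %s\n' {} +
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run the audit only when called with arguments, so the file can also be sourced.
if [ "$#" -eq 3 ]; then
    audit_webroot "$@"
fi
```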

For phpmyadmin, on Debian just install it :

  • And if you want remote access (be sure to secure it, this configuration authorizes every IP to connect) :

Alias /phpmyadmin /usr/share/phpmyadmin
<Directory "/usr/share/phpmyadmin">
   AllowOverride None
   Options FollowSymLinks
   # Open to every IP address: restrict this before exposing the site
   Require all granted
   Options SymLinksIfOwnerMatch
   DirectoryIndex index.php

   # PHP 8+
   <IfModule mod_php.c>
       php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
       php_admin_value open_basedir /usr/share/phpmyadmin/:/usr/share/doc/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/:/usr/share/javascript/
   </IfModule>
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/templates>
   Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
   Require all denied
</Directory>
