HTTP 403 Error - Possible Permission Issue

1. The problem I’m having:

Just created an Ubuntu 22.04.3 instance on a VPS, hardened the server (as much as possible) to CIS standards and now trying to host several websites on it.

Just starting with one, www.gracefulart.co.uk, to make sure it works.

Using instructions from here: How to Run a WordPress Website on Caddy 2 - Tony Teaches Tech

Caddy and WordPress installed, and A record of domain updated.

After first just navigating to the IP address of the VPS (before updating the domain A record), I saw the Caddy welcome screen.

Now, after updating the A record, I get a 403 error in Chrome and a blank page in Firefox.

Suspected permissions issue, so here’s the ls -l output of /var/www/wordpress in case it’s helpful:

$ sudo ls -l /var/www/wordpress
total 228
-rwxr-s---  1 www-data www-data   405 Feb  6  2020 index.php
-rwxr-s---  1 www-data www-data 19915 Jan  1  2023 license.txt
-rwxr-s---  1 www-data www-data  7399 Jul  5 18:41 readme.html
-rwxr-s---  1 www-data www-data  7211 May 12  2023 wp-activate.php
drwxr-s---  9 www-data www-data  4096 Dec  6 16:25 wp-admin
-rwxr-s---  1 www-data www-data   351 Feb  6  2020 wp-blog-header.php
-rwxr-s---  1 www-data www-data  2323 Jun 14  2023 wp-comments-post.php
-rwxr-s---  1 www-data www-data  3013 Nov 15 17:47 wp-config-sample.php
drwxr-s---  4 www-data www-data  4096 Dec  6 16:25 wp-content
-rwxr-s---  1 www-data www-data  5638 May 30  2023 wp-cron.php
drwxr-s--- 27 www-data www-data 12288 Dec  6 16:25 wp-includes
-rwxr-s---  1 www-data www-data  2502 Nov 26  2022 wp-links-opml.php
-rwxr-s---  1 www-data www-data  3927 Jul 16 13:16 wp-load.php
-rwxr-s---  1 www-data www-data 50924 Sep 29 23:01 wp-login.php
-rwxr-s---  1 www-data www-data  8525 Sep 16 07:50 wp-mail.php
-rwxr-s---  1 www-data www-data 26409 Oct 10 15:05 wp-settings.php
-rwxr-s---  1 www-data www-data 34385 Jun 19  2023 wp-signup.php
-rwxr-s---  1 www-data www-data  4885 Jun 22  2023 wp-trackback.php
-rwxr-s---  1 www-data www-data  3154 Sep 30 08:39 xmlrpc.php

caddy user is part of the www-data group.

$ groups caddy
caddy : caddy www-data

2. Error messages and/or full log output:

Jan 01 18:41:39 vmi1581705.contaboserver.net systemd[1]: Starting Caddy...
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: caddy.HomeDir=/var/lib/caddy
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: caddy.Version=v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: runtime.GOOS=linux
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: runtime.GOARCH=amd64
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: runtime.Compiler=gc
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: runtime.NumCPU=4
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: runtime.GOMAXPROCS=4
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: runtime.Version=go1.21.5
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: os.Getwd=/
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: LANG=en_US.UTF-8
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: LANGUAGE=en_US:
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: NOTIFY_SOCKET=/run/systemd/notify
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: HOME=/var/lib/caddy
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: LOGNAME=caddy
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: USER=caddy
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: INVOCATION_ID=a3b30328291c492b9364450b8d00577d
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: JOURNAL_STREAM=8:45767
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: SYSTEMD_EXEC_PID=4614
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: {"level":"info","ts":1704134499.5600162,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: {"level":"warn","ts":1704134499.5621977,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: {"level":"info","ts":1704134499.56356,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: {"level":"info","ts":1704134499.563784,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: {"level":"info","ts":1704134499.5638072,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: {"level":"info","ts":1704134499.5644543,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: {"level":"info","ts":1704134499.564719,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: {"level":"info","ts":1704134499.5647614,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: {"level":"info","ts":1704134499.564766,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["gracefulart.co.uk","www.gracefulart.co.uk"]}
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: {"level":"info","ts":1704134499.5673108,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: {"level":"info","ts":1704134499.5719066,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0001ca780"}
Jan 01 18:41:39 vmi1581705.contaboserver.net systemd[1]: Started Caddy.
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: {"level":"info","ts":1704134499.5753841,"msg":"serving initial configuration"}
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: {"level":"warn","ts":1704134499.5905743,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/var/lib/caddy/.local/share/caddy","instance":"df421fba-957d-4eeb-8108-b808c4c06880","try_again":1704220899.5905685,"try_again_in":86399.999999028}
Jan 01 18:41:39 vmi1581705.contaboserver.net caddy[4614]: {"level":"info","ts":1704134499.590717,"logger":"tls","msg":"finished cleaning storage units"}
Jan 01 19:40:42 vmi1581705.contaboserver.net systemd[1]: Stopping Caddy...
Jan 01 19:40:42 vmi1581705.contaboserver.net caddy[4614]: {"level":"info","ts":1704138042.8809412,"msg":"shutting down apps, then terminating","signal":"SIGTERM"}
Jan 01 19:40:42 vmi1581705.contaboserver.net caddy[4614]: {"level":"warn","ts":1704138042.929542,"msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
Jan 01 19:40:42 vmi1581705.contaboserver.net caddy[4614]: {"level":"info","ts":1704138042.9304695,"logger":"http","msg":"servers shutting down with eternal grace period"}
Jan 01 19:40:42 vmi1581705.contaboserver.net caddy[4614]: {"level":"info","ts":1704138042.9459906,"logger":"admin","msg":"stopped previous server","address":"localhost:2019"}
Jan 01 19:40:42 vmi1581705.contaboserver.net caddy[4614]: {"level":"info","ts":1704138042.946888,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}
Jan 01 19:40:42 vmi1581705.contaboserver.net systemd[1]: caddy.service: Deactivated successfully.
Jan 01 19:40:42 vmi1581705.contaboserver.net systemd[1]: Stopped Caddy.
Jan 01 19:40:42 vmi1581705.contaboserver.net systemd[1]: caddy.service: Consumed 1.114s CPU time.
Jan 01 19:40:42 vmi1581705.contaboserver.net systemd[1]: Starting Caddy...
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: caddy.HomeDir=/var/lib/caddy
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: caddy.Version=v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: runtime.GOOS=linux
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: runtime.GOARCH=amd64
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: runtime.Compiler=gc
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: runtime.NumCPU=4
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: runtime.GOMAXPROCS=4
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: runtime.Version=go1.21.5
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: os.Getwd=/
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: LANG=en_US.UTF-8
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: LANGUAGE=en_US:
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: NOTIFY_SOCKET=/run/systemd/notify
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: HOME=/var/lib/caddy
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: LOGNAME=caddy
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: USER=caddy
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: INVOCATION_ID=180ce6afbbd049adb2d7b2d01bea005b
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: JOURNAL_STREAM=8:62775
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: SYSTEMD_EXEC_PID=5825
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"info","ts":1704138043.5701268,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"warn","ts":1704138043.5839028,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":6}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"info","ts":1704138043.6006846,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"info","ts":1704138043.601876,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"info","ts":1704138043.6023664,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"info","ts":1704138043.6043003,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000094e00"}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"debug","ts":1704138043.6024942,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"vars","root":"/var/www/wordpress"}]},{"group":"group0","handle":[{"handler":"rewrite","uri":"'/index.php'"}],"match":[{"path":["/xmlrpc.php","*.sql","/wp-content/uploads/*.php"]}]},{"handle":[{"encodings":{"gzip":{}},"handler":"encode","prefer":["gzip"]}]},{"handle":[{"handler":"static_response","headers":{"Location":["{http.request.orig_uri.path}/"]},"status_code":308}],"match":[{"file":{"try_files":["{http.request.uri.path}/index.php"]},"not":[{"path":["*/"]}]}]},{"handle":[{"handler":"rewrite","uri":"{http.matchers.file.relative}"}],"match":[{"file":{"split_path":[".php"],"try_files":["{http.request.uri.path}","{http.request.uri.path}/index.php","index.php"]}}]},{"handle":[{"handler":"reverse_proxy","transport":{"protocol":"fastcgi","split_path":[".php"]},"upstreams":[{"dial":"unix//run/php/php8.1-fpm.sock"}]}],"match":[{"path":["*.php"]}]},{"handle":[{"handler":"file_server","hide":["/etc/caddy/Caddyfile"]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"info","ts":1704138043.606587,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"debug","ts":1704138043.6209242,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"info","ts":1704138043.620988,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"debug","ts":1704138043.6219501,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"info","ts":1704138043.6219633,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"info","ts":1704138043.621969,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["www.gracefulart.co.uk","gracefulart.co.uk"]}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"debug","ts":1704138043.642491,"logger":"tls","msg":"loading managed certificate","domain":"www.gracefulart.co.uk","expiration":1711903608,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"debug","ts":1704138043.6585515,"logger":"tls.cache","msg":"added certificate to cache","subjects":["www.gracefulart.co.uk"],"expiration":1711903608,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"b9217e8ee93850b12170699e5d508cb93ba253f887edfe0978c6c8f278190cb2","cache_size":1,"cache_capacity":10000}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"debug","ts":1704138043.6586661,"logger":"events","msg":"event","name":"cached_managed_cert","id":"014f035e-1965-47b9-b57c-e0b025db5574","origin":"tls","data":{"sans":["www.gracefulart.co.uk"]}}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"debug","ts":1704138043.6748135,"logger":"tls","msg":"loading managed certificate","domain":"gracefulart.co.uk","expiration":1711903369,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"debug","ts":1704138043.6767697,"logger":"tls.cache","msg":"added certificate to cache","subjects":["gracefulart.co.uk"],"expiration":1711903369,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"0e84a098a9fd4889353a9f3b8dd6183531d58d910f0a4532b1408c9028f98d4b","cache_size":2,"cache_capacity":10000}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"debug","ts":1704138043.6769211,"logger":"events","msg":"event","name":"cached_managed_cert","id":"44c32249-1a7e-4705-a185-39fcc754779d","origin":"tls","data":{"sans":["gracefulart.co.uk"]}}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"info","ts":1704138043.6799483,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Jan 01 19:40:43 vmi1581705.contaboserver.net systemd[1]: Started Caddy.
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"info","ts":1704138043.6816366,"msg":"serving initial configuration"}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"warn","ts":1704138043.7244453,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/var/lib/caddy/.local/share/caddy","instance":"df421fba-957d-4eeb-8108-b808c4c06880","try_again":1704224443.7244358,"try_again_in":86399.999998548}
Jan 01 19:40:43 vmi1581705.contaboserver.net caddy[5825]: {"level":"info","ts":1704138043.724808,"logger":"tls","msg":"finished cleaning storage units"}

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

a. System environment:

Ubuntu 22.04.3. Running Caddy on bare metal.

b. Command:

sudo systemctl restart caddy

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

{
        debug
}

gracefulart.co.uk, www.gracefulart.co.uk {
    root * /var/www/wordpress
    php_fastcgi unix//run/php/php-fpm.sock
    file_server
    encode gzip

    @disallowed {
        path /xmlrpc.php
        path *.sql
        path /wp-content/uploads/*.php
    }

    rewrite @disallowed '/index.php'
}

Thanks in advance :pray:

I took inspiration from Understanding Permissions for the Caddy server - #2 by Whitestrake

… And ran the following commands:

$ sudo chown -R <myuser>:www-data /var/www/wordpress
$ sudo find /var/www/wordpress -type d -exec chmod ug+rwx {} \;
$ sudo find /var/www/wordpress -type f -exec chmod ug+rw {} \;
$ sudo find /var/www/wordpress -type d -exec chmod g+s {} \;

Permissions now read:

$ sudo ls -l /var/www/wordpress
total 228
-rwxrwx---  1 myuser www-data   405 Feb  6  2020 index.php
-rwxrwx---  1 myuser www-data 19915 Jan  1  2023 license.txt
-rwxrwx---  1 myuser www-data  7399 Jul  5 18:41 readme.html
-rwxrwx---  1 myuser www-data  7211 May 12  2023 wp-activate.php
drwxrws---  9 myuser www-data  4096 Dec  6 16:25 wp-admin
-rwxrwx---  1 myuser www-data   351 Feb  6  2020 wp-blog-header.php
-rwxrwx---  1 myuser www-data  2323 Jun 14  2023 wp-comments-post.php
-rwxrwx---  1 myuser www-data  3013 Nov 15 17:47 wp-config-sample.php
drwxrws---  4 myuser www-data  4096 Dec  6 16:25 wp-content
-rwxrwx---  1 myuser www-data  5638 May 30  2023 wp-cron.php
drwxrws--- 27 myuser www-data 12288 Dec  6 16:25 wp-includes
-rwxrwx---  1 myuser www-data  2502 Nov 26  2022 wp-links-opml.php
-rwxrwx---  1 myuser www-data  3927 Jul 16 13:16 wp-load.php
-rwxrwx---  1 myuser www-data 50924 Sep 29 23:01 wp-login.php
-rwxrwx---  1 myuser www-data  8525 Sep 16 07:50 wp-mail.php
-rwxrwx---  1 myuser www-data 26409 Oct 10 15:05 wp-settings.php
-rwxrwx---  1 myuser www-data 34385 Jun 19  2023 wp-signup.php
-rwxrwx---  1 myuser www-data  4885 Jun 22  2023 wp-trackback.php
-rwxrwx---  1 myuser www-data  3154 Sep 30 08:39 xmlrpc.php

After a sudo systemctl restart caddy the 403 error persists. Any help would be greatly appreciated.

Hmm. Checked the ownership of /run/php/php-fpm.sock?

Try adding the debug global option to your Caddyfile, running a request, and posting the log output from that 403 request.

Thanks for the quick reply!

$ sudo ls -l /run/php/php-fpm.sock
lrwxrwxrwx 1 root root 30 Jan  1 17:56 /run/php/php-fpm.sock -> /etc/alternatives/php-fpm.sock

debug’s already in the config file - will try an http request and see what I get

Here’s the output from the 403 request:

Jan 01 22:15:51 vmi1581705.contaboserver.net caddy[11395]: {"level":"debug","ts":1704147351.5463684,"logger":"http.log.error","msg":"stat /var/www/wordpress: permission denied","request":{"remote_ip":"188.30.223.88","remote_port":"18617","client_ip":"188.30.223.88","proto":"HTTP/1.1","method":"GET","host":"www.gracefulart.co.uk","uri":"/","headers":{"Accept-Encoding":["gzip, deflate"],"Cache-Control":["max-age=0"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Dest":["document"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Sec-Fetch-Site":["cross-site"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"],"Sec-Fetch-User":["?1"],"Accept-Language":["en-US,en;q=0.9"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Connection":["keep-alive"],"Sec-Ch-Ua":["\"Not_A Brand\";v=\"8\", \"Chromium\";v=\"120\", \"Google Chrome\";v=\"120\""]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"","server_name":"www.gracefulart.co.uk"}},"duration":0.000246376,"status":403,"err_id":"sxynx6204","err_trace":"fileserver.(*FileServer).ServeHTTP (staticfiles.go:282)"}

This bit seems pertinent: "http.log.error","msg":"stat /var/www/wordpress: permission denied"

Huh.

And the permissions/ownership on the directory itself, /var/www/wordpress?

(ls -al should show it as .)

$ sudo ls -al /var/www/wordpress
total 236
drwxrws---  5 myuser    www-data  4096 Jan  1 17:55 .
drwxr-x---  3 root root      4096 Jan  1 17:32 ..
-rwxrwx---  1 myuser    www-data   405 Feb  6  2020 index.php
-rwxrwx---  1 myuser    www-data 19915 Jan  1  2023 license.txt
-rwxrwx---  1 myuser    www-data  7399 Jul  5 18:41 readme.html
-rwxrwx---  1 myuser    www-data  7211 May 12  2023 wp-activate.php
drwxrws---  9 myuser    www-data  4096 Dec  6 16:25 wp-admin
-rwxrwx---  1 myuser    www-data   351 Feb  6  2020 wp-blog-header.php
-rwxrwx---  1 myuser    www-data  2323 Jun 14  2023 wp-comments-post.php
-rwxrwx---  1 myuser    www-data  3013 Nov 15 17:47 wp-config-sample.php
drwxrws---  4 myuser    www-data  4096 Dec  6 16:25 wp-content
-rwxrwx---  1 myuser    www-data  5638 May 30  2023 wp-cron.php
drwxrws--- 27 myuser    www-data 12288 Dec  6 16:25 wp-includes
-rwxrwx---  1 myuser    www-data  2502 Nov 26  2022 wp-links-opml.php
-rwxrwx---  1 myuser    www-data  3927 Jul 16 13:16 wp-load.php
-rwxrwx---  1 myuser    www-data 50924 Sep 29 23:01 wp-login.php
-rwxrwx---  1 myuser    www-data  8525 Sep 16 07:50 wp-mail.php
-rwxrwx---  1 myuser    www-data 26409 Oct 10 15:05 wp-settings.php
-rwxrwx---  1 myuser    www-data 34385 Jun 19  2023 wp-signup.php
-rwxrwx---  1 myuser    www-data  4885 Jun 22  2023 wp-trackback.php
-rwxrwx---  1 myuser    www-data  3154 Sep 30 08:39 xmlrpc.php

Very confusing.

Just to be clear that Caddy is running as who we think it should be… Try:

pgrep caddy | xargs ps -o user,group,rgroup,supgrp,cmd -p

The output should tell us what groups and supplemental groups (for file access) the Caddy process has.

Could also try just chown caddy temporarily to see what happens.

$ pgrep caddy | xargs ps -o user,group,rgroup,supgrp,cmd -p
USER     GROUP    RGROUP   SUPGRP                                   CMD
caddy    caddy    caddy    www-data,caddy                           /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

I did the following and the debug logs came up with the same permission denied error (403) with the HTTP request through Chrome:

$ sudo chown -R caddy /var/www/wordpress
$ sudo ls -al /var/www/wordpress
total 236
drwxrws---  5 caddy www-data  4096 Jan  1 17:55 .
drwxr-x---  3 root  root      4096 Jan  1 17:32 ..
-rwxrwx---  1 caddy www-data   405 Feb  6  2020 index.php
-rwxrwx---  1 caddy www-data 19915 Jan  1  2023 license.txt
-rwxrwx---  1 caddy www-data  7399 Jul  5 18:41 readme.html
-rwxrwx---  1 caddy www-data  7211 May 12  2023 wp-activate.php
drwxrws---  9 caddy www-data  4096 Dec  6 16:25 wp-admin
-rwxrwx---  1 caddy www-data   351 Feb  6  2020 wp-blog-header.php
-rwxrwx---  1 caddy www-data  2323 Jun 14  2023 wp-comments-post.php
-rwxrwx---  1 caddy www-data  3013 Nov 15 17:47 wp-config-sample.php
drwxrws---  4 caddy www-data  4096 Dec  6 16:25 wp-content
-rwxrwx---  1 caddy www-data  5638 May 30  2023 wp-cron.php
drwxrws--- 27 caddy www-data 12288 Dec  6 16:25 wp-includes
-rwxrwx---  1 caddy www-data  2502 Nov 26  2022 wp-links-opml.php
-rwxrwx---  1 caddy www-data  3927 Jul 16 13:16 wp-load.php
-rwxrwx---  1 caddy www-data 50924 Sep 29 23:01 wp-login.php
-rwxrwx---  1 caddy www-data  8525 Sep 16 07:50 wp-mail.php
-rwxrwx---  1 caddy www-data 26409 Oct 10 15:05 wp-settings.php
-rwxrwx---  1 caddy www-data 34385 Jun 19  2023 wp-signup.php
-rwxrwx---  1 caddy www-data  4885 Jun 22  2023 wp-trackback.php
-rwxrwx---  1 caddy www-data  3154 Sep 30 08:39 xmlrpc.php
$ sudo systemctl restart caddy

I think the issue is that Caddy can’t stat /var/www/wordpress because neither caddy nor www-data have search permission (x bit) for the /var/www directory.

In order to list files or access inodes inside a directory (i.e. for /var/www/wordpress) you must have execute permission for the parent directory.

/var/www appears to be owned by root:root. You probably want that to be :www-data at least, or maybe world-execute (chmod w+x).

I also note you have owner- and group-execute on all the files. None of these files need to be executable, only the directories; the web server and PHP process don’t execute them, they only need to read them. As a clean-up once you’ve got things working I’d be looking at running o-x,g-x on all files.

THANK YOU!! :smiley:

This didn’t work:
$ sudo chown -R :www-data /var/www

This did:
$ sudo chown -R caddy:www-data /var/www

I then ran sudo chmod -R o-x /var/www and sudo chmod -R g-x /var/www as per your suggestion.

sudo ls -al /var/www/wordpress now outputs:

total 236
drwxrwS---  5 caddy www-data  4096 Jan  1 17:55 .
drwxr-----  3 caddy www-data  4096 Jan  1 17:32 ..
-rwxrw----  1 caddy www-data   405 Feb  6  2020 index.php
-rwxrw----  1 caddy www-data 19915 Jan  1  2023 license.txt
-rwxrw----  1 caddy www-data  7399 Jul  5 18:41 readme.html
-rwxrw----  1 caddy www-data  7211 May 12  2023 wp-activate.php
drwxrwS---  9 caddy www-data  4096 Dec  6 16:25 wp-admin
-rwxrw----  1 caddy www-data   351 Feb  6  2020 wp-blog-header.php
-rwxrw----  1 caddy www-data  2323 Jun 14  2023 wp-comments-post.php
-rwxrw----  1 caddy www-data  3013 Nov 15 17:47 wp-config-sample.php
drwxrwS---  4 caddy www-data  4096 Jan  1 23:18 wp-content
-rwxrw----  1 caddy www-data  5638 May 30  2023 wp-cron.php
drwxrwS--- 27 caddy www-data 12288 Dec  6 16:25 wp-includes
-rwxrw----  1 caddy www-data  2502 Nov 26  2022 wp-links-opml.php
-rwxrw----  1 caddy www-data  3927 Jul 16 13:16 wp-load.php
-rwxrw----  1 caddy www-data 50924 Sep 29 23:01 wp-login.php
-rwxrw----  1 caddy www-data  8525 Sep 16 07:50 wp-mail.php
-rwxrw----  1 caddy www-data 26409 Oct 10 15:05 wp-settings.php
-rwxrw----  1 caddy www-data 34385 Jun 19  2023 wp-signup.php
-rwxrw----  1 caddy www-data  4885 Jun 22  2023 wp-trackback.php
-rwxrw----  1 caddy www-data  3154 Sep 30 08:39 xmlrpc.php

Does that look good to you?

OK, perhaps my enthusiasm was a little premature.

The first WordPress page loaded at https://www.gracefulart.co.uk/wp-admin/setup-config.php, and then when I clicked the “Let’s go” button to get to https://www.gracefulart.co.uk/wp-admin/setup-config.php?step=1 it then states “File not found.”

Jan 01 23:27:04 vmi1581705.contaboserver.net caddy[12160]: {"level":"debug","ts":1704151624.0393007,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"unix//run/php/php8.1-fpm.sock","duration":0.00191328,"request":{"remote_ip":"159.89.152.193","remote_port":"40460","client_ip":"159.89.152.193","proto":"HTTP/1.1","method":"GET","host":"www.gracefulart.co.uk","uri":"/wp-admin/setup-config.php?step=1","headers":{"Accept-Encoding":["gzip"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15"],"Accept":["text/html,*/*"],"Accept-Language":["*"],"X-Forwarded-For":["159.89.152.193"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["www.gracefulart.co.uk"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"","server_name":"www.gracefulart.co.uk"}},"headers":{"Status":["404 Not Found"],"Content-Type":["text/html; charset=UTF-8"]},"status":404}

Not quite! You’ve actually stripped all the group-execute permissions for everything, but left user-execution for everything, files included. Since the owner caddy now has directory execution but the group www-data doesn’t, PHP won’t be able to read anything.

You want directories to all be user+group executable and files not to be executable at all. You want user and group to be able to read and write.

For the directories:

sudo find /var/www/wordpress -type d -exec chmod 770 {} \;

And for the files:

sudo find /var/www/wordpress -type f -exec chmod 660 {} \;

You also didn’t need to set the user ownership to caddy throughout the entire thing, but it shouldn’t cause any problems because we’re trying to get everything to work off the www-data group. If everything works, ideally it doesn’t matter in the slightest who the actual user owner is.
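
The two permission points made in the replies above (search permission on every parent directory, and the x bit on directories rather than on files) can be checked mechanically. The following is an added example, not part of the original thread or of Caddy: a POSIX shell helper that walks a path from the top down and prints the first directory a given numeric UID and group list cannot search. It assumes GNU `stat -c` and evaluates only classic owner/group/other mode bits (no ACLs, AppArmor or SELinux); the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: GNU coreutils `stat -c`,
# numeric IDs, classic owner/group/other mode bits only (no ACLs, no MAC).

# applicable_digit MODE OWNER_UID OWNER_GID UID "GID ..."
# Prints the single octal digit (0-7) that applies to the identity.
applicable_digit() (
    mode=$1 f_uid=$2 f_gid=$3 uid=$4 gids=$5
    # root passes directory search checks whatever the mode bits say
    if [ "$uid" -eq 0 ]; then echo 7; exit 0; fi
    # keep the last three octal digits (drops setuid/setgid/sticky)
    perms="000$mode"
    perms=${perms#"${perms%???}"}
    # the owner class wins when the UID matches, even if it grants less
    if [ "$uid" -eq "$f_uid" ]; then echo "${perms%??}"; exit 0; fi
    for g in $gids; do
        if [ "$g" -eq "$f_gid" ]; then
            mid=${perms#?}
            echo "${mid%?}"
            exit 0
        fi
    done
    echo "${perms#??}"
)

# first_blocked_dir TARGET UID "GID ..." [BASE]
# Checks every directory from BASE (default /) down to TARGET's parent.
# Prints the first one lacking search (x) permission for the identity and
# returns 1; prints nothing and returns 0 if all of them can be traversed.
# TARGET itself is not examined: stat() on it only needs x on its ancestors.
first_blocked_dir() (
    target=$1 uid=$2 gids=$3 base=${4:-/}
    dir=$(dirname "$target")
    chain=$dir
    while [ "$dir" != "$base" ] && [ "$dir" != "/" ]; do
        dir=$(dirname "$dir")
        chain="$dir
$chain"
    done
    while IFS= read -r d; do
        # -L: judge the directory a symlink resolves to (the link target's
        # own parents are not walked here)
        info=$(stat -L -c '%a %u %g' -- "$d") || exit 2
        set -- $info
        digit=$(applicable_digit "$1" "$2" "$3" "$uid" "$gids")
        # value 1 in the digit is the x bit, which means "search" on a directory
        if [ $((digit & 1)) -eq 0 ]; then
            printf '%s\n' "$d"
            exit 1
        fi
    done <<EOF
$chain
EOF
    exit 0
)

# Script usage: <this-script> /var/www/wordpress/index.php www-data
# `id -G` reads the group database; a running service keeps the groups it was
# started with, so compare against `ps -o supgrp` for a live process.
if [ "$#" -ge 2 ]; then
    first_blocked_dir "$1" "$(id -u "$2")" "$(id -G "$2")"
fi
```

Run it as root so every component can be stat'ed, once for the web server's user and once for the PHP-FPM user. An empty result with exit status 0 means every parent directory is searchable for that identity, so any remaining denial comes from the target's own mode or from something outside the mode bits.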

OK, thank you. Permissions now sorted.

See https://www.gracefulart.co.uk/ - 404 File not found error :frowning:

What’s ls -al look like now? And ls -al ./wp-admin?

Might be worth checking PHP-FPM config to see what user it’s running as - it should be www-data.

/var/www/wordpress# ls -al
total 236
drwxrws---  5 caddy www-data  4096 Jan  1 17:55 .
drwxr-----  3 caddy www-data  4096 Jan  1 17:32 ..
-rw-rw----  1 caddy www-data   405 Feb  6  2020 index.php
-rw-rw----  1 caddy www-data 19915 Jan  1  2023 license.txt
-rw-rw----  1 caddy www-data  7399 Jul  5 18:41 readme.html
-rw-rw----  1 caddy www-data  7211 May 12  2023 wp-activate.php
drwxrws---  9 caddy www-data  4096 Dec  6 16:25 wp-admin
-rw-rw----  1 caddy www-data   351 Feb  6  2020 wp-blog-header.php
-rw-rw----  1 caddy www-data  2323 Jun 14  2023 wp-comments-post.php
-rw-rw----  1 caddy www-data  3013 Nov 15 17:47 wp-config-sample.php
drwxrws---  4 caddy www-data  4096 Jan  1 23:18 wp-content
-rw-rw----  1 caddy www-data  5638 May 30  2023 wp-cron.php
drwxrws--- 27 caddy www-data 12288 Dec  6 16:25 wp-includes
-rw-rw----  1 caddy www-data  2502 Nov 26  2022 wp-links-opml.php
-rw-rw----  1 caddy www-data  3927 Jul 16 13:16 wp-load.php
-rw-rw----  1 caddy www-data 50924 Sep 29 23:01 wp-login.php
-rw-rw----  1 caddy www-data  8525 Sep 16 07:50 wp-mail.php
-rw-rw----  1 caddy www-data 26409 Oct 10 15:05 wp-settings.php
-rw-rw----  1 caddy www-data 34385 Jun 19  2023 wp-signup.php
-rw-rw----  1 caddy www-data  4885 Jun 22  2023 wp-trackback.php
-rw-rw----  1 caddy www-data  3154 Sep 30 08:39 xmlrpc.php

And:

/var/www/wordpress# ls -al ./wp-admin/
total 1132
drwxrws--- 9 caddy www-data  4096 Dec  6 16:25 .
drwxrws--- 5 caddy www-data  4096 Jan  1 17:55 ..
-rw-rw---- 1 caddy www-data 19275 Dec  6 16:12 about.php
-rw-rw---- 1 caddy www-data  4942 May  7  2022 admin-ajax.php
-rw-rw---- 1 caddy www-data  2823 Jun  1  2021 admin-footer.php
-rw-rw---- 1 caddy www-data   406 Feb  6  2020 admin-functions.php
-rw-rw---- 1 caddy www-data  9032 Jun 14  2023 admin-header.php
-rw-rw---- 1 caddy www-data 12559 Jun 14  2023 admin.php
-rw-rw---- 1 caddy www-data  2047 Mar  2  2022 admin-post.php
-rw-rw---- 1 caddy www-data  4789 Sep 17 16:33 async-upload.php
-rw-rw---- 1 caddy www-data 10335 Sep 14 01:54 authorize-application.php
-rw-rw---- 1 caddy www-data 11565 Sep 14 01:54 comment.php
-rw-rw---- 1 caddy www-data  5624 Oct 17 03:02 contribute.php
-rw-rw---- 1 caddy www-data  3763 Oct 17 03:02 credits.php
drwxrws--- 3 caddy www-data  4096 Dec  6 16:25 css
-rw-rw---- 1 caddy www-data   416 Feb  6  2020 custom-background.php
-rw-rw---- 1 caddy www-data   426 Feb  6  2020 custom-header.php
-rw-rw---- 1 caddy www-data 10865 Jun 14  2023 customize.php
-rw-rw---- 1 caddy www-data 14726 Sep 17 16:33 edit-comments.php
-rw-rw---- 1 caddy www-data 29316 Sep 17 16:33 edit-form-advanced.php
-rw-rw---- 1 caddy www-data 12024 Sep 25 11:02 edit-form-blocks.php
-rw-rw---- 1 caddy www-data  8544 Feb  7  2023 edit-form-comment.php
-rw-rw---- 1 caddy www-data  6362 Sep 14 03:15 edit-link-form.php
-rw-rw---- 1 caddy www-data 19897 Sep 18 08:04 edit.php
-rw-rw---- 1 caddy www-data 10703 Sep 14 01:54 edit-tag-form.php
-rw-rw---- 1 caddy www-data 22436 Sep 17 16:33 edit-tags.php
-rw-rw---- 1 caddy www-data  7538 Sep 27 16:44 erase-personal-data.php
-rw-rw---- 1 caddy www-data  7945 Feb 23  2023 export-personal-data.php
-rw-rw---- 1 caddy www-data 11279 Sep 20 10:47 export.php
-rw-rw---- 1 caddy www-data  4537 Oct 27 21:58 freedoms.php
drwxrws--- 2 caddy www-data  4096 Dec  6 16:25 images
-rw-rw---- 1 caddy www-data  7647 Sep 17 16:33 import.php
drwxrws--- 2 caddy www-data  4096 Dec  6 16:25 includes
-rw-rw---- 1 caddy www-data  7864 Sep 14 01:54 index.php
-rw-rw---- 1 caddy www-data  6961 Nov 20  2022 install-helper.php
-rw-rw---- 1 caddy www-data 17501 Jun 25  2023 install.php
drwxrws--- 3 caddy www-data  4096 Dec  6 16:25 js
-rw-rw---- 1 caddy www-data   742 Jul 22  2021 link-add.php
-rw-rw---- 1 caddy www-data  4365 Sep 14 03:15 link-manager.php
-rw-rw---- 1 caddy www-data  2690 Jun 14  2023 link-parse-opml.php
-rw-rw---- 1 caddy www-data  2761 Sep  9 10:28 link.php
-rw-rw---- 1 caddy www-data  1700 Dec 12  2021 load-scripts.php
-rw-rw---- 1 caddy www-data  2626 Jun 23  2023 load-styles.php
drwxrws--- 2 caddy www-data  4096 Dec  6 16:25 maint
-rw-rw---- 1 caddy www-data  3261 Feb 23  2023 media-new.php
-rw-rw---- 1 caddy www-data   763 Jun 20  2023 media.php
-rw-rw---- 1 caddy www-data  3569 Sep  7 15:59 media-upload.php
-rw-rw---- 1 caddy www-data 10072 Jul  9 20:56 menu-header.php
-rw-rw---- 1 caddy www-data 17150 Sep 17 03:10 menu.php
-rw-rw---- 1 caddy www-data   307 Feb  6  2020 moderation.php
-rw-rw---- 1 caddy www-data   196 Feb  6  2020 ms-admin.php
-rw-rw---- 1 caddy www-data  4287 Nov 14  2022 ms-delete-site.php
-rw-rw---- 1 caddy www-data   216 Feb  6  2020 ms-edit.php
-rw-rw---- 1 caddy www-data   223 Feb  6  2020 ms-options.php
-rw-rw---- 1 caddy www-data   215 Feb  6  2020 ms-sites.php
-rw-rw---- 1 caddy www-data   217 Feb  6  2020 ms-themes.php
-rw-rw---- 1 caddy www-data   219 Feb  6  2020 ms-upgrade-network.php
-rw-rw---- 1 caddy www-data   215 Feb  6  2020 ms-users.php
-rw-rw---- 1 caddy www-data  4858 Sep  5 20:26 my-sites.php
-rw-rw---- 1 caddy www-data 48910 Sep 17 16:33 nav-menus.php
drwxrws--- 2 caddy www-data  4096 Dec  6 16:25 network
-rw-rw---- 1 caddy www-data  5482 Feb 23  2023 network.php
-rw-rw---- 1 caddy www-data 15951 Feb 23  2023 options-discussion.php
-rw-rw---- 1 caddy www-data 17192 Sep 25 16:36 options-general.php
-rw-rw---- 1 caddy www-data   492 Aug 16  2019 options-head.php
-rw-rw---- 1 caddy www-data  6505 Feb 23  2023 options-media.php
-rw-rw---- 1 caddy www-data 21630 May  2  2023 options-permalink.php
-rw-rw---- 1 caddy www-data 13624 Oct 17 00:51 options.php
-rw-rw---- 1 caddy www-data 10210 Sep 14 01:54 options-privacy.php
-rw-rw---- 1 caddy www-data 10314 Sep 14 01:54 options-reading.php
-rw-rw---- 1 caddy www-data  9273 Jun 22  2023 options-writing.php
-rw-rw---- 1 caddy www-data 13714 Sep 17 16:33 plugin-editor.php
-rw-rw---- 1 caddy www-data  6940 Feb 23  2023 plugin-install.php
-rw-rw---- 1 caddy www-data 29514 Sep 26 01:27 plugins.php
-rw-rw---- 1 caddy www-data  2703 May 16  2020 post-new.php
-rw-rw---- 1 caddy www-data 10088 Jun 22  2023 post.php
-rw-rw---- 1 caddy www-data  2386 Feb  6  2020 press-this.php
-rw-rw---- 1 caddy www-data  2470 Oct 17 03:02 privacy.php
-rw-rw---- 1 caddy www-data  3756 Nov 15 17:47 privacy-policy-guide.php
-rw-rw---- 1 caddy www-data   283 Feb  6  2020 profile.php
-rw-rw---- 1 caddy www-data  5600 Aug 24 10:32 revision.php
-rw-rw---- 1 caddy www-data 17742 Jun 24  2023 setup-config.php
-rw-rw---- 1 caddy www-data  6102 Sep 14 01:54 site-editor.php
-rw-rw---- 1 caddy www-data  4070 Sep 14 01:54 site-health-info.php
-rw-rw---- 1 caddy www-data 10387 Sep 14 01:54 site-health.php
-rw-rw---- 1 caddy www-data  2249 Jun  1  2022 term.php
-rw-rw---- 1 caddy www-data 15513 Nov  8 20:10 theme-editor.php
-rw-rw---- 1 caddy www-data 23911 Sep 17 16:33 theme-install.php
-rw-rw---- 1 caddy www-data 48015 Oct  8 18:56 themes.php
-rw-rw---- 1 caddy www-data  3514 Feb 23  2023 tools.php
-rw-rw---- 1 caddy www-data 46285 Sep 22 20:58 update-core.php
-rw-rw---- 1 caddy www-data 12724 Apr  9  2023 update.php
-rw-rw---- 1 caddy www-data   341 Feb  6  2020 upgrade-functions.php
-rw-rw---- 1 caddy www-data  5688 Aug 25 06:44 upgrade.php
-rw-rw---- 1 caddy www-data 15198 Sep 22 19:19 upload.php
drwxrws--- 2 caddy www-data  4096 Dec  6 16:25 user
-rw-rw---- 1 caddy www-data 40005 Oct  7 14:55 user-edit.php
-rw-rw---- 1 caddy www-data 24561 Sep 17 16:33 user-new.php
-rw-rw---- 1 caddy www-data 23847 Oct 15 15:04 users.php
-rw-rw---- 1 caddy www-data  4500 Sep 25 01:00 widgets-form-blocks.php
-rw-rw---- 1 caddy www-data 19635 Sep 14 03:15 widgets-form.php
-rw-rw---- 1 caddy www-data  1112 Mar 22  2022 widgets.php

Yes - it looks like PHP-FPM config is the issue here - see below:

$ ls -al /etc/php/8.1/fpm/php-fpm.conf
-rw-r--r-- 1 root root 5457 Aug 18 12:41 /etc/php/8.1/fpm/php-fpm.conf

Is it a case of doing a sudo chown www-data:www-data /etc/php/8.1/fpm/php-fpm.conf?

No, ownership of the PHP-FPM config file doesn’t matter. I believe it reads it as root and then spawns workers as the configured user/group.

You’ll want to cat that file and see what the user and group options are set to.

Thanks for your patience with all this!

Here’s the cat output:

$ cat /etc/php/8.1/fpm/php-fpm.conf
;;;;;;;;;;;;;;;;;;;;;
; FPM Configuration ;
;;;;;;;;;;;;;;;;;;;;;

; All relative paths in this configuration file are relative to PHP's install
; prefix (/usr). This prefix can be dynamically changed by using the
; '-p' argument from the command line.

;;;;;;;;;;;;;;;;;;
; Global Options ;
;;;;;;;;;;;;;;;;;;

[global]
; Pid file
; Note: the default prefix is /var
; Default Value: none
; Warning: if you change the value here, you need to modify systemd
; service PIDFile= setting to match the value here.
pid = /run/php/php8.1-fpm.pid

; Error log file
; If it's set to "syslog", log is sent to syslogd instead of being written
; into a local file.
; Note: the default prefix is /var
; Default Value: log/php-fpm.log
error_log = /var/log/php8.1-fpm.log

; syslog_facility is used to specify what type of program is logging the
; message. This lets syslogd specify that messages from different facilities
; will be handled differently.
; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
; Default Value: daemon
;syslog.facility = daemon

; syslog_ident is prepended to every message. If you have multiple FPM
; instances running on the same server, you can change the default value
; which must suit common needs.
; Default Value: php-fpm
;syslog.ident = php-fpm

; Log level
; Possible Values: alert, error, warning, notice, debug
; Default Value: notice
;log_level = notice

; Log limit on number of characters in the single line (log entry). If the
; line is over the limit, it is wrapped on multiple lines. The limit is for
; all logged characters including message prefix and suffix if present. However
; the new line character does not count into it as it is present only when
; logging to a file descriptor. It means the new line character is not present
; when logging to syslog.
; Default Value: 1024
;log_limit = 4096

; Log buffering specifies if the log line is buffered which means that the
; line is written in a single write operation. If the value is false, then the
; data is written directly into the file descriptor. It is an experimental
; option that can potentially improve logging performance and memory usage
; for some heavy logging scenarios. This option is ignored if logging to syslog
; as it has to be always buffered.
; Default value: yes
;log_buffering = no

; If this number of child processes exit with SIGSEGV or SIGBUS within the time
; interval set by emergency_restart_interval then FPM will restart. A value
; of '0' means 'Off'.
; Default Value: 0
;emergency_restart_threshold = 0

; Interval of time used by emergency_restart_interval to determine when
; a graceful restart will be initiated.  This can be useful to work around
; accidental corruptions in an accelerator's shared memory.
; Available Units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
;emergency_restart_interval = 0

; Time limit for child processes to wait for a reaction on signals from master.
; Available units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
;process_control_timeout = 0

; The maximum number of processes FPM will fork. This has been designed to control
; the global number of processes when using dynamic PM within a lot of pools.
; Use it with caution.
; Note: A value of 0 indicates no limit
; Default Value: 0
; process.max = 128

; Specify the nice(2) priority to apply to the master process (only if set)
; The value can vary from -19 (highest priority) to 20 (lowest priority)
; Note: - It will only work if the FPM master process is launched as root
;       - The pool process will inherit the master process priority
;         unless specified otherwise
; Default Value: no set
; process.priority = -19

; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
; Default Value: yes
;daemonize = yes

; Set open file descriptor rlimit for the master process.
; Default Value: system defined value
;rlimit_files = 1024

; Set max core size rlimit for the master process.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0

; Specify the event mechanism FPM will use. The following is available:
; - select     (any POSIX os)
; - poll       (any POSIX os)
; - epoll      (linux >= 2.5.44)
; - kqueue     (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0)
; - /dev/poll  (Solaris >= 7)
; - port       (Solaris >= 10)
; Default Value: not set (auto detection)
;events.mechanism = epoll

; When FPM is built with systemd integration, specify the interval,
; in seconds, between health report notification to systemd.
; Set to 0 to disable.
; Available Units: s(econds), m(inutes), h(ours)
; Default Unit: seconds
; Default value: 10
;systemd_interval = 10

;;;;;;;;;;;;;;;;;;;;
; Pool Definitions ;
;;;;;;;;;;;;;;;;;;;;

; Multiple pools of child processes may be started with different listening
; ports and different management options.  The name of the pool will be
; used in logs and stats. There is no limitation on the number of pools which
; FPM can handle. Your system will tell you anyway :)

; Include one or more files. If glob(3) exists, it is used to include a bunch of
; files from a glob(3) pattern. This directive can be used everywhere in the
; file.
; Relative path can also be used. They will be prefixed by:
;  - the global prefix if it's been set (-p argument)
;  - /usr otherwise
include=/etc/php/8.1/fpm/pool.d/*.conf

If I’ve understood this correctly - and there’s every possibility I haven’t - the PID is of interest to us. The output for the /run/php/php8.1-fpm.pid file is 603.

Any further guidance would be greatly appreciated 🙏

Try: grep 'user\|group' /etc/php/8.1/fpm/pool.d/*.conf

We don’t particularly care about the process ID - it’s just a number used to keep track of a specific process in particular, and doesn’t tell us much about the parameters under which that process is running.
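The check suggested in the reply above, written out as an added example (not code from the thread, Caddy or PHP-FPM): `pool_identity` extracts the effective `user`/`group` of each pool while skipping `;` comments and the `listen.*` keys that the plain grep also matches, and `can_search` tests whether that identity has the search bit on a directory line from `ls -al`. The pool text is constructed, the two `ls` lines are copied from the listing earlier in the thread, and the function names are hypothetical; ACLs and supplementary groups are assumed absent.

```shell
#!/bin/sh
# Constructed pool file (NOT the poster's real config) with the commented
# defaults and listen.* keys that a plain grep for user/group also matches.
SAMPLE_POOL='[www]
;user = nobody
user = www-data
group = www-data
listen.owner = www-data
listen.group = www-data'
# These two lines are copied from the `ls -al` output in the thread.
DOCROOT='drwxrws---  5 caddy www-data  4096 Jan  1 17:55 .'
PARENT='drwxr-----  3 caddy www-data  4096 Jan  1 17:32 ..'

# Read pool config on stdin; print "pool user group" per [pool] section.
pool_identity() {
  awk -F'[ \t]*=[ \t]*' '
    /^[ \t]*;/ { next }                       # skip commented-out settings
    /^\[/ { if (pool) print pool, user, group
            pool = substr($0, 2, index($0, "]") - 2); user = group = "-"; next }
    $1 == "user"  { user = $2 }
    $1 == "group" { group = $2 }
    END { if (pool) print pool, user, group }'
}

# Print the rwx triplet of an `ls -l` line that applies to USER/GROUP: owner
# bits if USER owns the entry, else group bits if GROUP matches, else other.
perms_for() {
  line=$1 user=$2 group=$3
  set -f; set -- $line; set +f          # split the line into fields
  if   [ "$user" = "$3" ];  then start=2
  elif [ "$group" = "$4" ]; then start=5
  else start=8; fi
  printf '%s\n' "$1" | cut -c"$start-$((start + 2))"
}

# Entering a directory needs the search bit: x, or s/t (x plus setgid/sticky).
can_search() {
  case $(perms_for "$@") in ??[xst]) return 0 ;; *) return 1 ;; esac
}

# Report each path component for the identity the pool runs as.
report() {
  set -- $(printf '%s\n' "$SAMPLE_POOL" | pool_identity)
  for entry in "$PARENT" "$DOCROOT"; do
    if can_search "$entry" "$2" "$3"; then echo "ok   $2:$3  $entry"
    else echo "DENY $2:$3  $entry"; fi
  done
}
report
```

On a live system, `namei -l /var/www/wordpress/index.php` prints the same owner, group and mode columns for every component of the path, which can be fed to the same check.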