1. The problem I’m having:
According to the WordPress hardening guide, auto-updates write all files with 0644 permissions and all directories are set to 0755.
I was previously guided to use 660 and 770 respectively in this thread so that Caddy (which is the www-data group) can read the WordPress content. This was part of the solution that solved 403 errors.
I now fear that when WordPress auto-updates, 403 errors will re-emerge and I’ll have to SSH into the server every time to run the chmod commands. Is my fear unfounded, or is there a fix (such as editing the caddy systemd service to use the www-data user)?
2. Error messages and/or full log output:
$ ls -al /var/www/gracefulart/wordpress
total 244
drwxrwx--- 5 www-data www-data 4096 Jan 4 08:17 .
drwxrws--- 4 www-data www-data 4096 Jan 2 14:45 ..
-rw-rw---- 1 www-data www-data 405 Feb 6 2020 index.php
-rw-rw---- 1 www-data www-data 19915 Jan 1 2023 license.txt
-rw-rw---- 1 www-data www-data 7399 Jul 5 2023 readme.html
-rw-rw---- 1 www-data www-data 132 Jan 2 15:19 .user.ini
-rw-rw---- 1 www-data www-data 7211 May 12 2023 wp-activate.php
drwxrwx--- 9 www-data www-data 4096 Dec 6 16:25 wp-admin
-rw-rw---- 1 www-data www-data 351 Feb 6 2020 wp-blog-header.php
-rw-rw---- 1 www-data www-data 2323 Jun 14 2023 wp-comments-post.php
-r--r----- 1 www-data www-data 3656 Jan 2 16:15 wp-config.php
-rw-rw---- 1 www-data www-data 3013 Nov 15 17:47 wp-config-sample.php
drwxrwx--- 9 www-data www-data 4096 Jan 4 10:56 wp-content
-rw-rw---- 1 www-data www-data 5638 May 30 2023 wp-cron.php
drwxrwx--- 27 www-data www-data 12288 Dec 6 16:25 wp-includes
-rw-rw---- 1 www-data www-data 2502 Nov 26 2022 wp-links-opml.php
-rw-rw---- 1 www-data www-data 3927 Jul 16 13:16 wp-load.php
-rw-rw---- 1 www-data www-data 50924 Sep 29 23:01 wp-login.php
-rw-rw---- 1 www-data www-data 8525 Sep 16 07:50 wp-mail.php
-rw-rw---- 1 www-data www-data 26409 Oct 10 15:05 wp-settings.php
-rw-rw---- 1 www-data www-data 34385 Jun 19 2023 wp-signup.php
-rw-rw---- 1 www-data www-data 4885 Jun 22 2023 wp-trackback.php
-rw-rw---- 1 www-data www-data 3154 Sep 30 08:39 xmlrpc.php
3. Caddy version:
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
4. How I installed and ran Caddy:
a. System environment:
Ubuntu 22.04.3. Running Caddy on bare metal.
b. Command:
sudo systemctl restart caddy
c. Service/unit/compose file:
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
d. My complete Caddy config:
n/a
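Added example, not part of the original post: a small shell script that audits a WordPress tree for anything a process carrying the www-data group could not read or traverse, repairs only the group bits (so the 660/770 layout from the post is left alone), and prints a systemd drop-in that keeps User=caddy but adds www-data as a supplementary group. The path /var/www/gracefulart/wordpress and the group www-data are taken from the post; the function names, the drop-in approach and the audit rules are assumptions made for this example, not anything from the Caddy or WordPress projects. Note that both the 0644/0755 WordPress writes and the 0660/0770 scheme in the post carry group read, so both pass the audit unchanged.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Audits a WordPress tree for
# entries that a process whose groups include GROUP could not read (files)
# or traverse (directories), optionally repairs them without touching the
# "other" bits, and emits a systemd drop-in for the caddy service.
# Defaults (www-data, /var/www/gracefulart/wordpress) come from the post;
# everything else is an assumption for illustration.
set -u

# Print every path under ROOT that is not in GROUP, or lacks g+r (files)
# or g+rx (directories). Prints nothing when the tree is fully group-readable.
wp_perm_audit() {
    local root="$1" group="${2:-www-data}"
    find "$root" \( ! -group "$group" \) -o \
                 \( -type d ! -perm -g=rx \) -o \
                 \( -type f ! -perm -g=r \)
}

# Same audit as a number (count of offending entries) a script can branch on.
wp_perm_audit_count() {
    wp_perm_audit "$@" | wc -l | tr -d ' '
}

# Repair: put everything in GROUP and add group read (plus execute on
# directories). Owner and "other" bits are left exactly as they are, so a
# 660/770 tree stays 660/770 and a 644/755 tree stays 644/755.
wp_perm_fix() {
    local root="$1" group="${2:-www-data}"
    chgrp -R "$group" "$root"
    find "$root" -type d -exec chmod g+rx {} +
    find "$root" -type f -exec chmod g+r {} +
}

# Systemd drop-in (assumed approach): keep User=caddy/Group=caddy from the
# unit shown in the post and add GROUP as a supplementary group, so Caddy
# can read group-readable WordPress files without running as www-data.
# Paste the output into `sudo systemctl edit caddy`, then
# `sudo systemctl daemon-reload && sudo systemctl restart caddy`.
caddy_override_conf() {
    local group="${1:-www-data}"
    printf '[Service]\nSupplementaryGroups=%s\n' "$group"
}

# Typical use on the server from the post (run as root):
#   wp_perm_audit /var/www/gracefulart/wordpress www-data
#   wp_perm_fix   /var/www/gracefulart/wordpress www-data
#   caddy_override_conf www-data
```

After installing the drop-in, `id caddy` should list www-data among the groups, and `wp_perm_audit` should print nothing; running the audit after the next auto-update is a quick way to confirm whether anything actually changed in a way that would break reads.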