# help with chmod and setuid bit on folders



## razixx (May 11, 2012)

Hi guys, here's my problem:

I've got a web server serving up wordpress files in the folder /var/www/somesite.net/. I've set the suid bit on the folder wp-content for both user and group but when I *touch* the file with a test user, it assumes the ownership of 'test'.


```
$ uname -r
9.0-RELEASE

$ ls -l
total 312
-rw-r--r--  1 root   www  88403 May 11 13:50 access_log
-rw-r--r--  1 root   www  15267 May 11 13:49 error_log
-rw-r--r--  1 chris  www    397 May 11 13:16 index.php
-rw-r--r--  1 chris  www  16899 May 11 13:16 license.txt
-rw-r--r--  1 chris  www   9202 May 11 13:16 readme.html
-rw-r--r--  1 chris  www   4268 May 11 13:16 wp-activate.php
drwxr-xr-x  9 chris  www   2560 May 11 13:16 wp-admin
-rw-r--r--  1 chris  www  40272 May 11 13:16 wp-app.php
-rw-r--r--  1 chris  www    274 May 11 13:16 wp-blog-header.php
-rw-r--r--  1 chris  www   3989 May 11 13:16 wp-comments-post.php
-rw-r--r--  1 chris  www   3177 May 11 13:16 wp-config-sample.php
-rw-r-----  1 chris  www   3470 May 11 13:17 wp-config.php
[b]drwsrwsr-x  5 chris  www    512 May 11 13:49 wp-content[/b]

$ cd wp-content/
$ ls
index.php       plugins         themes          upgrade
$ touch test
$ ls -l
total 16
-rw-rw-r--  1 chris  www   30 May 11 13:16 index.php
drwxrwxr-x  3 chris  www  512 May 11 13:46 plugins
-rw-r--r--  1 test   www    0 May 11 14:08 test
drwxrwxr-x  6 chris  www  512 May 11 13:49 themes
drwxr-xr-x  2 www    www  512 May 11 13:49 upgrade
```
As you can see, with setuid set on wp-content the file created inside doesn't inherit ownership.  The same thing happens when Apache creates files as well.

Am I missing something?


----------



## kpa (May 11, 2012)

As far as I know the setuid bit on directories works only on group. It sounds like a potential security hole to me if you could create a file and make it automatically owned by someone else.


----------



## razixx (May 12, 2012)

Hmmmmm.... I never really thought of it that way, it makes sense. Maybe I should be reversing the owner and group then?  I guess my thought process when setting this up was trying to limit user 'www' with read only access and give myself rw rights limiting damage if apache was ever compromised (I will have other virtualhosts installed).

What would you guys consider best practice when it comes to file permissions on a one person setup?


----------

