# how (why!) is wordpress running as root?

## Gentree

Hi,

yes, we all know WP is a crock of shit, a huge security risk, and the emerge finishes with a big fat warning to that effect, but HOW and why is it managing to run as root?!

```
bash-4.2# cd wordpress
bash-4.2# ls -ail
total 259
74676 drwxr-xr-x 5 root   root       26 Feb 20 11:55 .
   42 drwxr-xr-x 9 joey   users      79 Feb 20 08:54 ..
75690 -rw-rw-r-- 1 apache apache    397 Feb 20 08:54 index.php
75708 -rw------- 1 root   root      331 Feb 20 08:54 .webapp
75709 -rw------- 1 root   root   101358 Feb 20 08:54 .webapp-wordpress-3.3.1
75691 -rw-r--r-- 1 root   root     4268 Feb 20 08:54 wp-activate.php
74677 drwxr-xr-x 9 root   root       90 Feb 20 08:54 wp-admin
75692 -rw-r--r-- 1 root   root    40272 Feb 20 08:54 wp-app.php
75693 -rw-r--r-- 1 root   root      274 Feb 20 08:54 wp-blog-header.php
```

all my htdocs space is owned by a limited account joey:users

Now, as I understood it, WP is just a bunch of PHP scripts running inside my web server (lighttpd on this box), which is running under an account called apache.

So HOW does WP manage to create all these file structures with root ownership?

While we're about it, why do I find a file with the WP username AND PASSWORD in clear text, in a standardised location within the publicly accessible webspace:

/var/www/localhost/htdocs/wordpress/wp-config.php 

I mean, knowing it is there I can open it with Firefox and view source to find out the login details to a program that apparently had root access to my main file systems.   :Shocked:   :Shocked:   :Shocked: 

I mean that's not a security "risk" it's an open invitation. That's like leaving your car keys on the roof of the car and hoping nobody steals it! 

Now please reassure me that I'm mistaken.

TIA, Gentree.   :Cool: 

----------

## Gentree

please note the real question here is 

 *Quote:*   

> HOW and why is it managing to run as root ?! 

 

How can a script, however badly written, be gaining root privilege from within Firefox?

 :Confused: 

----------

## PaulBredbury

A little check of the user & group of lighttpd:

```
ps -eo pid,tid,pri,rtprio,nice,policy,ruser,rgroup,comm,args | grep lightt
```

----------

## Gentree

/etc/lighttpd/lighttpd.conf

```
# {{{ server settings
server.username      = "lighttpd"
server.groupname     = "lighttpd"
```

```
ps -eo pid,tid,pri,rtprio,nice,policy,ruser,rgroup,comm,args | grep lightt
15899 15899  19      -   0 TS  lighttpd lighttpd lighttpd        /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
15901 15901  19      -   0 TS  lighttpd lighttpd php-cgi         /usr/bin/php-cgi
15902 15902  19      -   0 TS  lighttpd lighttpd php-cgi         /usr/bin/php-cgi
15903 15903  19      -   0 TS  lighttpd lighttpd php-cgi         /usr/bin/php-cgi
15904 15904  19      -   0 TS  lighttpd lighttpd php-cgi         /usr/bin/php-cgi
15909 15909  19      -   0 TS  lighttpd lighttpd php-cgi         /usr/bin/php-cgi
15910 15910  19      -   0 TS  lighttpd lighttpd php-cgi         /usr/bin/php-cgi
15912 15912  19      -   0 TS  lighttpd lighttpd php-cgi         /usr/bin/php-cgi
21735 21735  19      -   0 TS  lighttpd lighttpd php-cgi         /usr/bin/php-cgi
```

lighttpd is 1024

Thx

----------
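The `ps` check PaulBredbury suggested and the `ps`/`ls -ail` output Gentree posted are the two pieces of evidence that matter: the real user of lighttpd and its php-cgi workers, and the owner of the files under the docroot. The script below is an added example, not code from this thread or from Gentoo or WordPress. It wraps both checks in functions that read stdin, so they can be exercised offline on the constructed sample lines embedded in the script (modelled on the thread's output, with two root processes added so the check finds something), and run live against this host with `--live`. The docroot path `/var/www/localhost/htdocs/wordpress` is taken from the thread and is only a default.

```shell
#!/bin/sh
# Added example, not code from the thread: audit which account the web server
# and its PHP workers really run as, and which files under the WordPress docroot
# are root-owned. Both checks read stdin so they can be tried on the constructed
# sample lines below; run with --live to inspect this host instead.

# Print "pid ruser comm" for every process whose real user is root.
# Input: lines in `ps -eo pid,ruser,comm` format (a header line is harmless,
# because its second field is "RUSER", not "root").
root_processes() {
    awk '$2 == "root" { print $1, $2, $3 }'
}

# Print the names of root-owned entries from `ls -l` or `ls -ail` output,
# skipping the "total" line and the . and .. entries. A numeric first field
# means -i was used and every column is shifted right by one.
root_owned_files() {
    awk '$1 == "total" { next }
         { o = ($1 ~ /^[0-9]+$/) ? 1 : 0 }
         NF >= 9 + o && $(3 + o) == "root" && $(9 + o) != "." && $(9 + o) != ".." {
             print $(9 + o)
         }'
}

# Live check against this host. The docroot default is the path from the
# thread; override it with the first argument. Assumes procps ps (ruser column).
audit_live() {
    docroot=${1:-/var/www/localhost/htdocs/wordpress}
    echo "== lighttpd / php processes whose real user is root =="
    ps -eo pid,ruser,comm | grep -E 'lighttpd|php' | root_processes
    echo "== root-owned entries in $docroot =="
    ls -al "$docroot" | root_owned_files
}

# Constructed sample input, modelled on the ps and ls -ail output in the
# thread, with two root processes added so the check has something to find.
SAMPLE_PS='  PID RUSER    COMMAND
15899 lighttpd lighttpd
15901 lighttpd php-cgi
  999 root     php-cgi
    1 root     init'

SAMPLE_LS='total 259
74676 drwxr-xr-x 5 root   root       26 Feb 20 11:55 .
   42 drwxr-xr-x 9 joey   users      79 Feb 20 08:54 ..
75690 -rw-rw-r-- 1 apache apache    397 Feb 20 08:54 index.php
75708 -rw------- 1 root   root      331 Feb 20 08:54 .webapp
75691 -rw-r--r-- 1 root   root     4268 Feb 20 08:54 wp-activate.php
74677 drwxr-xr-x 9 root   root       90 Feb 20 08:54 wp-admin'

if [ "${1:-}" = "--live" ]; then
    audit_live "${2:-}"
else
    echo "== sample: processes running as root =="
    printf '%s\n' "$SAMPLE_PS" | root_processes
    echo "== sample: root-owned files =="
    printf '%s\n' "$SAMPLE_LS" | root_owned_files
fi
```

On the thread's box the live run should list no root processes (every php-cgi worker has real user `lighttpd`) and several root-owned files, which is the combination j4miel describes: root ownership is an artefact of running the install as root, not evidence that PHP runs as root. Files that WordPress needs to write (uploads, plugin updates) must be owned or writable by the php-cgi user; everything else is better owned by the unprivileged account (`joey:users` here) and not writable by the web server at all.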

## j4miel

Even though the files are owned by root, they certainly don't run as root. They will run with the privileges of the PHP process which executes them, and this should not be root. If it is, you have a misconfigured php-fcgi or php-fpm (whichever you run for PHP within lighttpd). Those files are only owned by root as they were created during your emerge of wordpress, which you probably ran as root.

Also, if you can browse to wp-config.php and see the password, that probably means you don't have PHP running at all; otherwise wp-config.php would be interpreted, not printed to your browser. Now, I don't agree with Wordpress's directory structure, but it certainly isn't a security risk to have wp-config.php there unless you have a misconfigured PHP or PHP barfs and fails to interpret the file.

----------
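j4miel's point is that wp-config.php is protected only as long as php-cgi actually executes it; the moment lighttpd falls back to serving it as a static file, the credentials are one GET away. The script below is an added example, not code from this thread or from the WordPress or lighttpd projects. It gives a detector that reads an HTTP response body on stdin and reports whether WordPress credential defines came back as source, plus a lighttpd rule (mod_access must be listed in `server.modules`) that refuses requests for `/wordpress/wp-config.php` outright, so a future php-cgi failure cannot turn into a disclosure. The response bodies embedded in it are constructed, including the made-up password; the URL path is the thread's install location.

```shell
#!/bin/sh
# Added example, not code from the thread: detect whether wp-config.php is being
# served as source (which is what would expose the DB credentials) and print a
# lighttpd rule that refuses to serve it at all. The detector reads an HTTP
# response body on stdin, so it can be tried on the constructed bodies below
# or fed from curl with: --check URL

# Exit 0 if the body contains WordPress credential defines, i.e. PHP source
# reached the client instead of being executed. A working php-cgi never emits
# these lines, whatever else the page contains.
leaks_wp_secrets() {
    grep -Eq "define\([[:space:]]*'(DB_PASSWORD|DB_USER|DB_NAME|AUTH_KEY)'"
}

# Fetch a URL and classify it. Assumes curl is installed.
check_url() {
    body=$(curl -fsS "$1") || { echo "fetch failed: $1"; return 2; }
    if printf '%s\n' "$body" | leaks_wp_secrets; then
        echo "LEAK: $1 returns PHP source with credentials"
        return 1
    fi
    echo "ok: $1 does not expose wp-config.php contents"
    return 0
}

# lighttpd snippet that denies any request for wp-config.php. Requires
# "mod_access" in server.modules. The path is the thread's install location;
# adjust it and append the block to lighttpd.conf.
lighttpd_deny_rule() {
    cat <<'EOF'
$HTTP["url"] =~ "^/wordpress/wp-config\.php$" {
    url.access-deny = ( "" )
}
EOF
}

# Constructed bodies: what a mis-served wp-config.php looks like, and an
# ordinary rendered page. The password is made up for the example.
LEAKED_BODY="<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'example-only-not-real');
define('DB_HOST', 'localhost');"

CLEAN_BODY='<!DOCTYPE html>
<html><head><title>Blog</title></head><body>Hello</body></html>'

if [ "${1:-}" = "--check" ]; then
    check_url "${2:?usage: $0 --check http://host/wordpress/wp-config.php}"
else
    printf '%s\n' "$LEAKED_BODY" | leaks_wp_secrets && echo "sample leaked body: LEAK detected"
    printf '%s\n' "$CLEAN_BODY"  | leaks_wp_secrets || echo "sample clean body: no leak"
    echo "lighttpd rule to deny direct access:"
    lighttpd_deny_rule
fi
```

Run `sh check.sh --check http://localhost/wordpress/wp-config.php` against the live server; a correctly working setup reports `ok`. The deny rule is belt-and-braces on top of that: it does not depend on PHP being healthy. Independently of lighttpd, WordPress also looks for wp-config.php in the directory above its own install directory, so on a self-hosted box the file can be moved out of htdocs entirely and given mode 640 with the php-cgi user's group as its group owner.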

## Gentree

 *j4miel wrote:*   

>  Those files are only owned by root as  they were created during your emerge of wordpress which you probably ran as root.

 

Ah , that's probably what I was misinterpreting. I thought they were created by WP itself. I'll have to check.

It's perhaps more likely that they were created by the wordpress post-installation config which, in the absence of any instructions that this was not necessary and insecure, I did immediately after emerge using the instructions posted at the end of emerge, i.e. as ROOT.

If that should be done as a non root user, it would be a damn good idea to say so in the line giving the command to execute  :Wink: 

 *Quote:*   

> Also, if you can browse to wp-config.php and see the password - that probably means you don't have PHP running at all otherwise wp-config.php would be interpreted not printed to your browser. Now, I don't agree with Wordpress's directory structure but it certainly isn't a security risk to have wp-config.php there unless you have a misconfigured PHP or PHP barfs and fails to interpret the file.

 

Unless PHP barfs or some future bug or exploit trips it up ... unless ... Security policy is not based on putting unencrypted passwords in clear text in the publicly accessible part of a web server, protected by nothing cleverer than the fact the file name ends in ".php"    :Rolling Eyes: 

I think I must have opened the file directly with File|Open in Firefox, rather than as http://localhost ... You are correct, the php source should not be visible.

I'll look into that config issue a bit deeper. 

Thanks for your help.

 :Cool: 

----------

## j4miel

 *Quote:*   

> Security policy is not based on putting unencrypted passwords in clear text in the publicly accessible part of a web server, protected by nothing cleverer than the fact the file name ends in ".php"

 

I agree that there are certainly better places for it, but the reason Wordpress has done this is that they need to support millions of installations many of which are by people who only have shared hosting and can only upload all these files to their docroot because they don't have shell access.

If you mean why doesn't Gentoo move this for us because we use the most awesome secure distro on the planet, it is worth a conversation.

----------

