Added xtra chown to ensure correct perms on every container start #57

Merged
moritz merged 2 commits from kawaiipunk/wordpress:main into main 2026-05-26 17:10:06 +00:00
Owner

Fixes #56

The Bug

The chown www-data:www-data is applied only to the .htaccess file, and only inside the if block (i.e., only on first run when .htaccess doesn't exist yet). The uploads/ directory itself — created by mkdir -p — is never chowned. It stays root:root.

Additionally, on subsequent deploys where .htaccess already exists, the entire if block is skipped, so no chown happens at all.

The Fix

Add a chown on the uploads/ directory outside the if block, so it runs on every startup:

UPLOADS_HTACCESS=/var/www/html/wp-content/uploads/.htaccess
if [ ! -f "$UPLOADS_HTACCESS" ]; then
  mkdir -p /var/www/html/wp-content/uploads
  cat > "$UPLOADS_HTACCESS" <<'EOF'
# Prevent PHP execution in uploads directory
<FilesMatch "\.(?i:php|phtml|phar)$">
Require all denied
</FilesMatch>
EOF
  chown www-data:www-data "$UPLOADS_HTACCESS"
fi

chown -R www-data:www-data /var/www/html/wp-content/uploads/

The added line chown -R www-data:www-data /var/www/html/wp-content/uploads/ ensures that:

  1. The uploads/ directory itself is owned by www-data (not just the .htaccess inside it)
  2. It runs on every container start, not just the first time
  3. The -R flag covers any files/subdirectories that may have been created as root (e.g., by backup restores or other processes)

This is safe to run repeatedly — chown on already-correct ownership is a no-op, and the uploads/ directory is typically small enough that the recursive operation is negligible.
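
A check that could run after the entrypoint step described above, as an added example that is not part of this PR or of the recipe's own code. The function names are hypothetical, and `repair_owner` changes only mismatched entries rather than using the blanket `chown -R` the PR adds.

```shell
#!/bin/sh
# Added example: audit and repair ownership of the uploads directory.
# All function names are hypothetical. Arguments: $1 = directory,
# $2 = expected owner (user name or numeric uid).

# Print every entry under $1 (including $1 itself) not owned by $2.
list_wrong_owner() {
  find "$1" ! -user "$2" -print
}

# Count mismatched entries (file names containing newlines would overcount).
count_wrong_owner() {
  list_wrong_owner "$1" "$2" | wc -l | tr -d ' '
}

# Chown only the mismatched entries. -h changes a symlink itself, never
# the file it points to. With nothing to fix, chown is not invoked at all.
repair_owner() {
  find "$1" ! -user "$2" -exec chown -h "$2" {} +
}

# Succeed only if the PHP-deny rule written by the entrypoint is present.
htaccess_present() {
  [ -f "$1/.htaccess" ] && grep -q 'Require all denied' "$1/.htaccess"
}

# Combined check: returns 0 when ownership and the deny rule are both in place.
check_uploads() {
  dir=$1 owner=$2 status=0
  n=$(count_wrong_owner "$dir" "$owner")
  if [ "$n" -ne 0 ]; then
    echo "uploads: $n entries not owned by $owner" >&2
    status=1
  fi
  if ! htaccess_present "$dir"; then
    echo "uploads: PHP deny rule missing from $dir/.htaccess" >&2
    status=1
  fi
  return $status
}

# Entrypoint usage (paths and user as in the PR description):
#   repair_owner  /var/www/html/wp-content/uploads www-data
#   check_uploads /var/www/html/wp-content/uploads www-data
```
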

kawaiipunk added 1 commit 2026-05-26 13:12:27 +00:00
Added xtra chown to ensure correct perms on every container start
Some checks failed
continuous-integration/drone/pr Build is failing
73a2e98d2e
moritz approved these changes 2026-05-26 14:35:45 +00:00
moritz left a comment
Owner

Sorry for introducing this bug and thank you for fixing it.
@ -55,6 +55,8 @@ EOF
chown www-data:www-data "$UPLOADS_HTACCESS"
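Review bot: on the context line chown www-data:www-data "$UPLOADS_HTACCESS", ownership of the file that denies PHP execution in uploads/ goes to www-data, so any process running as www-data can rewrite or delete that rule. Leaving the file root-owned would not be enough by itself, because the PR description also makes the uploads/ directory owned by www-data and a directory owner can replace files inside it. Consider placing the FilesMatch rule in the Apache server configuration for that directory, where the uploads owner cannot change it.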
Owner

Maybe this line can be deleted, because it's redundant with chown -R on /var/www/html/wp-content/uploads/
Author
Owner

You're right! Just done that.
kawaiipunk marked this conversation as resolved
kawaiipunk added 1 commit 2026-05-26 16:06:12 +00:00
Removed redundant chown
Some checks failed
continuous-integration/drone/pr Build is failing
66e0687456
kawaiipunk requested review from moritz 2026-05-26 16:11:45 +00:00
moritz merged commit 7e170adbb4 into main 2026-05-26 17:10:06 +00:00