WordPress Fortification Issue

linverts · August 25, 2024, 6:06pm

I have toggled all plugins off and the warning goes away. It happens when I enable Spectra and/or Astra’s Starter Templates plugin.

Fortification is set to MIN, setting to MAX the site won’t load.

wp-admin/includes/class-wp-filesystem-direct.php:173
chmod()
wp-admin/includes/class-wp-filesystem-direct.php:173
WP_Filesystem_Direct->chmod()
wp-admin/includes/class-wp-filesystem-direct.php:86
WP_Filesystem_Direct->put_contents()
wp-content/plugins/astra-sites/inc/lib/gutenberg-templates/inc/classes/ast-block-templates-notices.php:32
Gutenberg_Templates\I\C\Ast_Block_Templates_Notices->has_file_read_write()
wp-content/plugins/astra-sites/inc/lib/gutenberg-templates/ast-block-plugin-loader.php:106
Gutenberg_Templates\Ast_Block_Plugin_Loader->load_classes()
wp-includes/class-wp-hook.php:324
do_action('wp_loaded')
wp-settings.php:722

Releasing Fortification fixes it but I would like to tune it so I can keep Fortification on MIN or preferable MAX.

MIN should give it write access to wp-content/plugins so I am confused as to why it keeps generating a warning.

Any tips of what to do?

msaladna · August 25, 2024, 8:15pm

This occurs whenever a chmod() operation is performed on a file not owned by the user. In Fortification mode, PHP runs as user “apache”. Removing the file would allow WordPress to create it with proper ownership (user: apache). What’s likely happening is the file is truncated in place, then contents written, which retains the same owner (account owner).

In this situation, I’d delete these files it’s writing to - cache most likely - to let your WordPress theme regenerate with apache ownership so chmod succeeds.

linverts · August 26, 2024, 6:42pm

I am not finding any cache files other than some css and js assets. I tried rebuilding with no success. I tried removing acl permissions using “setfacl -b -R /home/virtual/site1/fst/var/www/html” and then re-enabled Fortification. Any other thoughts of diag output you need to help me figure this out? I also tried on a different site and it seems that using Spectra and/or Astra Starter Template’s plugin causes this.

linverts · August 26, 2024, 6:49pm

I also tried creating a manifest with base of wordpress and placing the wp-content/plugins folder as a test. When activating the fortification for “WPCUSTOM” as I called it the page breaks completely. It’s like it’s not pulling the base wordpress permissions unless I need to manually add the MIN or MAX folders. Where can I find the template for wordpress fortification?

linverts · August 26, 2024, 6:58pm

According to https://wpspectra.com/docs/update-spectra-file-permissions/ I don’t see that it writes anywhere else. I checked the permissions as below and all looks good to me?

/home/linverts/mainwebsite_html/wp-content/uploads/ast-block-templates-json
[linverts@lin1 ast-block-templates-json]$ ls -la
total 13652
drwxrwxr-x+  2 linverts linverts    4096 Aug 23 10:05 .
drwxrwxr-x+ 12 linverts linverts     179 Jun 28 11:31 ..
-rw-rwxr--+  1 linverts linverts       1 Aug 23 17:58 ast-block-templates-block-requests.json
-rw-rwxr--+  1 linverts linverts 1295598 Aug 23 17:58 ast-block-templates-blocks-1.json
-rw-rwxr--+  1 linverts linverts 4339179 Aug 23 17:58 ast-block-templates-blocks-2.json
-rw-rwxr--+  1 linverts linverts 2010957 Aug 23 17:58 ast-block-templates-blocks-3.json
-rw-rwxr--+  1 linverts linverts 1105190 Aug 23 17:58 ast-block-templates-blocks-4.json
-rw-rwxr--+  1 linverts linverts  717445 Aug 23 17:58 ast-block-templates-blocks-5.json
-rw-rwxr--+  1 linverts linverts 1885764 Aug 23 17:58 ast-block-templates-blocks-6.json
-rw-rwxr--+  1 linverts linverts  882943 Aug 23 17:58 ast-block-templates-blocks-7.json
-rw-rwxr--+  1 linverts linverts    2086 Aug 23 17:58 ast-block-templates-categories.json
-rw-rwxr--+  1 linverts linverts   30834 Aug 23 17:58 ast-block-templates-customizer-css.json
-rw-rwxr--+  1 linverts linverts      14 Aug 23 17:58 ast-block-templates-last-export-checksums.json
-rw-rwxr--+  1 linverts linverts       2 Aug 23 17:58 ast-block-templates-site-requests.json
-rw-rwxr--+  1 linverts linverts   55959 Aug 23 17:58 ast-block-templates-sites-10.json
-rw-rwxr--+  1 linverts linverts       2 Aug 23 17:58 ast-block-templates-sites-11.json
-rw-rwxr--+  1 linverts linverts  157263 Aug 23 17:58 ast-block-templates-sites-1.json
-rw-rwxr--+  1 linverts linverts  140726 Aug 23 17:58 ast-block-templates-sites-2.json
-rw-rwxr--+  1 linverts linverts  151467 Aug 23 17:58 ast-block-templates-sites-3.json
-rw-rwxr--+  1 linverts linverts  146472 Aug 23 17:58 ast-block-templates-sites-4.json
-rw-rwxr--+  1 linverts linverts  148941 Aug 23 17:58 ast-block-templates-sites-5.json
-rw-rwxr--+  1 linverts linverts  151376 Aug 23 17:58 ast-block-templates-sites-6.json
-rw-rwxr--+  1 linverts linverts  144907 Aug 23 17:58 ast-block-templates-sites-7.json
-rw-rwxr--+  1 linverts linverts  140657 Aug 23 17:58 ast-block-templates-sites-8.json
-rw-rwxr--+  1 linverts linverts  154425 Aug 23 17:58 ast-block-templates-sites-9.json
-rw-rwxr--+  1 linverts linverts  256288 Aug 23 10:05 ast-block-templates-spectra-common-styles.json
-rw-rwxr--+  1 linverts linverts       0 Aug 26 14:53 index.html

The ACLs are as follows:

[linverts@lin1 ast-block-templates-json]$ pwd
/home/linverts/mainwebsite_html/wp-content/uploads/ast-block-templates-json
[linverts@lin1 ast-block-templates-json]$ getfacl *
# file: ast-block-templates-block-requests.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-blocks-1.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-blocks-2.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-blocks-3.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-blocks-4.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-blocks-5.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-blocks-6.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-blocks-7.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-categories.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-customizer-css.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-last-export-checksums.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-site-requests.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-sites-10.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-sites-11.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-sites-1.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-sites-2.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-sites-3.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-sites-4.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-sites-5.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-sites-6.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-sites-7.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-sites-8.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-sites-9.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: ast-block-templates-spectra-common-styles.json
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

# file: index.html
# owner: linverts
# group: linverts
user::rw-
user:apache:rwx
user:linverts:rwx
group::r--
mask::rwx
other::r--

msaladna · August 26, 2024, 11:23pm

Remove those files, then let PHP generate them. This will allow chmod to succeed as the file owner will now be apache. This should clear it up?

linverts · August 30, 2024, 11:52pm

I finally gave up, it was something to do with Astra and Spectra. You can literally create a new WP install, install the plugin, enable and it breaks. Either way ditching those fixed it. I just didn’t have the time to keep working on it.