Prevent ACL modification by PHP-FPM? (WordPress)

[et.fz]

Hi,

I have a server with shared web hosting. Each user's served files are owned by themselves, and each use has their own PHP-FPM pool. Apache has read permissions via ACL.

drwxr-x---+ 5 user1  user1  25 Mar 20 09:30 public/

# file: public
# owner: user1
# group: user1
         group:www:r-x-----------:-------:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow

WordPress will sometimes, such as when installing certain plugins, undo the ACL, rendering the site unreadable by Apache, and therefore non functional. Is there a way I can prevent this from happening, while retaining currently effective permissions?

 

[Kai Burghardt]

Assuming you are using ZFS, what is the value of the aclmode zfsprops(7)? NFSv4 ACLs can be inherited from their parent directory. Inheritance takes place when creating new files (e. g. plugin installation).​

setfacl -a 0 group:www:execute:dir_inherit:allow public # path traversal
setfacl -a 0 group:www:read_data:file_inherit:allow $_  # directory listing, file inspection

Ensure the aclinherit zfsprops(7) does not prevent inheritance. Choose the right parent directory: probably WordPress performs a rename(2) when wrapping up installation.​

 

[et.fz]

Sorry, I now realise that I provided wholly inadequate and partially misleading information.

So public is the document root and has permissions as previously mentioned, but everything inside simply has 755/644, no ACL. I don't remember why it was done this way, but that's beside the point for now. WordPress removes the ACL from the public directory. I rectify the problem using setfacl -m group:www:rx::allow public.

aclmode and aclinherit is discard and restricted, respectively.