Why do I sometimes not have permission to delete files on my own account?

Websavers Inc

We are asked this question quite regularly, and although we have a knowledge base article outlining how to fix the problem within Plesk, I felt it would be beneficial for many of you to know why it occurs.

Your website is served under the ‘apache’ user account for all web content, including HTML and PHP. Whenever you use a PHP application, whether custom built or an existing application like WordPress, that application also runs as the apache user. Because of this, files uploaded through your application will be owned by apache and no other users have the ability to edit them. On a shared server, this is good security practice since you don’t want other people hosted on the same server to be able to edit your files – including during potential attacks on your site.

When you upload content via FTP you use your personally selected username and password combination. The username you selected also becomes the owner of the files you upload. Similarly, when you attempt to delete files uploaded through an application like WordPress, since they are not owned by your account, you are unable to delete them. The apache user has control over the files.

Although you could get the root user to change the ownership or permissions of the files to allow your account access, this requires creating a support ticket every time you run into the problem. Rather than fixing the problem reactively, we suggest fixing it proactively; ensure that files uploaded through WordPress are already owned by your personal user account rather than apache.

How do you do this? FastCGI!


Within Plesk under Web Hosting Settings, there is an option to run PHP through FastCGI. By changing this setting from Apache Module to FastCGI, you are changing the user that PHP files are accessed with.

Since all of your PHP files will be executed by your own personal username, all files uploaded through your PHP application will also be owned by your user account. No more apache account in the mix and no more non-deletable files!

One additional benefit is that your files are no longer owned by the apache user. You might remember that it was beneficial, for security reasons, to have your files not writable by users other than apache, but that only applies when you are forced to upload them under that user account. Since the apache user would be the same for all files uploaded across all websites hosted on the same server, if that account were hacked, then the hacker would have access to all files created by it (if they knew where to look). Now that your files are being uploaded under your personal user account, no other website can affect the security of your own files (assuming permissions are also set appropriately – i.e. no ‘777’).
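To check both conditions described above on an existing site, the following shell functions list files still owned by someone other than your account (for example, files the apache user created before the switch, which keep their old owner) and anything left world-writable such as ‘777’. This is an added example, not a Websavers script; the function names and the directory and account passed on the command line are placeholders you supply.

```shell
#!/bin/sh
# Added example: audit a site directory for leftover foreign-owned files
# and world-writable permissions. All names here are illustrative.

# List every path under $1 that is NOT owned by user $2
# (e.g. uploads created while PHP still ran as apache).
foreign_owned() {
    find "$1" ! -user "$2" -print
}

# List files and directories under $1 that any user on the server can
# write to (the "other" write bit, as in 777 or 666). Symlinks are
# skipped because their own mode bits are not meaningful.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Print a short report; return 0 when clean, 1 when anything was found.
audit_site() {
    dir=$1
    owner=$2
    foreign=$(foreign_owned "$dir" "$owner")
    writable=$(world_writable "$dir")
    status=0
    if [ -n "$foreign" ]; then
        echo "Not owned by $owner (root must chown these for you):"
        echo "$foreign"
        status=1
    fi
    if [ -n "$writable" ]; then
        echo "World-writable (tighten to 644 for files, 755 for directories):"
        echo "$writable"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: all files owned by $owner, none world-writable"
    return "$status"
}

# Usage: sh audit.sh /path/to/site-docroot your-ftp-username
if [ "$#" -eq 2 ]; then
    audit_site "$1" "$2"
fi
```
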

If you have any questions about this process or believe some of the information provided here could be clearer, please contact us with your suggestions – we would love to hear from you!


Jordan Schelew

Jordan has been working with computers, security, and network systems since the 90s and is a managing partner at Websavers Inc. As a founder of the company, he's been in the web tech space for over 15 years.