Automating svn updates from a server-side cron job

I am running WordPress on Ubuntu with Apache and MySQL. I would like to automatically install minor and security updates to WordPress.

However, as I understand it, the standard auto-update mechanism (see also How exactly do automatic updates work?) is ultimately fired off by a web request, meaning that the update process runs as the apache user (for me it's www-data). So the www-data user has to have permissions to write to WordPress's php files. This makes me uncomfortable - it could let an attacker escalate a "create files" vulnerability to "execute arbitrary code". I would rather keep the WordPress php files and directory owned by someone other than www-data, and leave them read-only to www-data. Thus I would rather not use the standard mechanism.

The only alternative I know of is to run svn sw as documented here. But this requires running a command including the desired new version. So I can't put it in a cron job, since I don't know how the cron job would figure out what the new version number is, without manual intervention. I could create some sort of hack which tries to scrape the latest version number from wordpress.org, but that seems very fragile. Is there a better way, or an existing script I could just use?

Also, the last step in an svn update is to visit wp-admin/config.php with a web browser, logging in as needed. Is there a straightforward way to perform that automatically from a cron job on the server, ideally without hardcoding my admin password into a script?



I would rather keep the WordPress php files and directory owned by someone other than www-data, and leave them read-only to www-data

Well, why not? Just do it, but afterwards subscribe by hand to any (of at least two) channels of "Release Notification" (low activity, easily monitored even by eye): the mailing list or the RSS feed on the official site for the category "Releases". With these notifications you can:

  • log in to the host with the site
  • restore permissions|ownership
  • perform the "classic" WP update
  • roll ownership|permissions back to the "strict RO" state
  • be happy until the next release is released

On the other hand, you can build some automation around the ML messages|feeds and, having an SVN-controlled WP blog, run Subversion's update not from cron (wasted time and resources in 99% of runs), but on demand (a how-to on this topic is off-topic here; ask on SuperUser|WebMaster|StackOverflow).

Once you have converted your current blog to an SVN-managed one and a "New Release" event occurs, the launched SVN updater (it has to be written around my dirty idea) can detect the latest release rather easily (and switch the blog's WC to it): in the "Installing/Updating WordPress with Subversion" article you mentioned, it's just

cd blog
svn sw https://core.svn.wordpress.org/tags/4.7.3/ .

where 4.7.3 is the right version; you just have to get the changing "Right" version semi-automatically. Well, let's look at the URL in the command and at the output of one more SVN command (run against the live WP core repo)

>svn ls https://core.svn.wordpress.org/tags/
1.5/
...
4.7.3/

The last line is always the number of the latest WP release (OK, the release with the greatest number, technically speaking). On a good OS with a good shell, "the last line of svn ls output" is just svn ls <URL>|tail -1, and you have the target to which you have to switch.

Final note:

Also, the last step in an svn update is to visit wp-admin/config.php with a web browser

No. According to the same Codex page noted above:

Run the usual wp-admin/upgrade.php and you're done

and this task can be (not tested!!!) executed without a client's browser by calling, e.g., curl with the URL from the server's console (a duty of the same SVN updater script).
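An added example, not part of the original answer: a sketch of the SVN updater's version selection that goes beyond `tail -1` by comparing versions numerically, staying on the branch the site already runs (the question asks for minor and security updates only), and ignoring any listing line that is not a plain numeric tag before it can reach the `svn sw` command line. The names `latest_patch`, `update_wp` and `SAMPLE_TAGS` are hypothetical, and the script is assumed to run from the crontab of the user who owns the WordPress files, not www-data.

```shell
#!/bin/sh
# Added example. Reads `svn ls <tags URL>` output on stdin;
# $1 is the version currently deployed (e.g. 4.7.1).
# Prints the highest release on the same major.minor branch, or nothing.
latest_patch() {
    branch=$(printf '%s\n' "$1" | cut -d. -f1,2)    # 4.7.1 -> 4.7
    tr -d '\r' |
    # Keep only tags of the form N.N/ or N.N.N/; drop everything else.
    sed -n 's|^\([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}\)/$|\1|p' |
    # Emit "major minor patch tag" for tags on our branch (missing patch = 0).
    awk -F. -v b="$branch" \
        '($1 "." $2) == (b "") { print $1, $2, ($3 == "" ? 0 : $3), $0 }' |
    sort -k1,1n -k2,2n -k3,3n |                     # numeric, so 4.7.10 > 4.7.9
    tail -n 1 | cut -d' ' -f4
}

# Hypothetical wrapper: $1 = working copy path, $2 = deployed version.
# Not called here because it needs network access and a real working copy.
update_wp() {
    tags=https://core.svn.wordpress.org/tags
    target=$(svn ls "$tags/" | latest_patch "$2") || return 1
    [ -n "$target" ] || return 1                    # nothing usable: do not switch
    [ "$target" = "$2" ] && return 0                # already up to date
    (cd "$1" && svn sw "$tags/$target/" .)
}

# Constructed sample listing (not real repository output), including one
# malformed line that must never be selected.
SAMPLE_TAGS='1.5/
4.7/
4.7.10/
4.7.3/
4.7.9/
4.8/
4.8.1/
evil; rm -rf x/
5.0/'

printf '%s\n' "$SAMPLE_TAGS" | latest_patch 4.7.3
```

An empty result means no tag on that branch was found, and `update_wp` then leaves the working copy untouched.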
