Files permissions altered on Linux (nginx) hosting service
 

I have 3 websites hosted on a Linux server running nginx (not Apache). Up until recently I was in control of the files permissions therein; I would set the files permissions via ftp and that was that.

I kept most of my files permissions as normal 644, but set certain binaries in cgi-bin to 750, php scripts and their backups to 640, and a few user-updatable files to 666 (although 644 would probably have been ok). A couple weeks ago, I noticed all files had been reset to 755 without asking my permission or even informing me. I submitted a support ticket, and spent 2 or 3 hours working with their tech support and using ftp to set the permissions back to what I wanted. That was fine for awhile, but now I see they've all been set to 755 again, apparently by some automatic cron process(??). Tech support will not answer me why this is happening.

My question is two-fold:

1. Any ideas why they might be doing this?
2. Might this present a security problem or difficulty for my visitors? Functionality seems to be ok, although I have not exhaustively tested all pages.

Run "ls -lc --full-time" on one of the files to see exactly when the change occurred. Then, see if that correlates with something in the cron log.

I only have ftp access. The ftp command "ls -lc --full-time" routes the response to a local file named "--full-time". I can see the timestamps OK, that's not the problem. But on this server, changing a file's permissions does not affect the file's timestamp, including when I myself change the permissions via ftp with chmod. All timestamps correspond to the last time the file's actual contents were changed.

My real question is WHY are they doing this, and - does it matter? (And, if it does matter, what do I need to say to my hosting service to get them to stop doing this in the future?)

My hosting service tech support finally responded thus
without specifying exactly why they would set file permissions to 755 (to the entire site!) when automatically upgrading wordpress.

Tech support has also assured me that
Does anyone here at LQ disagree with either of these two statements from my hosting service tech support? Any words of warning or caution for me?

and was Wordpress upgraded at that time?
There were 2 US-CERT Notices for it recently
4.2.1
4.2.2
so it sound plausible that the Providers statement "when a major security issue arises auto upgrade your wordpress install to the secure version" is exactly what happened, twice.

And since they reset perms during those situations, you got your files 'reset' to 755.

Yes, it seems reasonable to assume that that is exactly what happened. And do you agree with their contention that universal 755 permissions does not entail any security or functionality problem?

A couple years ago, these same tech support people were setting all my php scripts to 640 and advised me to do the same for any new php scripts, saying that the 'other' permission setting should be zero to protect against site mining or some such risk; i don't remember their exact words.

755 for Directories.
644 for Files.
These 2 settings are the recommended settings for forward-facing websites.
Reference:
http://codex.wordpress.org/Hardening_WordPress, specifically
http://codex.wordpress.org/Hardening...le_Permissions

Based upon what I've learned, and since my wordpress blog is almost entirely untrafficked by real humans, I think I'll do the following:

1. Get rid of wordpress.
2. Write a script to walk through the entire site and set permissions as they really should be.
3. Write a cron job or manually run a script periodically to check these settings and alert me if there is another automatic reset.

Will mark this thread as Solved.

If you're interested in hosting a Wordpress site entirely for your own benefit or usage, you should consider Docker containers.
My Third Docker Deploynment outlines the 4 Docker commands needed to start a Wordpress with MySQL environment with persistence.
Do you have a 64 Bit architecture installed? If you do, consider docker.

Am a bit confused. I originally thought that by installing a wordpress blog and customizing certain scripts for my own purpose, that i was in fact acting as an independent developer, as opposed to, say, using a blogspot blog. I thought that i was in full control over when and if ever to upgrade the wordpress software, as well as in full control over customizing it.

The fact that my hosting service, without my authorization or without even notifying me, has automatically upgraded my wordpress at least twice - that has me wondering what advantage there was in having wordpress in the first place. And the further worry that wordpress installations have apparently become spam magnets. Add to that the almost non-exeistent traffic being generated, and I'm more inclined to just dump it. Perhaps save my posts and comments as static non-wordpress pages, as read-only archives of a once functional blog.

But tell me, is Docker some kind of alternative that would allow me to avoid the spam magnetism and the automatic upgrades, and restore to me full development control over my own website?

To answer your question: Im quite sure my hosting service runs 64-bit, but my own home computer is an older 32 bit machine.