Files permissions altered on Linux (nginx) hosting service
I have 3 websites hosted on a Linux server running nginx (not Apache). Up until recently I was in control of the files permissions therein; I would set the files permissions via ftp and that was that.
I kept most of my files permissions as normal 644, but set certain binaries in cgi-bin to 750, php scripts and their backups to 640, and a few user-updatable files to 666 (although 644 would probably have been ok). A couple weeks ago, I noticed all files had been reset to 755 without asking my permission or even informing me. I submitted a support ticket, and spent 2 or 3 hours working with their tech support and using ftp to set the permissions back to what I wanted. That was fine for awhile, but now I see they've all been set to 755 again, apparently by some automatic cron process(??). Tech support will not answer me why this is happening. My question is two-fold: 1. Any ideas why they might be doing this? 2. Might this present a security problem or difficulty for my visitors? Functionality seems to be ok, although I have not exhaustively tested all pages. |
Run "ls -lc --full-time" on one of the files to see exactly when the change occurred. Then, see if that correlates with something in the cron log.
|
I only have ftp access. The ftp command "ls -lc --full-time" routes the response to a local file named "--full-time". I can see the timestamps OK, that's not the problem. But on this server, changing a file's permissions does not affect the file's timestamp, including when I myself change the permissions via ftp with chmod. All timestamps correspond to the last time the file's actual contents were changed.
My real question is WHY are they doing this, and - does it matter? (And, if it does matter, what do I need to say to my hosting service to get them to stop doing this in the future?) |
My hosting service tech support finally responded thus
Quote:
Tech support has also assured me that Quote:
|
Quote:
There were 2 US-CERT Notices for it recently 4.2.1 4.2.2 so it sound plausible that the Providers statement "when a major security issue arises auto upgrade your wordpress install to the secure version" is exactly what happened, twice. And since they reset perms during those situations, you got your files 'reset' to 755. |
Quote:
A couple years ago, these same tech support people were setting all my php scripts to 640 and advised me to do the same for any new php scripts, saying that the 'other' permission setting should be zero to protect against site mining or some such risk; i don't remember their exact words. |
Quote:
644 for Files. These 2 settings are the recommended settings for forward-facing websites. Reference: http://codex.wordpress.org/Hardening_WordPress, specifically http://codex.wordpress.org/Hardening...le_Permissions |
Based upon what I've learned, and since my wordpress blog is almost entirely untrafficked by real humans, I think I'll do the following:
1. Get rid of wordpress. 2. Write a script to walk through the entire site and set permissions as they really should be. 3. Write a cron job or manually run a script periodically to check these settings and alert me if there is another automatic reset. Will mark this thread as Solved. |
Quote:
My Third Docker Deploynment outlines the 4 Docker commands needed to start a Wordpress with MySQL environment with persistence. Do you have a 64 Bit architecture installed? If you do, consider docker. |
Quote:
The fact that my hosting service, without my authorization or without even notifying me, has automatically upgraded my wordpress at least twice - that has me wondering what advantage there was in having wordpress in the first place. And the further worry that wordpress installations have apparently become spam magnets. Add to that the almost non-exeistent traffic being generated, and I'm more inclined to just dump it. Perhaps save my posts and comments as static non-wordpress pages, as read-only archives of a once functional blog. But tell me, is Docker some kind of alternative that would allow me to avoid the spam magnetism and the automatic upgrades, and restore to me full development control over my own website? To answer your question: Im quite sure my hosting service runs 64-bit, but my own home computer is an older 32 bit machine. |
All times are GMT -5. The time now is 12:22 AM. |