05-08-2015, 12:15 PM
|
#1
|
Member
Registered: Nov 2005
Location: Central America
Distribution: Mepis, Android
Posts: 490
|
Files permissions altered on Linux (nginx) hosting service
I have 3 websites hosted on a Linux server running nginx (not Apache). Up until recently I was in control of the files permissions therein; I would set the files permissions via ftp and that was that.
I kept most of my files permissions as normal 644, but set certain binaries in cgi-bin to 750, php scripts and their backups to 640, and a few user-updatable files to 666 (although 644 would probably have been ok). A couple weeks ago, I noticed all files had been reset to 755 without asking my permission or even informing me. I submitted a support ticket, and spent 2 or 3 hours working with their tech support and using ftp to set the permissions back to what I wanted. That was fine for awhile, but now I see they've all been set to 755 again, apparently by some automatic cron process(??). Tech support will not answer me why this is happening.
My question is two-fold:
1. Any ideas why they might be doing this?
2. Might this present a security problem or difficulty for my visitors? Functionality seems to be ok, although I have not exhaustively tested all pages.
|
|
|
05-08-2015, 12:24 PM
|
#2
|
Senior Member
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,797
|
Run "ls -lc --full-time" on one of the files to see exactly when the change occurred. Then, see if that correlates with something in the cron log.
|
|
|
05-08-2015, 12:43 PM
|
#3
|
Member
Registered: Nov 2005
Location: Central America
Distribution: Mepis, Android
Posts: 490
Original Poster
|
I only have ftp access. The ftp command "ls -lc --full-time" routes the response to a local file named "--full-time". I can see the timestamps OK, that's not the problem. But on this server, changing a file's permissions does not affect the file's timestamp, including when I myself change the permissions via ftp with chmod. All timestamps correspond to the last time the file's actual contents were changed.
My real question is WHY are they doing this, and - does it matter? (And, if it does matter, what do I need to say to my hosting service to get them to stop doing this in the future?)
|
|
|
05-11-2015, 12:17 PM
|
#4
|
Member
Registered: Nov 2005
Location: Central America
Distribution: Mepis, Android
Posts: 490
Original Poster
|
My hosting service tech support finally responded thus:
Quote:
are you running wordpress on this account ?
If so we will when a major security issue arises auto upgrade your wordpress install to the secure version, in this process we will also reset the permissions on the account to the said 755 values.
|
without specifying exactly why they would set file permissions to 755 (to the entire site!) when automatically upgrading wordpress.
Tech support has also assured me that
Quote:
Also please note that 755 is *not* insecure, we run our shared hosting using cloudlinux and cagefs, this restricts on the file system all clients to only being able to see their own home folder, which means that only you can see your files on the server (eg chmod 777 would still only allow your user full access to the said file / folder )
|
Does anyone here at LQ disagree with either of these two statements from my hosting service tech support? Any words of warning or caution for me?
|
|
|
05-11-2015, 01:26 PM
|
#5
|
LQ Veteran
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
|
Quote:
Originally Posted by dogpatch
A couple weeks ago, I noticed all files had been reset to 755 without asking my permission or even informing me.
|
and was Wordpress upgraded at that time?
There were 2 US-CERT Notices for it recently
4.2.1
4.2.2
so it sounds plausible that the provider's statement "when a major security issue arises auto upgrade your wordpress install to the secure version" is exactly what happened, twice.
And since they reset perms during those situations, you got your files 'reset' to 755.
|
|
1 members found this post helpful.
|
05-11-2015, 03:40 PM
|
#6
|
Member
Registered: Nov 2005
Location: Central America
Distribution: Mepis, Android
Posts: 490
Original Poster
|
Quote:
Originally Posted by Habitual
and was Wordpress upgraded at that time?
There were 2 US-CERT Notices for it recently
4.2.1
4.2.2
so it sounds plausible that the provider's statement "when a major security issue arises auto upgrade your wordpress install to the secure version" is exactly what happened, twice.
And since they reset perms during those situations, you got your files 'reset' to 755.
|
Yes, it seems reasonable to assume that that is exactly what happened. And do you agree with their contention that universal 755 permissions do not entail any security or functionality problem?
A couple years ago, these same tech support people were setting all my php scripts to 640 and advised me to do the same for any new php scripts, saying that the 'other' permission setting should be zero to protect against site mining or some such risk; I don't remember their exact words.
|
|
|
05-11-2015, 03:59 PM
|
#7
|
LQ Veteran
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
|
Quote:
Originally Posted by dogpatch
Yes, it seems reasonable to assume that that is exactly what happened. And do you agree with their contention that universal 755 permissions do not entail any security or functionality problem?
A couple years ago, these same tech support people were setting all my php scripts to 640 and advised me to do the same for any new php scripts, saying that the 'other' permission setting should be zero to protect against site mining or some such risk; I don't remember their exact words.
|
755 for Directories.
644 for Files.
These 2 settings are the recommended settings for forward-facing websites.
Reference:
http://codex.wordpress.org/Hardening_WordPress, specifically
http://codex.wordpress.org/Hardening...le_Permissions
|
|
|
05-11-2015, 04:49 PM
|
#8
|
Member
Registered: Nov 2005
Location: Central America
Distribution: Mepis, Android
Posts: 490
Original Poster
|
Based upon what I've learned, and since my wordpress blog is almost entirely untrafficked by real humans, I think I'll do the following:
1. Get rid of wordpress.
2. Write a script to walk through the entire site and set permissions as they really should be.
3. Write a cron job or manually run a script periodically to check these settings and alert me if there is another automatic reset.
Will mark this thread as Solved.
|
|
|
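An added example, not part of dogpatch's post or of any reply: one way to do the periodic check from step 3 of post #8 with FTP-only access, by comparing the modes in a Unix-style `LIST` listing against a policy. The policy values come from posts #1 and #7; the function names, glob patterns and sample listing are assumptions made for this example.

```python
import fnmatch

# Expected modes, first match wins. Values are from posts #1 and #7; the glob
# patterns and their order are assumptions of this example.
POLICY = [
    ("dir", "*", 0o755),
    ("file", "cgi-bin/*", 0o750),
    ("file", "*.php", 0o640),
    ("file", "*", 0o644),
]

def mode_from_symbolic(perm):
    """Turn 'rwxr-xr-x' into 0o755 (setuid/setgid/sticky bits are ignored)."""
    mode = 0
    for i, ch in enumerate(perm[:9]):
        if ch not in "-ST":  # S/T mean a special bit is set without execute
            mode |= 1 << (8 - i)
    return mode

def parse_list_line(line, parent=""):
    """Parse one Unix-style FTP LIST line into (kind, path, mode)."""
    fields = line.split(None, 8)
    if len(fields) < 9 or fields[0][0] not in "-d":
        return None  # symlinks, 'total' lines and non-Unix formats are skipped
    kind = "dir" if fields[0][0] == "d" else "file"
    return kind, parent + fields[8], mode_from_symbolic(fields[0][1:10])

def expected_mode(kind, path):
    for rule_kind, pattern, mode in POLICY:
        if rule_kind == kind and fnmatch.fnmatchcase(path, pattern):
            return mode

def audit(lines, parent=""):
    """Return (deviations, blanket_reset) for one directory listing."""
    entries = [e for e in (parse_list_line(l, parent) for l in lines) if e]
    deviations = [(path, oct(mode), oct(expected_mode(kind, path)))
                  for kind, path, mode in entries
                  if mode != expected_mode(kind, path)]
    file_modes = [mode for kind, _, mode in entries if kind == "file"]
    # Every file at 755 at once is the signature of the reset described above.
    blanket_reset = len(file_modes) > 1 and all(m == 0o755 for m in file_modes)
    return deviations, blanket_reset

# Constructed sample listing (not real server output): state after a reset.
SAMPLE_AFTER_RESET = [
    "drwxr-xr-x 2 site site 4096 May 08 12:00 cgi-bin",
    "-rwxr-xr-x 1 site site  812 May 08 12:00 index.html",
    "-rwxr-xr-x 1 site site 2048 May 08 12:00 contact.php",
]
```

Against a live server the lines would come from `ftplib.FTP.retrlines("LIST", lines.append)`, one directory at a time. A cron job can then send an alert whenever `deviations` is non-empty or `blanket_reset` is true.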
05-11-2015, 06:11 PM
|
#9
|
LQ Veteran
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
|
Quote:
Originally Posted by dogpatch
Based upon what I've learned, and since my wordpress blog is almost entirely untrafficked by real humans, I think I'll do the following:
1. Get rid of wordpress.
2. Write a script to walk through the entire site and set permissions as they really should be.
3. Write a cron job or manually run a script periodically to check these settings and alert me if there is another automatic reset.
Will mark this thread as Solved.
|
If you're interested in hosting a Wordpress site entirely for your own benefit or usage, you should consider Docker containers.
My Third Docker Deployment outlines the 4 Docker commands needed to start a Wordpress with MySQL environment with persistence.
Do you have a 64 Bit architecture installed? If you do, consider docker.
|
|
|
05-12-2015, 07:41 PM
|
#10
|
Member
Registered: Nov 2005
Location: Central America
Distribution: Mepis, Android
Posts: 490
Original Poster
|
Quote:
Originally Posted by Habitual
If you're interested in hosting a Wordpress site entirely for your own benefit or usage, you should consider Docker containers.
My Third Docker Deployment outlines the 4 Docker commands needed to start a Wordpress with MySQL environment with persistence.
Do you have a 64 Bit architecture installed? If you do, consider docker.
|
Am a bit confused. I originally thought that by installing a wordpress blog and customizing certain scripts for my own purpose, that I was in fact acting as an independent developer, as opposed to, say, using a blogspot blog. I thought that I was in full control over when and if ever to upgrade the wordpress software, as well as in full control over customizing it.
The fact that my hosting service, without my authorization or without even notifying me, has automatically upgraded my wordpress at least twice - that has me wondering what advantage there was in having wordpress in the first place. And the further worry that wordpress installations have apparently become spam magnets. Add to that the almost non-existent traffic being generated, and I'm more inclined to just dump it. Perhaps save my posts and comments as static non-wordpress pages, as read-only archives of a once functional blog.
But tell me, is Docker some kind of alternative that would allow me to avoid the spam magnetism and the automatic upgrades, and restore to me full development control over my own website?
To answer your question: I'm quite sure my hosting service runs 64-bit, but my own home computer is an older 32 bit machine.
Last edited by dogpatch; 05-12-2015 at 07:44 PM.
Reason: add answer
|
|
|
All times are GMT -5.