Automatic upgrading actions

I have installed WordPress on our own servers. I unpacked the zip into a temporary folder and then moved to its live location. I did not run anything while the code was located in the temp folder

Everything is working, but I have two questions.

Firstly, with no one apparently signed on and no cron job WordPress updated itself to 4.1.1 – how does this happen? I’m not comfortable with the idea of tasks running with no obvious cause.

Secondly, by examining some i-node logs I can see that the process used some files in the temporary folder – which it would have had to recreate and Apache has no permissions to do that. What is remembering this location and how does it have permission?