Background updates vs correct permissions
-
Soo how is this supposed to work AND be secure?
The recommended file permissions are essentially:
Directory 750
File 640Where the owner (with Read/Write+ permissions) is the FTP user and the group (with Read-only permissions) is the webserver user’s group. But for background updates to work, WP needs this giant list of files to be writeable by WordPress/webserver, so now we need:
Directory 770
File 660But I’m very hesitant to do this as it basically negates the entire security principle of the user/group permissions system, or am I just missing something? I am also wondering how it can properly update manually, either. It seems to, but now I’m thinking… have I been applying broken updates somehow too :s
Thanks in advance for any insight!
-
Woah. Thanks for reply! This is first I’m hearing of this concept (and I’ve read a lot of noob guides to apache/WP) so I’m very interested in it!
So you would have PHP-FPM or FastCGI etc running as FTP user and essentially no use for groups? Doesn’t this present the same security issue, though, being that the webserver has write access to all files?
It’s been suggested that if that were to cause problems, the site in question would already be too hacked for file permission systems to matter, but I’ve no idea really.So far I have been under the impression that FTP user is meant to be unique and only used for FTP/master access, while PHP and Apache would run as the webserver user with restricted access to many files and folders, to limit the damage a compromise could cause.
Actually, I was locking everything for a while as read-only and then simply “chown -R” to the webuser whenever updates were needed… for maximum security. Still seems like the best way, if a nuisance?Any further thoughts would be very appreciated, but if not thanks again anyway!!
The topic ‘Background updates vs correct permissions’ is closed to new replies.