I read a book about security in web servers and I found this:
If your web server has the ability to write to the files in your
WordPress directories, then the automatic upgrade functionality works.
If not, WordPress prompts for your FTP credentials to update the files
for you. Both of these situations concern us. In general, your web
user should not have write permissions to your entire web root. This
is just asking for trouble, especially on a shared hosting platform;
realizing, of course, that certain directories such as the uploads
folder must be writable by the web user in order to function.
Professional WordPress by Hal Stern
What I want to ask is who is the web user of my server? I'm using Nginx and PHP5-FPM. The web root folder of my server is owned by raymond:raymond. Nginx is running as nginx:nginx, and PHP5-FPM's listen.owner is set to raymond and listen.group is also set to raymond.
The web root directory permissions are drwxr-xr-x, and my public_html is set the same way.
So how can I know if I'm in trouble with this setup?
BTW, I'm using Linode for my host! I'm not in a shared hosting environment. Thanks!
Answer
You've answered your own question.
The "web user" refers to the identity of the user running nginx - in this case, uid=nginx, gid=nginx.
As long as this user does not own or have write access to files that should not be modifiable (such as the above-mentioned WordPress config), you're fine.
EDIT: Unless PHP5-FPM is started as a separate process which runs as root, it cannot exercise more permissions than those present on the web server.
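To turn "does this user have write access to anything it shouldn't" into a check you can actually run, here is an added example (not part of the question or the answer above) that walks a web root and reports every entry a given account could write, judged from owner, group and mode bits so you do not have to switch to that account. Run it once for the nginx account and once for the account the PHP-FPM pool's `user`/`group` directives give its workers (`listen.owner`/`listen.group` only govern the socket file); the function names `writable_by` and `audit_writable` are mine, and it assumes GNU `stat` on Linux.

```shell
#!/bin/sh
# Added example (not from the original post). Lists every file under a
# web root that a given system account could modify, judged from owner,
# group and mode bits instead of switching to that account. Assumes GNU
# stat (Linux) and that the account exists locally.

# writable_by MODE OWNER_UID OWNER_GID UID "GID GID ..."
# Returns 0 when the account (UID plus its group list) can write a file
# with the given octal MODE (as printed by `stat -c %a`) and ownership.
writable_by() {
    mode=$1; f_uid=$2; f_gid=$3; t_uid=$4; t_gids=$5
    # root bypasses mode bits entirely
    [ "$t_uid" -eq 0 ] && return 0
    # keep the last three digits; %a prefixes setuid/setgid/sticky when set
    perm=${mode#"${mode%???}"}
    o=$(printf '%s' "$perm" | cut -c1)
    g=$(printf '%s' "$perm" | cut -c2)
    w=$(printf '%s' "$perm" | cut -c3)
    # owner bits alone decide for the owner, even if group bits are wider
    if [ "$t_uid" -eq "$f_uid" ]; then
        [ $((o & 2)) -ne 0 ]; return
    fi
    for gid in $t_gids; do
        if [ "$gid" -eq "$f_gid" ]; then
            [ $((g & 2)) -ne 0 ]; return
        fi
    done
    [ $((w & 2)) -ne 0 ]
}

# audit_writable USER DIR: prints "mode owner-uid path" for each entry
# under DIR that USER could write (directories included: a writable
# directory lets the account add or replace files inside it).
audit_writable() {
    user=$1; dir=$2
    t_uid=$(id -u "$user") || return 1
    t_gids=$(id -G "$user")
    find "$dir" -exec stat -c '%a %u %g %n' {} + |
    while read -r mode f_uid f_gid path; do
        if writable_by "$mode" "$f_uid" "$f_gid" "$t_uid" "$t_gids"; then
            printf '%s %s %s\n' "$mode" "$f_uid" "$path"
        fi
    done
}

# Usage: ./audit.sh nginx /var/www   (expect only uploads/ and cache dirs)
if [ "$#" -eq 2 ]; then audit_writable "$1" "$2"; fi
```

Run it as root (or any account that can stat the whole tree); for the setup in the question, anything beyond the uploads directory and similar cache paths appearing for the nginx account is exactly the situation the book warns about.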