File permissions

**sputnik** · 01-18-2007, 08:37 PM

Hi all,

my question might be a little stupid but here it goes.

I have 2 Wordpress blogs, one hosted here with Jag and one with another shared host.

On my first blog, NOT hosted by Jag, changing file permissions using my FTP client works : they are only writable when I set them to writable.

However, for the blog that is hosted here, I can't seem to make my files not-writable. My FTP client shows the permissions as if they were changed but in fact, permissions don't seem to change at all. I've tried changing the file permissions using the Cpanel file manager but still, nothing does it.

So I guess my question is : is it possible that there is some setting on my account that automatically sets all file permissions to writable? I don't know much about this, any help would be appreciated! Oh, and if somebody knows of a good way to check file security (perhaps an online vulnerability checking utility), please do share!

Thanks!

**Vin DSL** · 01-18-2007, 08:42 PM

I change permissions all the time, via shell, so I highly doubt there is anything automatic taking place. It's probably an issue with your FTP client, but I dunno, since I don't use FTP...

You might try WinSCP instead...

**Ron** · 01-18-2007, 09:14 PM

Perhaps the difference is that here your web server is running under your userid instead of another user named "nobody"?

**sputnik** · 01-18-2007, 09:17 PM

Thanks for replying.

Via shell? Forgive my ignorance, but how do you do that?

Thanks!

**Vin DSL** · 01-18-2007, 09:32 PM

Originally Posted by sputnik

Thanks for replying.

Via shell? Forgive my ignorance, but how do you do that?

Shell access, e.g. SSH.

It comes *free* with all accounts here, AFAIK...

**Bellthorpe** · 01-18-2007, 09:42 PM

SSH is indeed 'free', but you have to request support to enable access.

**JPC-Masood** · 01-19-2007, 08:08 AM

This is the reason for files being "writable":

Originally Posted by Ron

Perhaps the difference is that here your web server is running under your userid instead of another user named "nobody"?

Thanks Ron

**jason** · 01-19-2007, 09:24 AM

In most hosting environments a version of PHP known as mod_php is compiled into the Apache web server. This version is always running and should theoretically be faster (in reality this is debatable), but the downside is that all scripts are run as the same user that Apache runs under, so there are some security issues.

JPC recently changed to a PHP as CGI environment. The benefit here is that scripts run under your user, meaning that files they create are owned and writable by you. In this setup you don't have to worry about setting group or world permissions on your files and it is easier to ensure that no one else will be able to access your sensitive files.

--Jason

**Vin DSL** · 01-19-2007, 10:41 AM

Originally Posted by masood

This is the reason for files being "writable":

iiRONic, no?

He doesn't have permission to change permissions...

Is cPanel still a nobody', so to speak?

**sputnik** · 01-19-2007, 02:30 PM

It's great to see so many people willing to help out. Thanks guys.

However, I haven't yet solved my problem (perhaps I'll get acquainted with SSH soon...). I still can't restrict my files from being writable. I modify my files using my Wordpress dashboard built-in editor and fear others could do so as well online. Does anybody know of an easy way for me to see/test how easy it would be for somebody to hack my files?

I'm also not quite sure that I get that :

Originally Posted by Ron

Perhaps the difference is that here your web server is running under your userid instead of another user named "nobody"?

Would anyone care to elaborate?

Thanks for your help guys. Gotta go. Will be back later this evening.

**JPC-Masood** · 01-19-2007, 02:45 PM

Originally Posted by sputnik

I still can't restrict my files from being writable.

No one can. They will remain writable in one way or another. If you can stop php from touching the file, ssh is still available. In your old hosting account, they are writable by anyone on your server (a security nightmare). Here they are writable only by you.

If all you want is to stop wordpress from complaining that they are writable, you can ssh in your account and issue this command

chmod 440 filename.php

or

chmod 444 filename.html

where filename is the file you want to make read only. This can be done via ssh only. To make them editable again, you will need to do

chmod 644 filename

Please check this section of FAQ on ssh:

http://www.jaguarpc.com/support/kbas...ion=list&cat=8

Originally Posted by sputnik

Does anybody know of an easy way for me to see/test how easy it would be for somebody to hack my files?

Please go through this list:

Tips on Web Security

and you will be able to keep your account secure.

**sputnik** · 01-19-2007, 07:27 PM

Thanks. Nice little security tutorial you got there, I'll make sure to follow your recommendations.

LinkBack

Thread Tools

Display

File permissions

Bookmarks

Bookmarks

Posting Permissions