l if the PHP program needs to have write access to the site of some of the files will need to manually file or directory permissions to modify 777
l because php-fpm sub process is based on the nobody operation, then the new owner of the file generated by php-fpm is nobody, then FTP users will not be able to modify these files, it takes.
2. software / Web server configuration /php program by using
| nginx and PHP on the website only read permission without permission to write
to discuss this issue, first explains several concepts and process permissions:
A. FTP has the largest user to modify the permissions on the site directory, then the owner of the file website must belong to FTP, which is no doubt, otherwise how to modify the
, nginx and php-fpm sub process account number is nobody.
B. php-fpm process, nginx process of Web site files need to have at least read permissions, for example, the following command can be used to view the two processes of the account:
We can find that ?
according to the production environment continuous feedback, found that there have been linked to the Trojan site PHP, most of the reason is because the permission set unreasonable. Because the server software, or the existence of loopholes in the PHP program are inevitable, in this case, if you can set Linux directory permissions correctly, then the process of PHP authority, the security of the site is actually can be guaranteed.
PS aux|grep nginx
we’ll see the website file directory permissions:
PS aux|grep php
core using php-fpm sub process user, is not the owner of the file website. Those who violate this principle, it is not in accordance with the principle of least privilege.
1. FTP connection information has been cracked, for this reason, a feasible way is very complicated to use FTP username (do not use the common username), if it is fixed, consider using iptables source IP firewall restrictions. But in some situations, you may want to use VPN for remote maintenance. Which site maintainers need to use FTP to modify the site files, must first login to the VPN server IDC room, and then subsequent operation.
well, the cause of site was linked to the Trojan is what
WWW is the owner of the file website found that account:
There are loopholes in