我应该为IIS7上的Wordpress 3.9.1安装设置哪些文件夹权限?
[英]What folder permissions should I set for a Wordpress 3.9.1 install on IIS7?
问题描述
When you install WordPress ( 3.9.1 currently) manually through the zip file over at wordpress.org , you're given a folder structure, I've outlined it below but I've only gone two folders deep to illustrate my question. 
当您通过wordpress.org上的zip文件手动安装WordPress (当前为3.9.1 )时,会为您提供一个文件夹结构,我在下面对其进行了概述,但仅深入了两个文件夹来说明我的问题。
In IIS7, the default user is IUSR 在IIS7中,默认用户为IUSR
What I'd like to know is, what permissions should I give this file structure so that logged in users can upload files, update plugins as well as the core (with new releases) via the WordPress administration area... without opening up hack holes . 我想知道的是,我应该赋予该文件结构什么权限,以便登录的用户可以通过WordPress管理区域上传文件,更新插件以及核心(包括新版本)... 而无需打开hack孔 。
Is it safe to allow IUSR these permissions on the entire structure? 在整个结构上允许IUSR这些权限是否安全? (X, not checked on, O, checked on) (X,未选中,O,选中)
- [X] Full Control [X]完全控制
- [O] Modify [O]修改
- [O] Read & Execute [O]读取并执行
- [O] List Folder Contents [O]列出文件夹内容
- [O] Read [O]阅读
- [O] Write [O]写
- [X] Special Permissions [X]特殊权限
I'm afraid that if I open up this gate, that it'll allow hackers to exploit my server's file system within this website , potentially opening up more dangerous possibilities. 恐怕如果我打开此大门,它将使黑客能够在此网站内利用服务器的文件系统 ,从而可能带来更多危险的可能性。 I've read into their suggesstions over at http://codex.wordpress.org/Changing_File_Permissions but this document outlines Linux settings, not IIS. 我已经在http://codex.wordpress.org/Changing_File_Permissions上阅读了他们的建议,但本文档概述了Linux设置,而不是IIS。 I can't seem to find one for IIS. 我似乎找不到一个IIS。
/* Begin File Structure
/wordpress/
/wp-admin/
/css/
/images/
/includes/
/js/
/maint/
/network/
/user/
/wp-content/
/plugins/
/themes/
/wp-includes/
/Certificates/
/css/
/fonts/
/ID3/
/images/
/js/
/pomo/
/SimplePie/
/Text/
/theme-compat/
*/
Looking at this file structure, it seems that in order to allow people who are logged into the administration area of the website to upload files, update the core, add/remove plugins, I'd have to give the whole thing crazy amounts of access giving anyone the ability to upload anything if they find a loophole in WP's code. 从这个文件结构来看,为了允许登录到网站管理区域的人们上传文件,更新核心,添加/删除插件,我必须给整个事情疯狂的访问量如果任何人发现WP代码中的漏洞,就可以上传任何东西。
1 个解决方案
解决方案1
1 已采纳 2014-07-03 22:29:56
This is a good resource: http://forums.iis.net/t/1178859.aspx 这是一个很好的资源: http : //forums.iis.net/t/1178859.aspx
In summary of that post and from my previous experience on other servers: 总结这篇文章,以及我以前在其他服务器上的经验:
You can use the standard permissions for IUSR. 您可以对IUSR使用标准权限。
The theme / plugins / uploads folders are what require you to have write permissions. 主题 / 插件 / 上载文件夹是需要您具有写权限的文件。 In your example you are missing the uploads folder under wp-content. 在您的示例中,您缺少wp-content下的uploads文件夹。 I would create it manually so you don't want to give wp-content write permissions. 我会手动创建它,因此您不想授予wp-content写入权限。
The additonal resouces from the post: http://www.iis.net/learn/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis 帖子中的其他资源: http ://www.iis.net/learn/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis
http://www.iis.net/learn/get-started/planning-for-security/secure-content-in-iis-through-file-system-acls http://www.iis.net/learn/get-started/planning-for-security/secure-content-in-iis-through-file-system-acls
http://weblogs.asp.net/owscott/securing-iis-thwarting-the-hacker-week-23 http://weblogs.asp.net/owscott/securing-iis-thwarting-the-hacker-week-23
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.