Greenguy's Board


NY Jester 2009-04-02 10:21 PM

Folder/Directory Permissions or CHMOD
 
I wanted to ask a quick question and get feedback in regards to folder permissions. What is the ideal setting/permission/chmod for public folders?

pc 2009-04-02 10:25 PM

What's in the folder? Images, FS and all other non-script stuff I have on 755, write perm only for owner.

Beaver Bob 2009-04-02 10:41 PM

755 should work for most cases

cd34 2009-04-02 11:07 PM

It depends on how your host has permissions set on the machine. If they are running setuid or suexec, your webserver will run as your username and will be able to read/write all of the files on your site.

If they run apache in a low privilege mode, you would need the directories to be 755 to be readable, and 777 to be writeable by the webserver.

You might ask your host how their servers are set up. You can also change it using FTP and see how 755 works for you. If you change it to 700 and it still works, then you are probably running on a server with suexec/setuid.

NY Jester 2009-04-02 11:19 PM

Thanks for the input, I have them set for 755, they contain only images and html files (galleries, free sites, etc.)

whitey 2009-04-03 02:58 AM

Quote:

Originally Posted by NY Jester (Post 446774)
Thanks for the input, I have them set for 755, they contain only images and html files (galleries, free sites, etc.)

That is normally the default and should work.

nate 2009-04-26 06:32 PM

Quote:

Originally Posted by NY Jester (Post 446774)
Thanks for the input, I have them set for 755, they contain only images and html files (galleries, free sites, etc.)

Folders to 755, files to 644. Executable files (755) outside of cgi-bin is bad practice.

MadCat 2009-04-26 10:16 PM

Unix file permissions 101: (just for completeness).

Permissions are set with chmod, and are in fact an 'octal' mask for it. The first digit supplies permissions for the file owner (user). The second digit supplies permissions for the file owner's group and the third digit supplies permissions for anyone who is not the owner, and not in the owner's group.

Permission numbers:
read: 4
write: 2
execute: 1

You just add them up and presto. So, 755 would mean that the file owner can read, write, and execute the file, people in the owner's group can read and execute, and others can read and execute.

In the case of a directory, the execute bit actually means "can read the contents of this directory".

In the case of doing permissions for your websites, keep a few things in mind:

1: Most webservers will run CGI scripts either as "you" (your user id and group id); this means that if you want to be very "safe" you can chmod 750 instead, denying other users on the same server access to your stuff.

2: Some webservers will run CGI scripts as the user id and group id of the webserver itself, usually you aren't a member of this group, and the webserver isn't a member of your group either. In this case you're stuck with 755 -- but for directories or files that the webserver needs to write to, you're stuck on 757 -or- 777.

3: When in doubt, 777 fixes most directory access problems, but it's not recommended since that pretty much allows anyone to do anything to your files.

Keep in mind that the webserver needs read permission on files in order to serve them up, but reading files is done using the webserver's group and user id, so to do this you need at least a permission of 004.

Ok a bit rambling but hope it helps :D
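
An added example, not part of the thread: a shell audit for the two conditions the posts above flag (world-writable paths such as 777 or 757, and executable files outside cgi-bin), plus the 755/644 baseline. The function names and the sample tree are constructed for illustration, and cgi-bin is assumed to sit at the top of the web root.

```sh
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Print one finding per line as "<issue> <path>".
audit_webroot() {
    root=${1%/}
    # "Others" write bit set (777, 757, 666, ...). Symlinks are skipped.
    find "$root" \( -type d -o -type f \) -perm -0002 \
        -exec printf 'world-writable %s\n' {} +
    # Regular files with any execute bit, outside the top-level cgi-bin
    # (assumed location; adjust the -path test for a different layout).
    find "$root" -path "$root/cgi-bin" -prune -o \
        -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
        -exec printf 'exec-outside-cgi-bin %s\n' {} +
}

# Apply the 755/644 baseline from the thread, leaving cgi-bin untouched.
# Where the web server runs as its own user, directories it must write to
# need a deliberate exception afterwards.
normalize_webroot() {
    root=${1%/}
    find "$root" -path "$root/cgi-bin" -prune -o -type d -exec chmod 755 {} +
    find "$root" -path "$root/cgi-bin" -prune -o -type f -exec chmod 644 {} +
}

# Constructed sample tree so the example runs offline; prints its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/galleries" "$d/uploads" "$d/cgi-bin"
    : > "$d/galleries/index.html"
    : > "$d/galleries/run.sh"
    : > "$d/cgi-bin/form.cgi"
    chmod 755 "$d" "$d/galleries" "$d/cgi-bin"
    chmod 755 "$d/galleries/run.sh" "$d/cgi-bin/form.cgi"
    chmod 644 "$d/galleries/index.html"
    chmod 777 "$d/uploads"
    printf '%s\n' "$d"
}

tree=$(make_demo_tree)
echo "before:"; audit_webroot "$tree"
normalize_webroot "$tree"
echo "after: $(audit_webroot "$tree" | wc -l) findings"
rm -rf "$tree"
```

Run `audit_webroot` on its own first; `normalize_webroot` changes modes across the whole tree.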

nate 2009-04-27 12:17 AM

Quote:

Originally Posted by MadCat (Post 449352)
Unix file permissions 101: (just for completeness)

3: When in doubt, 777 fixes most directory access problems, but it's not recommended since that pretty much allows anyone to do anything to your files.

By the time they can do anything other than what your script allows them to with a writable file or directory, they already have pwned that account and can do pretty much anything (well, not counting other users that aren't in a chroot container).

MadCat 2009-04-27 06:38 AM

Quote:

Originally Posted by nate (Post 449355)
By the time they can do anything other than what your script allows them to with a writable file or directory, they already have pwned that account and can do pretty much anything (well, not counting other users that aren't in a chroot container).

2 words. SQL injection.

Also, if you set stuff to 777 and someone fucks your script into writing out a new PHP file, that causes the account to be pwned -- so before you try talking security, please get a clue first :)

nate 2009-04-27 11:35 AM

Quote:

Originally Posted by MadCat (Post 449360)
2 words. SQL injection.

Also, if you set stuff to 777 and someone fucks your script into writing out a new PHP file, that causes the account to be pwned -- so before you try talking security, please get a clue first :)


OK, I got the clue.

MadCat 2009-04-27 12:11 PM

Cool, let's discuss then :D

Useless 2009-04-27 01:14 PM

You girls are finally done bickering over something that was answered in the first hour of the thread's creation 25 days ago.


All times are GMT -4.
