Greenguy's Board


Old 2009-04-02, 10:21 PM   #1
NY Jester
Folder/Directory Permissions or CHMOD

I wanted to ask a quick question and get feedback in regards to folder permissions. What is the ideal setting/permission/chmod for public folders?
Old 2009-04-02, 10:25 PM   #2
pc
What's in the folder? Images, FS and all other non-script stuff I have on 755, write perm only for owner.
Old 2009-04-02, 10:41 PM   #3
Beaver Bob
755 should work for most cases
Old 2009-04-02, 11:07 PM   #4
cd34
It depends on how your host has permissions set on the machine. If they are running setuid or suexec, your webserver will run as your username and will be able to read/write all of the files on your site.

If they run apache in a low privilege mode, you would need the directories to be 755 to be readable, and 777 to be writeable by the webserver.

You might ask your host how their servers are set up. You can also change it using FTP and see how 755 works for you. If you change it to 700 and it still works, then you are probably running on a server with suexec/setuid.
Old 2009-04-02, 11:19 PM   #5
NY Jester
Thanks for the input, I have them set for 755, they contain only images and HTML files (galleries, free sites, etc.)
Old 2009-04-03, 02:58 AM   #6
whitey
Quote:
Originally Posted by NY Jester View Post
Thanks for the input, I have them set for 755, they contain only images and HTML files (galleries, free sites, etc.)
That is normally the default and should work.
Old 2009-04-26, 06:32 PM   #7
nate
Quote:
Originally Posted by NY Jester View Post
Thanks for the input, I have them set for 755, they contain only images and HTML files (galleries, free sites, etc.)
Folders to 755, files to 644. Executable files (755) outside of cgi-bin are bad practice.
Old 2009-04-26, 10:16 PM   #8
MadCat
Unix file permissions 101: (just for completeness).

Permissions are set with chmod, and are in fact an 'octal' mask for it. The first digit supplies permissions for the file owner (user). The second digit supplies permissions for the file owner's group and the third digit supplies permissions for anyone who is not the owner, and not in the owner's group.

Permission numbers:
read: 4
write: 2
execute: 1

You just add them up and presto. So, 755 would mean that the file owner can read, write, and execute the file, people in the owner's group can read and execute, and others can read and execute.

In the case of a directory, the execute bit actually means "can read the contents of this directory".

In the case of doing permissions for your websites, keep a few things in mind:

1: Most webservers will run CGI scripts either as "you" (your user id and group id); this means that if you want to be very "safe" you can chmod 750 instead, denying other users on the same server access to your stuff.

2: Some webservers will run CGI scripts as the user id and group id of the webserver itself, usually you aren't a member of this group, and the webserver isn't a member of your group either. In this case you're stuck with 755 -- but for directories or files that the webserver needs to write to, you're stuck on 757 -or- 777.

3: When in doubt, 777 fixes most directory access problems, but it's not recommended since that pretty much allows anyone to do anything to your files.

Keep in mind that the webserver needs read permission on files in order to serve them up, but reading files is done using the webserver's group and user id, so to do this you need at least a permission of 004.

Ok a bit rambling but hope it helps
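
An added example, not part of any post in this thread: a shell audit that lists world-writable paths (the 777/757 case above) and executable files outside cgi-bin, then resets a static tree to 755 for directories and 644 for files. The sample tree, its file names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and normalize a static web root (dirs 755, files 644).
# The tree layout and function names are assumptions made for this sketch.

# Paths writable by "other": the 2 bit in the third octal digit.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Regular files with any execute bit (the 1 bit) set outside cgi-bin.
stray_executables() {
    find "$1" -path "$1/cgi-bin" -prune -o -type f \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print | sort
}

# Directories to 755, files to 644; files under cgi-bin keep their mode.
normalize() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -path "$1/cgi-bin" -prune -o -type f -exec chmod 644 {} +
}

# Constructed sample tree so the script runs offline.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/galleries" "$root/uploads" "$root/cgi-bin"
    echo '<html></html>' > "$root/galleries/index.html"
    echo 'img'           > "$root/galleries/pic.jpg"
    echo '#!/bin/sh'     > "$root/cgi-bin/form.cgi"
    chmod 755 "$root/galleries" "$root/cgi-bin" "$root/cgi-bin/form.cgi"
    chmod 644 "$root/galleries/index.html"
    chmod 755 "$root/galleries/pic.jpg"   # executable image: should be 644
    chmod 777 "$root/uploads"             # world-writable directory
    echo "$root"
}

# Report, normalize, report again.
demo() {
    root=$(make_sample)
    echo "world-writable:";    world_writable "$root"
    echo "stray executables:"; stray_executables "$root"
    normalize "$root"
    printf 'after normalize: %s world-writable, %s stray executables\n' \
        "$(world_writable "$root" | wc -l)" \
        "$(stray_executables "$root" | wc -l)"
    rm -rf "$root"
}
demo
```

Run the two report functions before `normalize`: on a host where the webserver runs under its own user id, resetting an upload directory to 755 also removes the webserver's write access to it.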
Old 2009-04-27, 12:17 AM   #9
nate
Quote:
Originally Posted by MadCat View Post
Unix file permissions 101: (just for completeness)

3: When in doubt, 777 fixes most directory access problems, but it's not recommended since that pretty much allows anyone to do anything to your files.
By the time they can do anything other than what your script allows them to with a writable file or directory, they already have pwned that account and can do pretty much anything (well, not counting other users that aren't in a chroot container).
Old 2009-04-27, 06:38 AM   #10
MadCat
Quote:
Originally Posted by nate View Post
By the time they can do anything other than what your script allows them to with a writable file or directory, they already have pwned that account and can do pretty much anything (well, not counting other users that aren't in a chroot container).
2 words. SQL injection.

Also, if you set stuff to 777 and someone fucks your script into writing out a new PHP file, that causes the account to be pwned -- so before you try talking security, please get a clue first
Old 2009-04-27, 11:35 AM   #11
nate
Quote:
Originally Posted by MadCat View Post
2 words. SQL injection.

Also, if you set stuff to 777 and someone fucks your script into writing out a new PHP file, that causes the account to be pwned -- so before you try talking security, please get a clue first

OK, I got the clue.
Old 2009-04-27, 12:11 PM   #12
MadCat
Cool, let's discuss then
Old 2009-04-27, 01:14 PM   #13
Useless
You girls are finally done bickering over something that was answered in the first hour of the thread's creation 25 days ago.
All times are GMT -4.