Greenguy's Board


Old 2009-04-26, 10:16 PM   #1
MadCat
If something's hard to do, then it's not worth doing
 
 
Join Date: Sep 2008
Location: Berlin, Germany
Posts: 247
Unix file permissions 101: (just for completeness).

Permissions are set with chmod, and are in fact an 'octal' mask for it. The first digit supplies permissions for the file owner (user). The second digit supplies permissions for the file owner's group and the third digit supplies permissions for anyone who is not the owner, and not in the owner's group.

Permission numbers:
read: 4
write: 2
execute: 1

You just add them up and presto. So, 755 would mean that the file owner can read, write, and execute the file, people in the owner's group can read and execute, and others can read and execute.

In the case of a directory, the execute bit actually means "can read the contents of this directory".

In the case of doing permissions for your websites, keep a few things in mind:

1: Most webservers will run CGI scripts either as "you" (your user id and group id); this means that if you want to be very "safe" you can chmod 750 instead, denying other users on the same server access to your stuff.

2: Some webservers will run CGI scripts as the user id and group id of the webserver itself; usually you aren't a member of this group, and the webserver isn't a member of your group either. In this case you're stuck with 755 -- but for directories or files that the webserver needs to write to, you're stuck on 757 -or- 777.

3: When in doubt, 777 fixes most directory access problems, but it's not recommended since that pretty much allows anyone to do anything to your files.

Keep in mind that the webserver needs read permission on files in order to serve them up, but reading files is done using the webserver's group and user id, so to do this you need at least a permission of 004.

Ok a bit rambling but hope it helps
__________________
What's blue and not heavy?
Old 2009-04-27, 12:17 AM   #2
nate
I can now put whatever you want in this space :)
 
 
Join Date: Mar 2009
Location: Merica!
Posts: 543
Quote:
Originally Posted by MadCat View Post
Unix file permissions 101: (just for completeness)

3: When in doubt, 777 fixes most directory access problems, but it's not recommended since that pretty much allows anyone to do anything to your files.
by the time they can do anything other than what your script allows them to with a writable file or directory, they already have pwned that account and can do pretty much anything (well, not counting other users that aren't in a chroot container)
Old 2009-04-27, 06:38 AM   #3
MadCat
If something's hard to do, then it's not worth doing
 
 
Join Date: Sep 2008
Location: Berlin, Germany
Posts: 247
Quote:
Originally Posted by nate View Post
by the time they can do anything other than what your script allows them to with a writable file or directory, they already have pwned that account and can do pretty much anything (well, not counting other users that aren't in a chroot container)
2 words. SQL injection.

Also, if you set stuff to 777 and someone fucks your script into writing out a new PHP file, that causes the account to be pwned -- so before you try talking security, please get a clue first
__________________
What's blue and not heavy?
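
Added example, not part of the original thread: a Python audit that decodes each entry's octal mode as described in post #1 and flags anything with the "other" write bit set, i.e. the 757/777 cases from post #1 and the directories where the script-written PHP file from post #3 could land. The sample tree and its directory and file names are constructed for illustration; POSIX permissions are assumed.

```python
import os
import stat
import tempfile

def describe(mode):
    """Return the low nine permission bits as (octal string, rwx string)."""
    perms = stat.S_IMODE(mode) & 0o777
    return format(perms, "03o"), stat.filemode(mode)[1:]

def audit(root):
    """Return (relative path, octal, rwx, kind) for entries 'others' can write to."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is not what gets enforced
            if st.st_mode & stat.S_IWOTH:  # the "2" in the third octal digit
                octal, rwx = describe(st.st_mode)
                kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
                findings.append((os.path.relpath(path, root), octal, rwx, kind))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample web root (hypothetical names) inside a temp directory."""
    root = tempfile.mkdtemp(prefix="webroot-")
    dirs = {"cgi-bin": 0o750, "uploads": 0o777, "cache": 0o757, "htdocs": 0o755}
    for name, mode in dirs.items():
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)  # chmod is not affected by umask
    files = {"htdocs/index.html": 0o644, "htdocs/config.php": 0o666}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for rel, octal, rwx, kind in audit(root):
        print(f"{octal} {rwx} {kind:4} {rel}")
```

Pointing `audit()` at a real document root lists the entries to tighten, for example to 750 or 755 where the server setup described in post #1 allows it.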
Old 2009-04-27, 11:35 AM   #4
nate
I can now put whatever you want in this space :)
 
 
Join Date: Mar 2009
Location: Merica!
Posts: 543
Quote:
Originally Posted by MadCat View Post
2 words. SQL injection.

Also, if you set stuff to 777 and someone fucks your script into writing out a new PHP file, that causes the account to be pwned -- so before you try talking security, please get a clue first

OK, I got the clue.

All times are GMT -4.