Safe File Permissions

dyntryx

I know how to chmod and I understand how it works. My question is generally just about what's safe and what's not. Giving a file the permissions 777 isn't entirely unsafe to some extent, but anyone with any access to the server the file is on could definitely 'cause problems if they wanted to. So, even though most people wouldn't have that kind of access to your webserver, I still don't see how it could be recommended.

I have a script in which I need to be able to write files, which means the folder the file is contained in needs to be able to allow PHP to do so. Also, any files that were previously created in the folder (not by PHP's fwrite() command) need to allow me to modify them using PHP. So, I'm just wondering what would be the safest permissions to set for this folder and these files. Keep in mind I need to be able to write these files from PHP. I was thinking maybe 774 or 664 would be sufficient. But since I'm not the best at this sort of thing (I haven't had much time to delve into Linux and such as of yet), I'd ask some people who are better. What's the recommendation?

Sorry if this makes little sense, I'm in a hurry. If no one understands, I'll clarify in a few hours when I'm off work. Thanks for your time. Bye. :p

planetsim

Well your user should have full Write, Read and Execute Permissions. From there your best to have Read, Execute permissions for Group and Other. This should be 755 permissions, unless you want the server to write to files you shouldnt need any higher.

[edit]
Also if the server admin has set up the server correctly no user should be able to access your home directory or even see it for that matter.
[/edit]

halojoy

Also if the server admin has set up the server correctly
no user should be able to access your home directory
or even see it for that matter

There is a setting,
I think in apache 'httpd.conf'
default user = 'something'
I have set this to be
default user = 'nobody'
to set it to "root" - would be very stupid, I think

Am I right, planetsim?

dyntryx

unless you want the server to write to files you shouldnt need any higher.

I want my PHP script to be able to write files. So, that means I need 775, right? By default my files are 644. I was thinking, would 665 not be sufficient for allowing PHP and myself to modify a file while still giving the user access to read it? What exactly is the use of allowing execution on a PHP file? Read access will still be sufficient for the script to run, so is it really necessary?

Also, I don't know how many people know this, but a lot of hosts are very, very stupid. Some of you are probably saying, "well, yeah..."; others are probably saying, "how so?" Well, I'll tell you. For one, some hosts allow you to read directories outside your own home directory and sometimes even access the files. Sometimes you can't do it directly, but you can still run the "ls" command using passthru(). So, I'm asking all these questions about chmod, because I'm wondering this... If someone could do that on my host (they can't, but hypothetically), how would my files be best protected from tampering while still being usable by me and my PHP scripts.

So, thanks again to anyone who can help. Planetsim and halojoy, thanks plenty for responding. Much love. 😉

planetsim

I want my PHP script to be able to write files. So, that means I need 775, right

Depends on the setting on SELinux, however it should be 777 mainly because nobody really goes in the other section and needs to be able to read, write and execute.

Also yes your right 644 should be sufficient however sometimes again this is not the case depends on how the Administrator has set the server up.

777 is mainly suggested because it works. However if the file is created and permissions for other to read and write which is 666. However like I said this depends on Administrator and how its setup.

halojoy

Originally posted by halojoy
There is a setting,
I think in apache 'httpd.conf'
default user = 'something'
I have set this to be
default user = 'nobody'
to set it to "root" - would be very stupid, I think

Am I right, planetsim?

I asked this question. Now, I still wonder .......

planetsim

Originally posted by halojoy
There is a setting,
I think in apache 'httpd.conf'
default user = 'something'
I have set this to be
default user = 'nobody'
to set it to "root" - would be very stupid, I think

Am I right, planetsim?

Its User and Group typically set to nobody. If an Administrator used root. It would become quite messy not just the server.

dyntryx

As far as I can tell, I can write to files I've already created using a PHP script with the group permissions set to read/write. So, I guess PHP is considered to be in the same group as the user? Which would lead me to believe I could accomplish what I want with 664.

As far as 777 goes, that seems very insecure. Especially under the conditions I mentioned earlier with some hosts. And believe me, there are more of those hosts out there than you want to know about. 😉

Still, I wonder just how secure things can stay when you allow write access for PHP. Seems like a tough call to me.