Files permisions and linux host. What's the best?

saidbakr

Hi,

I'm going to host a new website at hosting company. This host is linux based. The website application allows registerd users to upload files such as images and videos. The application in some functionality, may write or read files and directories.

I know about linux file permisions that it is an integer formed from 3 digits xxx. The first one is for owner, the second is for group and the third is for others. read has the value 4, write has 2 and execute has the value 1. The sum of every action gives the permistion.

For example 777 means owner, group and others can read, write and execute, while 755 allows owner to read, write and execute but both of group and others can only read and execute without write.

My question is: How can I relate this to my website that is coded using PHP? In other word, in the website enviroment who is the owner?, who is the group? and who is the other?

I want to make my files at the maximum security standards without affecting the functionalities regarded above.

richie

For most files on a web server,
the owner will be the FTP username,
the group will be the group Apache belongs to,
and Others will be any other user on the server that is not in the above two categories. For example, if there's another linux user on the same machine called nswan, that user belongs to the Others category.

So, let's say your ftp account username is moony16, and your apache server runs as apache. When you issue the command "ls -a" on linux, you should get something like:

-rw-r--r-- 5 moony16 apache 4096 Jan 20 13:05 logo.jpg

The result shows that the file, logo.jpg has a permission of 644. Strictly speaking, you could make the permission 640, and you'll still be ok, since only your webserver user, and your ftp user should be able to read/change the file.

saidbakr

Hi,

I think 640 will not allow users of the website to upload files, because, according to your answer, they belongs to Apache group and hence their permision is 4 i.e read only!

So if we supposed this page of PHPBuilder newreplay.php have the permistion 640, this may mean that we could not attache files to this post. Is this true?

I think 640 is very good for static website, but dynamic, I think there is another value should be better.

Do you think 660 is fine?

NogDog

You'll possibly need 666, as the middle digit is for "group", and will only allow the webserver user read/write access if it and your personal account are members of the same group. If you want to limit it to only 660, then you'll first need to confirm with your hosting company that you and the Apache user share a group membership.

saidbakr

Hi,

Therefore, I could conclude that the website's visitors are regarded as Group and hence there permissions are assigned by the second digit in the permission number.

One little question is remaining, Execute permission, how does it be achieved by the website's visitor? In other word, if there a directory of permissions 670, which it means that the group able to execute. so How and what the website's visitor execute?

NogDog

It is not whether or not they are a member of a group, but whether they are a member of a group which includes the owner.

Directories need to have both read and execute permission for their contents to be accessible. So read access to a directory requires a "5", while read/write access requires a "7".

saidbakr

I'm confused!
What is the permisions value that I should set to the root public directory for my website hosting space where this permision allows the php scripts to do functionaliries regrded in my first post?

NogDog

If you want to be sure that your PHP scripts can both read and write to a directory, use 777. If you only need the directory to be readable, use 555. If you are sure that your user account and the Apache account share the same group, you could use 770 or 550. (If you are not sure, try it, and see what happens when you access the page via the web.) For files (not directories) within a directory, you do not normally need any execute permissions (unless it's a CGI script or such), in which case you can reduce those digits by 1: 666 and 444.