
Thread: Why are 644 and 755 unix permissions ideal for files/directories in public folders?

  1. #16
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,549
    cPanel/WHM Access Level

    DataCenter Provider

    Lightbulb

    Quote Originally Posted by dakman View Post
    I noticed cPanel has 777 permissions on some different folders such as mail/ etc... Why is this?
    What is the full version of cPanel installed on the server?

    On a fresh system running the latest EDGE (11.25.0-EDGE_40716) I was unable to verify the reported access permissions of 0777; upon testing I see at most an access permissions value of 0770 allowing only user and group access.

  2. #17
    BANNED
    Join Date
    Jun 2005
    Posts
    2,023

    Lightbulb

    Permissions (Basic recommendations)
    -------------------------------------------------------------------------------------
    I actually don't recommend 777 EVER !!!! (That goes for DSO people too!)


    phpSuExec | suPHP
    -----------------------
    755 (owner:owner) Folders
    600 (owner:owner) PHP Scripts
    400 (owner:owner) Configuration Files (config.php, etc)
    600 (owner:owner) Script files requiring WRITE access
    640 (owner:nobody) Non-Script Files, HTML, Images, etc
    750 (owner:nobody) CGI/Perl Scripts

    If no access to setup group ownerships then set Non-Script files to 644 and CGI / Perl Scripts to 755


    DSO (Apache Module)
    --------------------------
    750 (owner:nobody) Folders
    640 (owner:nobody) PHP Scripts
    640 (owner:nobody) Configuration Files (config.php, etc)
    660 (owner:nobody) Script files needing to have "WRITE" access
    640 (owner:nobody) Non-Script Files, HTML, Images, etc
    750 (owner:nobody) CGI/Perl Scripts

    If no access to setup group ownerships then set Folder to 755, PHP Scripts and Configs to 644, Non-Script files to 644, Write Files to 666, and CGI / Perl Scripts to 755
    Last edited by Spiral; 11-10-2009 at 09:55 PM.

  3. #18
    Registered Member
    Join Date
    Sep 2008
    Posts
    10

    Default

    Don, here is our cPanel / WHM install...

    cPanel 11.24.5-R38506 - WHM 11.24.2 - X 3.9
    CENTOS 5.4 i686 virtuozzo on host

    Thanks for looking into this... I'll forward your response to our VPS providers.

    Spiral, great post.. we plan on using the similar SuPHP permission and ownership recommendations you made ... Question though... Sparek had brought up umask. I looked into it and I'm sorta lost.

    As a shared hosting provider we want to "enforce" those permissions (at least upon upload) and make global permissions settings for all our users.. We don't provide SSH access so is there a way to specifically set umask/default permissions settings for different file types not just ALL files or ALL folders, so that our shared accounts by default will use your recommendations?

    ... eg

    any uploaded file:

    *.php = 600 owner : owner

    non-php files = 640 owner : nobody

    cgi/pl = 750 owner:nobody

    all folders 755

    Thanks guys...

  4. #19
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,549
    cPanel/WHM Access Level

    DataCenter Provider

    Lightbulb

    Quote Originally Posted by Spiral View Post
    Permissions (Basic recommendations)
    phpSuExec | suPHP
    ...
    640 (owner:nobody) Non-Script Files, HTML, Images, etc
    750 (owner:nobody) CGI/Perl Scripts
    If no access to setup group ownerships then set Non-Script files to 644 and CGI / Perl Scripts to 755
    When using SuExec and SuPHP it is best to leave both user and group ownership at the stock-defaults (set to the username of the applicable cPanel account) and not as the shared Apache user or group "nobody". Changing group or user ownership to "nobody" will not help in regard to security; anything that is executed as the shared user "nobody" could still potentially have read access to the files the same way as if using "0644" but with normal user and group ownership.

  5. #20
    Registered Member
    Join Date
    Sep 2008
    Posts
    10

    Default

    755 (owner : owner) Folders
    600 (owner : owner) PHP Scripts
    400 (owner : owner) Configuration Files (config.php, etc)
    600 (owner : owner) Script files requiring WRITE access
    644 (owner : owner) Non-Script Files, HTML, Images, etc
    755 (owner : owner) CGI/Perl Scripts

    So I guess these are the ideal permissions for shared users? So how would one use umask to make sure users' files/folders are using the above permissions? Can cPanel automatically adjust permissions for our users?

  6. #21
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,549
    cPanel/WHM Access Level

    DataCenter Provider

    Lightbulb

    Quote Originally Posted by dakman View Post
    Can cPanel automatically adjust permissions for our users?
    This is typically the responsibility of the Server Administration team to apply mass changes to file and directory permissions. A System Administrator could devise a basic shell script or commands to perform the desired mass-adjustment actions to access permissions and/or ownership. The "find" command is what I suggest using as a starting point as you can define search criteria of what you're looking for and then have it run a command on each result (using the "-exec" option for "find").

  7. #22
    Registered Member
    Join Date
    Sep 2008
    Posts
    10

    Default

    Don, I understand cPanel wouldn't adjust this but if SuPHP is installed what would be the reason why a file would be set to 644 if 600 are ideal permissions for PHP files? There's no point using 644 and SuPHP for security purposes as you're just making files still world readable...

    What does cPanel recommend for file permissions (for shared environments)? Are they in line with what Spiral says (besides not using owner:group)?

  8. #23
    BANNED
    Join Date
    Jun 2005
    Posts
    2,023

    Lightbulb

    I guess I'll chime in here and clear up some of the confusion ...

    To answer dakman's larger question about making folders readable to everyone even under SuPHP environments, this has to do primarily with the simple fact that not everything is accessed as OWNER under SuPHP. Directly accessed HTML files, image files, css stylesheets and other related files are still accessed under the Apache process (user "nobody") exactly the same as Apache Module (DSO) based systems so user "nobody" still needs access EVEN WHEN USING SUPHP.

    The primary difference is when you are talking about PHP scripts themselves and files those scripts access directly from within those same scripts as those are all accessed as OWNER under SuPHP or phpSuExec.

    Now while it is necessary to still allow user "nobody" at least read and folder listing access even under SuPHP, this need not necessarily be done via the EVERYONE permission field but rather could be done just as easily using the GROUP permission field if you set the GROUP on those files and folders to "nobody" which would allow you to use "0750" for folders instead of "0755" and for files "0640" instead of "0644".

    For those who don't understand permissions fully, I'll take a quick moment to give everyone a quick crash course and then some of this conversation may make a lot more sense.

    Permissions have numerical values ....
    Code:
    1 = Executable (run as script) [FILES]  /  Directory List [FOLDERS]
    2 = Writable Access
    4 = Readable Access
    Permission numbers are created by simply adding the permissions together that you want to grant. For example, to give ALL permissions, you would use a 7 (1 + 2 + 4) to grant EXECUTABLE / WRITEABLE / and READABLE access to a given file.

    Ah, but there are "3" digits with permissions you ask?

    Actually the permission setting is only one single digit but when you setup permissions on a file or folder you give a "3" digit number symbolizing the permissions for the OWNER of the file or folder, the GROUP of the file or folder, and then finally the permissions for EVERYONE else in the world.

    Thus, given the permission "640" on a file --

    The OWNER of the file has READ and WRITE access (6 = 4 + 2) ...

    The GROUP members have READ access only (4 = 4) ...

    EVERYONE else has no access whatsoever (0 = 0 ) ...

    Under SuPHP and phpSuExec, the relative permission bit for PHP scripts and the files those scripts access or call is the OWNER field.

    Under systems with PHP based on DSO (Apache Module), all scripts run as the common user "nobody" so access needs to be granted to the EVERYONE field UNLESS the user nobody is a member of the file or folder's GROUP and then the relative field would in that case actually be the GROUP instead of EVERYONE which is a bit more secure than globally allowing everyone access.

    It should be obvious from the conversation above but granting permissions to the EVERYONE field literally means everyone that has an account on the server has those permissions which is why it is extremely dangerous to set WRITABLE access to the EVERYONE field and even more dangerous setting the EXECUTABLE bit on that same field!

    NEVER SET '777' ON ANY FILE OR FOLDER NO MATTER WHAT TYPE OF PHP SYSTEM YOUR SERVER USES!

    For lack of a better word, I would say that many script authors are "morons" where it comes to permission recommendations but if you understand what the permissions really do and what they mean, you can easily make more intelligent decisions regarding file and folder permissions.

    Hope this helps ....

    PS: In case anyone doesn't know, the "EXECUTABLE" bit need not be set on PHP scripts (unless running directly as a shell script in SSH) and many don't realize this but under SuPHP (where the OWNER bit is relative), you can set PHP scripts as tightly as 0400 and they would work fine though 0640 is most common.

    SuPHP File Permission Recommendations:
    Code:
    0750 / 0755  Folders  (OWNER = Owner Login : GROUP = nobody) /
          Alternate if not able to set GROUP
    
    0600   General PHP Scripts
    
    0400   Configuration Scripts (IE: config.php)  and / or 
              scripts that complain about being insecure or WRITABLE
    
    0640  / 0644    General Files or Files that need WRITABLE access and this 
          includes all your standard HTML files, Stylesheets, Images, Media Files, Etc.
    
          ***  These would be the ones the script authors tell you incorrectly to do 0777 ***
    
    750  /  755    Perl / CGI Scripts
    Last edited by Spiral; 11-16-2009 at 04:58 PM.
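
An added example, not code from any poster in this thread: the "find ... -exec" approach suggested in post #21, applied to the suPHP modes listed above in their owner:owner variant (755 folders, 600 PHP, 400 config.php, 644 other files, 755 CGI/Perl). The function names, the dry-run switch `APPLY`, matching CGI/Perl scripts by `.cgi`/`.pl` extension, and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: suPHP modes from the thread (owner:owner variant), applied with find.
# APPLY=0 (default) lists what would change; APPLY=1 runs chmod.
# -type f / -type d never match symlinks, so link targets are left alone.

fix_mode() {              # usage: fix_mode DIR MODE find-tests...
    dir=$1 mode=$2; shift 2
    if [ "${APPLY:-0}" = 1 ]; then
        # '--' ends option parsing in case the start path begins with '-'
        find "$dir" "$@" ! -perm "$mode" -exec chmod "$mode" -- {} +
    else
        find "$dir" "$@" ! -perm "$mode" -exec echo "would chmod $mode" {} \;
    fi
}

harden_docroot() {        # usage: harden_docroot /home/USER/public_html
    fix_mode "$1" 755 -type d
    fix_mode "$1" 400 -type f -name config.php
    fix_mode "$1" 600 -type f -name '*.php' ! -name config.php
    # Assumption: CGI/Perl scripts are recognised by extension
    fix_mode "$1" 755 -type f \( -name '*.cgi' -o -name '*.pl' \)
    fix_mode "$1" 644 -type f ! -name '*.php' ! -name '*.cgi' ! -name '*.pl'
}

count_world_writable() {  # files and folders with the EVERYONE write bit set
    find "$1" \( -type f -o -type d \) -perm -002 | wc -l | tr -d ' '
}

# Constructed demo tree standing in for one account's public_html.
make_demo() {
    umask 022
    demo=$(mktemp -d) && mkdir -p "$demo/uploads" "$demo/cgi-bin" || return 1
    for f in index.php config.php style.css uploads/photo.jpg cgi-bin/form.pl; do
        : > "$demo/$f"
    done
    chmod 777 "$demo/uploads" "$demo/config.php" "$demo/index.php"
    chmod 666 "$demo/style.css" "$demo/uploads/photo.jpg"
    echo "$demo"
}

d=$(make_demo)
echo "world-writable before: $(count_world_writable "$d")"
harden_docroot "$d"               # dry run: prints planned changes only
APPLY=1; harden_docroot "$d"      # apply the modes
echo "world-writable after:  $(count_world_writable "$d")"
rm -rf -- "$d"
```

Because each rule only touches entries whose mode differs from the target, a second run changes nothing, and the dry-run output doubles as an audit list of out-of-policy files.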

  9. #24
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,549
    cPanel/WHM Access Level

    DataCenter Provider

    Lightbulb

    Quote Originally Posted by dakman View Post
    Don, I understand cPanel wouldn't adjust this but if SuPHP is installed what would be the reason why a file would be set to 644 if 600 are ideal permissions for PHP files? There's no point using 644 and SuPHP for security purposes as you're just making files still world readable...

    What does cPanel recommend for file permissions (for shared environments)? Are they in line with what Spiral says (besides not using owner:group)?
    There is no official stance one way or the other regarding this extremely specific question; what to use is entirely up to the System Administrators and users that manage the servers and content. Not everyone may see a single recommendation as ideal for his or her unique situation and I would venture to say that people might prefer to decide for themselves how to configure their systems; each person may have a specific reason or need for requiring different access permissions.

  10. #25
    Registered Member
    Join Date
    Jul 2007
    Location
    UK
    Posts
    79

    Default

    Excuse my late joining and ignorance.

    Where can I check/set/force the default permissions for a file on saving?

    E.g. a file previously set at 644 gets edited via cPanel online file manager or via a script and on closing/saving suddenly gets a new permission of 444.

    Obviously it should stay the same as when it was opened.
    I have cPanel/WHM installed and root access.

    thanks
    Last edited by caeos; 02-04-2010 at 10:24 PM. Reason: awful speeling!

  11. #26
    Registered Member
    Join Date
    Jan 2005
    Location
    London, UK
    Posts
    191

    Default

    I am also at the beginning stages of setting up one of my VPS's to use SuPHP, and wondered if the following SSH commands will help ensure correct file permissions as I'm migrating many accounts from a VPS that had PHP as cgi:

    find /home*/*/public_html -type d -perm 0777 -exec chmod 755 {} \;
    find /home*/*/public_html -type f -perm 0666 -exec chmod 644 {} \;
    Found these here:
    http://forums.cpanel.net/f5/suphp-questions-77673.html

    I have also run /scripts/chownpublichtmls
    But now I have a few websites that when accessed they bring up a file download option instead of the website

    Any help appreciated.

    - Vincent

  12. #27
    BANNED
    Join Date
    Jun 2005
    Posts
    2,023

    Default

    [QUOTE]
    find /home*/*/public_html -type d -perm 0777 -exec chmod 755 {} \;
    find /home*/*/public_html -type f -perm 0666 -exec chmod 644 {} \;
    [/QUOTE]
    I'm really not overly thrilled with those commands but if you are going to do it that way, I would run the 777 line against "-type f" as well since you could have some script or web site files incorrectly set to 777 as well.

    (Please though if you want to run those at the very least put a '--' after the permission number and before the '{}' in those commands )

    Anyway, while setting folders to '755' and files to '644' would work, it is not really the most ideal and you can see my other posts for more details on what would be better permission selections for that.

    But now I have a few websites that when accessed they bring up a file download option instead of the website
    THIS HAS NOTHING TO DO WITH YOUR FILE OR FOLDER PERMISSIONS

    Your PHP interpreter is not running either because you don't have the configuration properly loaded or because your PHP is broken as sometimes happens when selecting conflicting or incompatible options at compile time when initially setting up PHP.

    Calling a broken or missing extension in PHP.INI can do this as well.

    On rarer occasions, I've seen the symlinks and paths to the PHP binaries mixed up and that too can cause your PHP not to execute properly.

    In any case, your PHP itself is not working and your Apache server subsequently doesn't know to handle the PHP files so it just treats them as downloadable file content to send to the web browser.

    I would take a look at the following files to see what is going on:

    /usr/local/apache/conf/php.conf
    /usr/local/lib/php.ini
    /opt/suphp/etc/suphp.conf

  13. #28
    BANNED
    Join Date
    Jun 2005
    Posts
    2,023

    Default

    ADDENDUM: Since you mentioned "a few sites", you may want to take a look at the .htaccess files in those sites and see if they are attempting to modify the PHP file type or handlers as this too can break the PHP parsing.

  14. #29
    Registered Member
    Join Date
    Sep 2002
    Location
    AZ
    Posts
    14

    Default

    I used to be able to upload my scripts by ftp and my folder would get 755 and php files would get 755 so that they would run in a browser.

    Now my files in the folders get set to 644 which means I have to go in and change permissions manually on hundreds of files to make them visible.

    I am on a dedicated server and can't seem to locate where I would make any setting changes.

    Where do I start?

    Any assistance would be greatly appreciated.

    Richard Wing
