File Ownership and Permissions

cPRex

File ownerships and permissions

When working with files and directories on a Linux machine, we often see strings of numbers and letters next to each item. 777, 644, rwxrwxrwx, rwx------, and other combinations will show up when checking files in a terminal or the cPanel File Manager. This guide will explain what these all mean, why you should care whether they are correct, and how they relate to your daily tasks as a system administrator.

What do these values mean?

These letters and numbers make up the set of permissions granted to files and directories in a Linux filesystem. As the name would imply, they allow or restrict users "permission" to read, write, and execute files on the machine. There are three different permission types on the system:
  • read - this permission allows a user to view the contents of a file or directory
  • write - this permission allows a user to modify the contents of a file or directory
  • execute - this permission allows a user to execute the file or access contents of a directory
These file permissions are assigned to three groups of users - the owner of the file, the group of the file, and other users, which are explained here:
  • owner – this is the owner of the file. Changes made to ownership permissions will not impact other users.
  • group – this is the group the file is assigned to. Just as with changes to the "owner" permissions, these only apply to the group that has been assigned to the file or directory.
  • all users – these are permissions set for all the other users on the machine that are not the owner or in the group.
When you see permissions in the format of rw-r--r--, such as what you might see when running the "ls -lah" command on a server's command line, those are showing the Read, Write, and Execute permissions on the file or directory. These can either be expressed with letters or with numbers, where r=4, w=2, and x=1, and then those numbers are added together for each group of three. For example, rwxrwxrwx is equivalent to 777, rw-r--r-- is 644, and rwxrwxr-x would be 775. Each group of three letters, or each number, applies to the different Linux users on the system. Here is a chart showing what users these permissions apply to:

Screenshot5.png

Once you understand these letters and number values, we're ready to analyze permissions on the Linux filesystem.
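
The letter-to-number conversion described above, as an added example that is not part of the original guide: two shell functions that turn an ls -l style string into its octal form and back. The function names are made up for this illustration.

```bash
#!/bin/sh
# mode_to_octal: "rw-r--r--" or "-rw-r--r--" (as printed by ls -l) -> "644"
mode_to_octal() {
  mode=$1
  # A 10-character string carries the file-type character first ("-" or "d").
  if [ "${#mode}" -eq 10 ]; then mode=${mode#?}; fi
  if [ "${#mode}" -ne 9 ]; then echo "invalid mode string: $1" >&2; return 1; fi
  octal=""
  while [ -n "$mode" ]; do
    rest=${mode#???}
    triad=${mode%"$rest"}   # next group of three: owner, then group, then others
    mode=$rest
    digit=0
    case $triad in r??) digit=$((digit + 4)) ;; -??) ;; *) return 1 ;; esac
    case $triad in ?w?) digit=$((digit + 2)) ;; ?-?) ;; *) return 1 ;; esac
    case $triad in ??x) digit=$((digit + 1)) ;; ??-) ;; *) return 1 ;; esac
    octal="$octal$digit"
  done
  echo "$octal"
}

# octal_to_mode: "644" -> "rw-r--r--"
octal_to_mode() {
  case $1 in
    [0-7][0-7][0-7]) digits=$1 ;;
    *) echo "invalid octal mode: $1" >&2; return 1 ;;
  esac
  letters=""
  while [ -n "$digits" ]; do
    rest=${digits#?}
    d=${digits%"$rest"}     # one digit per group: r=4, w=2, x=1 added together
    digits=$rest
    if [ $((d & 4)) -ne 0 ]; then letters="${letters}r"; else letters="${letters}-"; fi
    if [ $((d & 2)) -ne 0 ]; then letters="${letters}w"; else letters="${letters}-"; fi
    if [ $((d & 1)) -ne 0 ]; then letters="${letters}x"; else letters="${letters}-"; fi
  done
  echo "$letters"
}

# The combinations mentioned in this guide.
for m in rwxrwxrwx -rw-r--r-- rwxrwxr-x rwx------; do
  printf '%s = %s\n' "$m" "$(mode_to_octal "$m")"
done
```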

Default Permissions

In a Linux system, default file permissions are 644, and directories are 755. Let's take a look at one example file on the system and break down what we are seeing.

screenshot2.png

From that image, we know the following about the permissions of that file:
  • This is a file and not a directory. The first character of the permissions string is "-", which indicates this is a normal file. If this were a "d", it would indicate we are looking at a directory.
  • The permissions are 644. The "-rw-r--r--" is a text representation of the permissions, where "r", "w", and "x" stand for "read", "write", and "execute".
  • It is owned by the "cptest" user.
  • It is assigned to the cptest group.
This means the following things can happen with that text file:
  • The owner of the file, cptest, can read, write, or remove that file. (This is the first "rw-" portion of the permissions.)
  • Any user in the cptest group can read the contents of the file, but cannot edit or remove it. (This is the second block of "r--".)
  • All other users on the system can read the contents of the file but cannot edit or remove it. (This is the third and final set of permissions, "r--".)
Why should you care?

Permissions should be granted with care, as you do not want to grant more access than is necessary to anything on the system. We often see cases where an entire user account has all files and directories set to 777 permissions in an attempt to get a script to work properly. While this may get things working, it is not the correct solution, as it opens up every file and directory to be accessed or modified by any user on the system.

It's also important to have the correct permissions so Apache can process the files under users' public_html directories. If the files are owned by root, such as if an administrator unzipped a software installer for a client, Apache will have permissions issues reading that file, causing browser errors.

Common Administration tasks

Occasionally, you will need to make changes to permissions or ownerships on your machine. This could happen because you are installing software on an account and need to change permissions on a setup file after the initial configuration, or because a bad command has been run on the system and needs to be fixed.

To change permissions on files and directories we use the "chmod" command and to change the ownership we use the "chown" command. These stand for "change mode" and "change owner," respectively, and we'll see examples of how to use both of these commands below.

Example 1 - Changing ownership on a file

In this example, we have downloaded a configuration file to a user's account while logged in as the root user. In order for the cPanel user to be able to do anything with that file we'll need to change the ownership over to them, and make sure it has the correct permissions. Here is what we see after downloading our installer.php configuration file to the user's public_html directory:

screenshot3.png

This is a typical scenario for a brand new cPanel account. They have the default files and directories set up by EasyApache 4 and AutoSSL, but we need to make sure they can access that installer.php file. We can use the following chown command to change the ownership of that file to the cptest user:

Code:
chown cptest:cptest installer.php
This command changes the owner and the group, represented by the user:group portion of the command, to be the cptest user. After running that, we'll see this is now assigned to that cptest user when we check the file again:

screenshot4.png

Since that file has 644 permissions already, and is now owned by the cptest user, they can visit that PHP page in a browser to start the installation. Although we didn't need to change permissions in this example, here is the command we would have needed to change the permissions to 644, the standard permissions for a PHP file, just so you have it for reference:

Code:
chmod 644 installer.php
Example 2 - A command was accidentally run that changed file ownership for a cPanel account

Another common reason that you'll need to fix permissions on a site is because of a bad command that was run on an account. If a user mis-typed a chown or chmod command they could accidentally change all of the permissions or ownerships, breaking their website and email accounts. There are two ways this can be easily resolved:

  • restore the account from a recent backup using the WHM >> Backup Restoration tool (recommended method), or
  • manually fix the permissions on the account

To manually fix the ownerships and permissions for just one cPanel user, you might use something like the following command:

Code:
FIXUSER=cpanel_username
if [ -n "$FIXUSER" ]; then
  # Resolve the user's home directory
  FIXPATH=$(eval echo "~$FIXUSER")
  echo "Repairing $FIXPATH"
  # Report and skip files with more than one hard link; chown all other files and directories
  find "$FIXPATH" \( -type f -links +1 -printf "skipping %p because it has %n hard links\n" \) -o \( -type f -links 1 -o -type d \) -execdir chown "$FIXUSER:$FIXUSER" {} \+
  # public_html is owned by the user with the "nobody" group
  chown "$FIXUSER:nobody" "/home/$FIXUSER/public_html"
  echo "Fixing mail permissions"
  /scripts/mailperm "$FIXUSER"
fi

You would just need to change the "cpanel_username" in that example above to the actual cPanel user you are working with.

NOTE: cPanel Technical Support cannot provide assistance with the above or any other custom commands. The example given above is provided as a courtesy to system administrators. You should be sure to understand any commands before executing them on a live system. Restoring the account from a backup is still the safest method to get things working properly.

Example 3 - Ownership was changed on the entire /home directory

If a command was executed on the system that changed the ownership of everything in the /home directory, this is a bit more tricky to restore from and will require assistance from an admin familiar with fixing Linux permissions. If your /home directory is on its own partition, that will allow you to avoid the security issues presented by hard links. However, if your system doesn't have a separate partition for the /home directory, these bad permissions could allow users to create links to sensitive areas of the filesystem. While a complete security guide is beyond the scope of this document, restoring accounts from backups is a quick solution to this type of error. We do also have this command available, with the same caveat as the per-domain command above that we do not provide support for custom commands:

Code:
# List the users in /etc/domainusers, skipping nobody and root
awk -F ':' '$1 != "nobody" && $1 != "root" { print $1; }' /etc/domainusers | sort | uniq | while read -r FIXUSER; do
  if [ -n "$FIXUSER" ]; then
    FIXPATH=$(eval echo "~$FIXUSER")
    echo "Repairing $FIXPATH"
    # Report and skip files with more than one hard link; chown all other files and directories
    find "$FIXPATH" \( -type f -links +1 -printf "skipping %p because it has %n hard links\n" \) -o \( -type f -links 1 -o -type d \) -execdir chown "$FIXUSER:$FIXUSER" {} \+
    chown "$FIXUSER:nobody" "/home/$FIXUSER/public_html"
  fi
done
echo "Fixing mail permissions"
/scripts/mailperm

This command sorts through each user, fixes the ownership, and reports the presence of any hard links that need to be manually dealt with.
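
Before running either repair command, a read-only audit shows what is actually wrong under a directory: world-writable entries such as 777, entries not owned by the account user, and the hard-linked files the repair commands skip. This is an added example, not a cPanel-provided script; the function names and finding labels are made up for illustration, the sample tree is constructed, and GNU find is assumed (the repair commands already rely on its -printf).

```bash
#!/bin/sh
# audit_perms DIR OWNER: prints one finding per line and changes nothing.
audit_perms() {
  dir=$1
  owner=$2
  # "Other" write bit set (777, 666, ...): any local user can modify these.
  find "$dir" \( -type f -o -type d \) -perm -0002 -printf 'WORLD_WRITABLE %m %p\n'
  # Not owned by the account user, e.g. files unpacked while logged in as root.
  find "$dir" \( -type f -o -type d \) ! -user "$owner" -printf 'WRONG_OWNER %u:%g %p\n'
  # More than one hard link: the repair commands skip these, so review them by hand.
  find "$dir" -type f -links +1 -printf 'HARD_LINKED %n %p\n'
}

# Constructed sample tree standing in for a user's public_html directory.
make_sample_tree() {
  tree=$(mktemp -d) || return 1
  mkdir "$tree/uploads"
  touch "$tree/index.php" "$tree/installer.php" "$tree/uploads/a.txt"
  chmod 755 "$tree/uploads"
  chmod 644 "$tree/index.php" "$tree/uploads/a.txt"
  chmod 777 "$tree/installer.php"           # the "get the script to work" mistake
  ln "$tree/index.php" "$tree/index_link"   # second hard link to the same file
  echo "$tree"
}

# Demo: audit the sample tree as the current user, then remove it.
sample=$(make_sample_tree)
audit_perms "$sample" "$(id -u)"
rm -rf "$sample"
```

On a real account the call would look like audit_perms /home/cptest cptest, using the example user from this guide.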

Example 4 - A command changed ownership or permissions across the entire server

Unfortunately, this is one scenario that can't be easily recovered from. Since every file on the machine has been modified there is not a reliable way to fix the system. The best thing to do in this case would be to create a new server with a fresh install of cPanel and restore your sites from backups.

Conclusion

I hope this guide has given you more insight into permissions and how they relate to typical system administration duties. If you have any other questions you can always visit our Forums or contact our Technical Support Team and we'll be happy to help!
 