Ideal permission for public_html

AMiRU

Registered
Apr 22, 2012
2
0
51
cPanel Access Level
Root Administrator
I wonder what's the ideal permission for public_html, 750 or 755?

Seems like with 755, if a user upload some kind of a malicious code, he/she can access the whole accounts hosted under the same server. To me, 750 sound better but /scripts/chownpublichtml will change permission to 755 and change ownership of public_html to user:user.

I wonder if there is a way to change this.

Please advice, thank you.
 

m8internet

Member
Jan 2, 2011
21
0
51
Cumbernauld, Scotland, UK
public_html should be 750
Any sub-folder should then be 777 and these are the ones where public upload is permitted
All other sub-folders should be 755 and these will not normally allow public upload
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,606
33
238
somewhere over the rainbow
cPanel Access Level
Root Administrator
Is there a reason you are running /scripts/chownpublichtml on the machine? Just wondered why it was being used or if there's something else you have that is triggering that script.
 

NetMantis

BANNED
Apr 22, 2012
116
1
66
Utah
cPanel Access Level
DataCenter Provider
For public_html folder itself, that should be account owner owned with a group of 'nobody' and the permissions should be 750 for the folder

Subfolders however are a little bit trickier and depend heavily on what type of PHP you are running.

M8internet's post above is partially correct but would be valid if and only if you are running PHP as DSO (mod_php) which is a configuration I personally would never recommend to anyone because of the extensive security problems associated with running PHP in that manner.

If you are running PHP as any other type such as the now more common SuPHP or FCGI then all your sub-folders beneath the public_html folder would be 755 regardless of whether you wanted to use them as writable or non-writable folders.

Incidentally 755 under either of these types of PHP configurations is actually itself writable.

PHP scripts under DSO based PHP would usually be 644 while under SuPHP or FCGI, you could feasibly make the scripts as tight as 400 and still work though 600 would be most recommended.

CGI (*.cgi, *.pl) and some PHP scripts such as those called from crons would be 755 permission

Non-Script files such as html files, css files, images, and so forth would be 644 permission

If you are running either SuPHP or FCGI, you can (and should) safely disregard any instructions from any program you have telling you to set '777' or '666' permissions anyway. Those permissions only pertain to DSO based PHP only. Under SuPHP or FCGI, you would set 755 for any folders you are told to set 777 for a program and you would set 644 for any files you are told to set to '666'.

A side little trivia footnote (a lot of people surprisingly don't know) is if you do set 777 on any files or folders on either a SuPHP or FCGI system, it will actually break your web program you are trying to run and at the best of cases cause severe performance slowdowns and at the worst actually crash the site completely with an error 500 condition. This is because 777 under SuPHP or FCGI systems is roughly equivalent to 000 or no access. Most program authors when writing documentation for their programs fail to tell you that and just blindly assume that you are running DSO (mod_php) based PHP when writing documentation.

But anyway, back to your base original question, public_html itself should be 750.

I hope this post is informative and helpful to you sorting out your permission issues.
 
Last edited:

AMiRU

Registered
Apr 22, 2012
2
0
51
cPanel Access Level
Root Administrator
I was getting Internal Server Error when I changed public_html folder to 750, I google and read that I should run /scripts/chownpublichtmls

I seem to have find the solution to my problem, I ran the following script
Code:
for i  in `cat /etc/trueuserdomains | awk '{print $2}'`
do
chown $i.$i /home/$i -R;
chown $i.mail /home/$i/etc -R;
chown $i.nobody /home/$i/public_html;
chmod 750 /home/$i/public_html;
done;
That should be it right?