PHP-FPM and file permissions (.htaccess especially)

Seb45874

Registered
Apr 21, 2018
france
cPanel Access Level
Root Administrator
Hi,

Correct me if I'm wrong:

With PHP-FPM running, is it correct that, for best security, website file ownership and permissions should be:

500 for directories, with owner user:user
400 for files, with owner user:user

So why does the .htaccess need to be 404 to work?
Why do directories need to be 505 to work?
Why do files work with 400 and not follow the logic of the others by needing 404?
Thanks.
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
The .htaccess file is read by the Apache user - nobody - so if the file is owned by user, then the others bit would also have to have read permissions.

HTML files and any non-PHP (or CGI) scripts have to be readable by the Apache user (if you're talking about files in a VirtualHost's DocumentRoot).

PHP scripts can have a permission of 400 (which means the read bit is enabled for the owner and nothing for the group or other bits).

But files, like raw HTML files, have to be readable by the other bit, so a permission of 404 (read bit for owner and read bit for others) needs to be set. Technically, you could set it to 004 (read bit on others bit only), but then you won't be able to read the file, download it with FTP or edit it in the cPanel.

Directories need the execute bit, and the Apache user needs to be able to traverse into those directories; that's why 505 is needed (read bit for owner and others and execute bit for owner and others).

Typically you would set directories to 755 which gives the owner full access (read/write/execute) and group and others read and execute access.

Typically you would set files to 644, which gives the owner read and write access and group and others read access.

If the file is a PHP script, being executed in a PHP-FPM environment or an environment where PHP is executed as the VirtualHost owner, then you can get by with setting that script to 600, read and write access to the owner only.

I would recommend using 600 permissions on PHP config files at the very least. I suppose ideally, you could set all PHP files to 600 to prevent any other user on the server from possibly reading the files, but this is especially true for config files that contain sensitive information. But there's not a clear-cut way to do this on a per-file-type basis. For one: How are you uploading or creating the files? And how is that application supposed to know that they are PHP scripts? For another: Not everyone uses PHP-FPM or executes PHP in a VirtualHost owner environment. This is less common than it was many years ago, but when PHP first came out it was run as a DSO module in PHP, executing as the Apache user, which necessitated higher file permissions to run and execute. I'm not sure how many such environments still exist, but I'm sure there still are some (although, maybe not cPanel environments). In my opinion, this comes down to end-user education. Instead of depending on some application to do this for you, understand what proper file permissions are and act accordingly.
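
The rules in the answer above can be checked mechanically. The following audit script is an added example, not part of the original post or of cPanel; it assumes PHP scripts are identified by a `.php` extension and run as the account owner under PHP-FPM, while Apache reads everything else through the "others" bits. The function name and finding labels are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes PHP-FPM runs scripts as the
# account owner and Apache ("nobody") reads everything else through the
# "others" permission bits, as the answer above describes.

# audit_docroot DIR: print one finding per line, return 1 if any were found.
audit_docroot() {
    root=$1
    findings=$(
        # Directories need read+execute for others (at least 505) to be traversed.
        find "$root" -type d ! -perm -005 \
            -exec printf 'DIR_NOT_TRAVERSABLE %s\n' {} \;
        # .htaccess, HTML and other non-PHP files need the others read bit (404/644).
        find "$root" -type f ! -name '*.php' ! -perm -004 \
            -exec printf 'STATIC_NOT_READABLE %s\n' {} \;
        # PHP scripts only need owner access (400/600); flag group/other read.
        find "$root" -type f -name '*.php' \( -perm -040 -o -perm -004 \) \
            -exec printf 'PHP_READABLE_BY_OTHERS %s\n' {} \;
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run against a path given on the command line, e.g. a (hypothetical)
# /home/user/public_html.
if [ "$#" -gt 0 ]; then
    audit_docroot "$1"
fi
```

Each finding line names the rule that failed and the path, so the output can be reviewed before any `chmod` is applied.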
 

Seb45874

Dear Sparek 3,

You are perhaps not aware of this, but your answer is the best and clearest answer concerning this problem that I've seen in my humble research on the web!

How can I thank you?

