PHP-FPM and files permissions (.htaccess especially)

Discussion in 'EasyApache' started by Seb45874, Apr 21, 2018.

  1. Seb45874

    Seb45874 Registered

    Hi,

    Correct me if I'm wrong:

    PHP-FPM is running, so is it correct that, for best security, website file ownership and permissions should be:

    500 for directories with owner user:user
    400 for files with owner user:user

    So why does the .htaccess need to be 404 to work?
    Why do directories need to be 505 to work?
    Why do files work with 400 and not follow the logic of the others by needing 404?
    Thanks.
     
  2. sparek-3

    sparek-3 Well-Known Member

    The .htaccess file is read by the Apache user - nobody - so if the file is owned by user, then the others bit would also have to have read permissions.

    HTML files and any non-PHP (or CGI) script has to be readable by the Apache user (if you're talking about files in a VirtualHost's DocumentRoot).

    PHP scripts can have a permission of 400 (which means the read bit is enabled for the owner and nothing for the group or other bits).

    But files, like raw HTML files, have to be readable by the other bit, so a permission of 404 (read bit for owner and read bit for others) needs to be set. Technically, you could set it to 004 (read bit on others bit only), but then you won't be able to read the file, download it with FTP or edit it in the cPanel.

    Directories need the execute bit, and the Apache user needs to be able to traverse into those directories, that's why 505 is needed (read bit for owner and others and execute bit for owner and others).

    Typically you would set directories to 755 which gives the owner full access (read/write/execute) and group and others read and execute access.

    Typically you would set files to 644 which gives the owner read and write access and group and others read access.

    If the file is a PHP script, being executed in a PHP-FPM environment or an environment where PHP is executed as the VirtualHost owner, then you can get by with setting that script to 600, read and write access to the owner only.

    I would recommend using 600 permissions on PHP config files at the very least. I suppose ideally, you could set all PHP files to 600 to prevent any other user on the server from possibly reading the files, but this is especially true for config files that contain sensitive information. But there's not a clear-cut way to do this on a per file type basis. For one: How are you uploading or creating the files? And how is that application supposed to know that they are PHP scripts? For another: Not everyone uses PHP-FPM or executes PHP in a VirtualHost owner environment. This is less common than it was many years ago, but when PHP first came out it was run as a DSO module in PHP, executing as the Apache user, which necessitated higher file permissions to run and execute. I'm not sure how many such environments still exist, but I'm sure there still are some (although, maybe not cPanel environments). In my opinion, this comes down to end-user education. Instead of depending on some application to do this for you, understand what proper file permissions are and act accordingly.
     
    Seb45874 and cPanelLauren like this.
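
The permission rules from the answer above, turned into an audit script. This is an added example, not part of the original posts or of cPanel: the function names, the sample tree and the `.php` extension test are assumptions, and it presumes PHP runs as the account owner (PHP-FPM) while Apache runs as a user covered by the "others" bits.

```shell
#!/bin/sh
# Added example: audit a DocumentRoot against the rules in the answer above.
# Assumptions: PHP runs as the file owner (PHP-FPM), Apache reads files via
# the "others" bits, and PHP scripts are recognised by a .php extension.

audit_docroot() {
    root=$1
    # Directories Apache cannot traverse: others lack the execute bit.
    find "$root" -type d ! -perm -001 | sed 's/^/dir-no-traverse /'
    # Static files and .htaccess Apache cannot read: others lack the read bit.
    find "$root" -type f ! -name '*.php' ! -perm -004 | sed 's/^/static-unreadable /'
    # PHP scripts readable by other users although only the owner needs access.
    find "$root" -type f -name '*.php' -perm -004 | sed 's/^/php-world-readable /'
}

# Build a constructed sample tree (not a real account) and print its docroot.
make_sample_tree() {
    d=$(mktemp -d)
    w="$d/public_html"
    mkdir -p "$w/img" "$w/private"
    echo '<?php /* constructed config */' > "$w/config.php"
    echo '<?php /* constructed page */'   > "$w/index.php"
    echo '<p>constructed page</p>'        > "$w/index.html"
    echo 'Options -Indexes'               > "$w/.htaccess"
    chmod 600 "$w/config.php"   # owner only: what the answer recommends
    chmod 644 "$w/index.php"    # works, but readable by every local user
    chmod 644 "$w/index.html"   # static file: Apache needs the others read bit
    chmod 400 "$w/.htaccess"    # Apache cannot read this one
    chmod 755 "$w" "$w/img"
    chmod 700 "$w/private"      # Apache cannot traverse this one
    echo "$w"
}

demo_root=$(make_sample_tree)
audit_docroot "$demo_root"
rm -rf "$(dirname "$demo_root")"
```

Point `audit_docroot` at a real DocumentRoot to list what would break under Apache and which PHP scripts are more exposed than PHP-FPM requires.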
  3. Seb45874

    Seb45874 Registered

    Dear Sparek 3,

    You are perhaps not aware of this, but your answer is the best and clearest answer concerning this problem I've seen in my humble research on the web!

    How can I thank you?


     
  4. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Hello, we're happy to see you were able to get an answer to your question! Thank you @sparek-3 for the detailed explanation!
     
    Seb45874 likes this.