Why are 644 and 755 unix permissions ideal for files/directories in public folders?

[cPanelDon]

Can cPanel automatically adjust permissions for our users?

This is typically the responsibility of the Server Administration team to apply mass changes to file and directory permissions. A System Administrator could devise a basic shell script or commands to perform the desired mass-adjustment actions to access permissions and or ownership. The "find" command is what I suggest using as a starting point as you can define search criteria of what you're looking for and then have it run a command on each result (using the "-exec" option for "find").

 

[dakman]

Don, I understand cPanel wouldn't adjust this but if SuPHP is installed what would be the reason why a file would set to 644 if 600 are ideal permissions for PHP files? There's no point using 644 and SuPHP for security purposes as you're just making files still world readable...

What does cPanel recommend for file permissions (for shared environments)? Are they inline with what Spiral says (besides not using owner:group)?

 

[Spiral]

I guess I'll chime in here and clear up some of the confusion ...

To answer dakman's larger question about making folders readable to everyone even under SuPHP environments, this has to do primary with the simple fact that not everything is accessed as OWNER under SuPHP. Direct accessed HTML files, image files, css stylesheets and other related files are still accessed under the Apache process (user "nobody") exactly the same as Apache Module (DSO) based systems so user "nobody" still needs access EVEN WHEN USING SUPHP.

The primary difference is when you are talking about PHP scripts themselves and files those scripts access directly from within those same scripts as those are all accessed as OWNER under SuPHP or phpSuExec.

Now while it is necessary to still allow user "nobody" at least read and folder listing access even under SuPHP, this need not necessarily be done via the EVERYONE permission field but rather could be done just as easily using the GROUP permission field if you set the GROUP on those files and folders to "nobody" which would allow you to use "0750" for folders instead of "0755" and for files "0640" instead of "0644".

For those who don't understand permissions fully, I'll take a quick moment to give everyone a quick crash course and then some of this conversation may make a lot more sense.

Permissions have numerical values ....

1 = Executable (run as script) [FILES]  /  
    Directory List  [FOLDERS]
2 = Writable Access
4 = Readable Access

Permission numbers are created by simply adding the permissions together that you want to grant. In example, to give ALL permissions, you would use a 7 (1 + 2 + 4) to grant EXECUTABLE / WRITEABLE / and READABLE access to a given file.

Ah, but there is "3" digits with permissions you ask?

Actually the permission setting is only one single digit but when you setup permissions on a file or folder you give a "3" digit number symbolizing the permissions for the OWNER of the file or folder, the GROUP of the file or folder, and then finally the permissions for EVERYONE else in the world.

Thus, given the permission "640" on a file --

The OWNER of the file has READ and WRITE access (6 = 4 + 2) ...

The GROUP members have READ access only (4 = 4) ...

EVERYONE else has no access whatsoever (0 = 0 ) ...

Under SuPHP and phpSuExec, the relative permission bit for PHP scripts and the files those scripts access or call is the OWNER field.

Under systems with PHP based on DSO (Apache Module), all scripts run as the common user "nobody" so access needs to be granted to the EVERYONE field UNLESS the the user nobody is a member of the file or folder's GROUP and then the relative field would in that case actually be the GROUP instead of EVERYONE which is a bit more secure than globally allowing everyone access.

It should be obvious from the conversation above but granting permissions to the EVERYONE field literally means everyone that has an account on the server has those permissions which is why it is extremely dangerous to set WRITABLE access to the EVERYONE field and even more dangerous setting the EXECUTABLE bit on that same field!

NEVER SET '777' ON ANY FILE OR FOLDER NO MATTER WHAT TYPE OF PHP SYSTEM YOUR SERVER USES!

For lack of a better word, I would say that many script authors are "morons" where it comes to permission recommendations but if you understand what the permissions really do and what they mean, you can easily make more intelligent decisions regarding file and folder permissions.

Hope this helps ....

PS: In case anyone doesn't know, the "EXECUTABLE" bit need not be set on PHP scripts (unless running directly as a shell script in SSH) and many don't realize this but under SuPHP (where the OWNER bit is relative), you can set PHP scripts as tightly as 0400 and they would work fine though 0640 is most common.

SuPHP File Permission Recommendations:

0750 / 0755  Folders  (OWNER = Owner Login : GROUP = nobody) /
      Alternate if not able to set GROUP

0600   General PHP Scripts

0400   Configuration Scripts (IE: config.php)  and / or 
          scripts that complain about being insecure or WRITABLE

0640  / 0644    General Files or Files that need WRITABLE access and this 
      includes all your standard HTML files, Stylesheets, Images, Media Files, Etc.

      ***  These would be the ones the script authors tell you incorrectly to do 0777 ***

750  /  755    Perl / CGI Scripts

 

[cPanelDon]

Don, I understand cPanel wouldn't adjust this but if SuPHP is installed what would be the reason why a file would set to 644 if 600 are ideal permissions for PHP files? There's no point using 644 and SuPHP for security purposes as you're just making files still world readable...

What does cPanel recommend for file permissions (for shared environments)? Are they inline with what Spiral says (besides not using owner:group)?

There is no official stance one way or the other regarding this extremely specific question; what to use is entirely up to the System Administrators and users that manage the servers and content. Not everyone may see a single recommendation as ideal for his or her unique situation and I would venture to say that people might prefer to decide for themselves how to configure their systems; each person may have a specific reason or need for requiring different access permissions.

 

[caeos]

excuse my late joining and ignorance.

where can i check/set/force the default permissions for a file on saving

eg a file previously set at 644 gets edited via cpanel on line file manager or via a script and on closing/saving suddenly gets a new permission of 444

obviously it should stay the same as when it was opened.
I have cpanel/whm installed and root access.

thanks

 

[mambovince]

I am also at the beginning stages of setting up one of my VPS's to use SuPHP, and wondered if the following SSH commands will help ensure correct file permissions as I'm migrating many accounts from a VPS that had PHP as cgi:

find /home*/*/public_html -type d -perm 0777 -exec chmod 755 {} \;
find /home*/*/public_html -type f -perm 0666 -exec chmod 644 {} \;
Found these here:
http://forums.cpanel.net/f5/suphp-questions-77673.html

I have also run /scripts/chownpublichtmls
But now I have a few websites that when accessed they bring up a file download option instead of the website

Any help appreciated.

- Vincent

 

[Spiral]

find /home*/*/public_html -type d -perm 0777 -exec chmod 755 {} \;
find /home*/*/public_html -type f -perm 0666 -exec chmod 644 {} \;

I'm really not overly thrilled with those commands but if you are going to do it that way, I would run the 777 line against "-type f" as well since you could have some script or web site files incorrectly set to 777 as well.

(Please though if you want to run those at the very least put a '--' after the permission number and before the '{}' in those commands )

Anyway, while setting folders to '755' and files to '644' would work, it is not really the most ideal and you can see my other posts for more details on what would be better permission selections for that.

But now I have a few websites that when accessed they bring up a file download option instead of the website

THIS HAS NOTHING TO DO WITH YOUR FILE OR FOLDER PERMISSIONS

Your PHP interpreter is not running either because you don't have the configuration properly loaded or because your PHP is broken as sometimes happens when selecting conflicting or incompatible options at compile time when initially setting up PHP.

Calling a broken or missing extension in PHP.INI can do this as well.

On rarer occasions, I've seen the symlinks and paths to the PHP binaries mixed up and that too can cause your PHP not to execute properly.

In any case, your PHP itself is not working and your Apache server subsequently doesn't know to handle the PHP files so it just treats them as downloadable file content to send to the web browser.

I would take a look at the following files to see what is going on:

/usr/local/apache/conf/php.conf
/usr/local/lib/php.ini
/opt/suphp/etc/suphp.conf

 

[Spiral]

ADDENDUM: Since you mentioned "a few sites", you may want to take a look at the .htaccess files in those sites and see if they are attempting to modify the PHP file type or handlers as this too can break the PHP parsing.

 

[richardwing]

I used to be able to upload my scripts by ftp and my folder would get 755 and php files would get 755 so that they would run in a browser.

Now my files in the folders get set to 644 which means I have to go in an change permissions manually on hundreds of files to make them visible.

I am on a dedicated server and cant seem to locate where I would make any setting changes.

Where do I start?

Any assistance would be greatly appreciated.

Richard Wing