
Why are 644 and 755 unix permissions ideal for files/directories in public folders?

Discussion in 'Security' started by dakman, Nov 1, 2009.

  1. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    This is typically the responsibility of the Server Administration team to apply mass changes to file and directory permissions. A System Administrator could devise a basic shell script or commands to perform the desired mass-adjustment actions to access permissions and/or ownership. The "find" command is what I suggest using as a starting point, as you can define search criteria of what you're looking for and then have it run a command on each result (using the "-exec" option for "find").
     
  2. dakman

    dakman Member

    Don, I understand cPanel wouldn't adjust this, but if SuPHP is installed, what would be the reason why a file would be set to 644 if 600 are ideal permissions for PHP files? There's no point using 644 and SuPHP for security purposes as you're just making files still world readable...

    What does cPanel recommend for file permissions (for shared environments)? Are they in line with what Spiral says (besides not using owner:group)?
     
  3. Spiral

    Spiral BANNED

    I guess I'll chime in here and clear up some of the confusion ...

    To answer dakman's larger question about making folders readable to everyone even under SuPHP environments, this has to do primarily with the simple fact that not everything is accessed as OWNER under SuPHP. Directly accessed HTML files, image files, CSS stylesheets and other related files are still accessed under the Apache process (user "nobody") exactly the same as Apache Module (DSO) based systems, so user "nobody" still needs access EVEN WHEN USING SUPHP.

    The primary difference is when you are talking about PHP scripts themselves and files those scripts access directly from within those same scripts as those are all accessed as OWNER under SuPHP or phpSuExec.

    Now while it is necessary to still allow user "nobody" at least read and folder listing access even under SuPHP, this need not necessarily be done via the EVERYONE permission field but rather could be done just as easily using the GROUP permission field if you set the GROUP on those files and folders to "nobody" which would allow you to use "0750" for folders instead of "0755" and for files "0640" instead of "0644".

    For those who don't understand permissions fully, I'll take a quick moment to give everyone a quick crash course and then some of this conversation may make a lot more sense.

    Permissions have numerical values ....
    Code:
    1 = Executable (run as script) [FILES]  /  Directory List [FOLDERS]
    2 = Writable Access
    4 = Readable Access
    
    Permission numbers are created by simply adding the permissions together that you want to grant. For example, to give ALL permissions, you would use a 7 (1 + 2 + 4) to grant EXECUTABLE / WRITEABLE / and READABLE access to a given file.

    Ah, but there are "3" digits with permissions you ask?

    Actually the permission setting is only one single digit, but when you set up permissions on a file or folder you give a "3" digit number symbolizing the permissions for the OWNER of the file or folder, the GROUP of the file or folder, and then finally the permissions for EVERYONE else in the world.

    Thus, given the permission "640" on a file --

    The OWNER of the file has READ and WRITE access (6 = 4 + 2) ...

    The GROUP members have READ access only (4 = 4) ...

    EVERYONE else has no access whatsoever (0 = 0 ) ...

    Under SuPHP and phpSuExec, the relative permission bit for PHP scripts and the files those scripts access or call is the OWNER field.

    Under systems with PHP based on DSO (Apache Module), all scripts run as the common user "nobody" so access needs to be granted to the EVERYONE field UNLESS the user nobody is a member of the file or folder's GROUP and then the relative field would in that case actually be the GROUP instead of EVERYONE which is a bit more secure than globally allowing everyone access.

    It should be obvious from the conversation above but granting permissions to the EVERYONE field literally means everyone that has an account on the server has those permissions which is why it is extremely dangerous to set WRITABLE access to the EVERYONE field and even more dangerous setting the EXECUTABLE bit on that same field!

    NEVER SET '777' ON ANY FILE OR FOLDER NO MATTER WHAT TYPE OF PHP SYSTEM YOUR SERVER USES!

    For lack of a better word, I would say that many script authors are "morons" when it comes to permission recommendations, but if you understand what the permissions really do and what they mean, you can easily make more intelligent decisions regarding file and folder permissions.

    Hope this helps ....

    PS: In case anyone doesn't know, the "EXECUTABLE" bit need not be set on PHP scripts (unless running directly as a shell script in SSH) and many don't realize this but under SuPHP (where the OWNER bit is relative), you can set PHP scripts as tightly as 0400 and they would work fine though 0640 is most common.

    SuPHP File Permission Recommendations:
    Code:
    0750 / 0755    Folders  (OWNER = Owner Login : GROUP = nobody) / Alternate if not able to set GROUP

    0600           General PHP Scripts

    0400           Configuration Scripts (IE: config.php) and / or scripts that complain about being insecure or WRITABLE

    0640 / 0644    General Files or Files that need WRITABLE access and this includes all your standard HTML files, Stylesheets, Images, Media Files, Etc.

                   ***  These would be the ones the script authors tell you incorrectly to do 0777 ***

    750 / 755      Perl / CGI Scripts
    
     
    #23 Spiral, Nov 16, 2009
    Last edited: Nov 16, 2009
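
The permission arithmetic and the SuPHP recommendations from the post above, as an added example that is not part of the original thread: `describe_mode` splits an octal mode into its OWNER / GROUP / EVERYONE fields, and `audit_tree` flags entries looser than the recommendations. The function names and the sample tree are constructed for illustration, and `stat -c %a` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat ("stat -c %a").

# One octal digit (0-7) to rwx notation: 4 = read, 2 = write, 1 = execute/list.
digit_to_rwx() {
    n=$1; s=""
    if [ $((n & 4)) -ne 0 ]; then s="${s}r"; else s="${s}-"; fi
    if [ $((n & 2)) -ne 0 ]; then s="${s}w"; else s="${s}-"; fi
    if [ $((n & 1)) -ne 0 ]; then s="${s}x"; else s="${s}-"; fi
    printf '%s' "$s"
}

# describe_mode 640 prints: owner=rw- group=r-- everyone=---
describe_mode() {
    m=$((0$1))   # the leading 0 makes the shell read the digits as octal
    printf 'owner=%s group=%s everyone=%s\n' \
        "$(digit_to_rwx $(( (m >> 6) & 7 )))" \
        "$(digit_to_rwx $(( (m >> 3) & 7 )))" \
        "$(digit_to_rwx $(( m & 7 )))"
}

# audit_tree DIR: one finding per line for anything writable by EVERYONE and
# for PHP scripts that GROUP or EVERYONE can access at all (looser than 0600).
# File names containing newlines are not handled.
audit_tree() {
    find "$1" \( -type f -o -type d \) | while IFS= read -r p; do
        oct=$(stat -c %a "$p"); m=$((0$oct))
        if [ $((m & 2)) -ne 0 ]; then echo "WORLD-WRITABLE $oct $p"; fi
        case $p in
            *.php) if [ $((m & 077)) -ne 0 ]; then echo "PHP-LOOSE $oct $p"; fi ;;
        esac
    done | sort
}

# Constructed sample tree used to exercise the audit.
make_sample() {
    root=$(mktemp -d)
    mkdir "$root/uploads";  chmod 777 "$root/uploads"
    : > "$root/index.php";  chmod 644 "$root/index.php"
    : > "$root/config.php"; chmod 400 "$root/config.php"
    : > "$root/style.css";  chmod 644 "$root/style.css"
    printf '%s' "$root"
}

# Usage: audit_tree "$(make_sample)"
```

On the sample tree the audit reports the 0777 `uploads` folder and the 0644 `index.php`; the 0400 `config.php` and the 0644 stylesheet pass.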
  4. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    There is no official stance one way or the other regarding this extremely specific question; what to use is entirely up to the System Administrators and users that manage the servers and content. Not everyone may see a single recommendation as ideal for his or her unique situation and I would venture to say that people might prefer to decide for themselves how to configure their systems; each person may have a specific reason or need for requiring different access permissions.
     
  5. caeos

    caeos Well-Known Member

    Excuse my late joining and ignorance.

    Where can I check/set/force the default permissions for a file on saving?

    E.g. a file previously set at 644 gets edited via the cPanel online file manager or via a script, and on closing/saving suddenly gets a new permission of 444.

    Obviously it should stay the same as when it was opened.
    I have cPanel/WHM installed and root access.

    Thanks
     
    #25 caeos, Feb 4, 2010
    Last edited: Feb 4, 2010
  6. mambovince

    mambovince Well-Known Member

    I am also at the beginning stages of setting up one of my VPS's to use SuPHP, and wondered if the following SSH commands will help ensure correct file permissions as I'm migrating many accounts from a VPS that had PHP as cgi:

    find /home*/*/public_html -type d -perm 0777 -exec chmod 755 {} \;
    find /home*/*/public_html -type f -perm 0666 -exec chmod 644 {} \;
    Found these here:
    http://forums.cpanel.net/f5/suphp-questions-77673.html

    I have also run /scripts/chownpublichtmls
    But now I have a few websites that when accessed they bring up a file download option instead of the website :confused:

    Any help appreciated.

    - Vincent
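
An added example, not part of the original post: in `find`, `-perm 0777` and `-perm 0666` select only entries whose mode is exactly that value, while `-perm -0002` selects anything with the EVERYONE write bit set. The tree and function names are constructed for illustration, and `go-w` is chosen here because it yields the same 755 / 644 targets as the commands in the post.

```shell
#!/bin/sh
# Added example (not from the thread): exact-mode matching vs. bit matching.

# Constructed tree: four world-writable entries, only two of which have the
# exact modes 0777 / 0666.
build_tree() {
    base=$(mktemp -d)
    mkdir "$base/a" "$base/b" "$base/ok"
    chmod 777 "$base/a"; chmod 757 "$base/b"; chmod 755 "$base/ok"
    : > "$base/a/x.php"; chmod 666 "$base/a/x.php"
    : > "$base/a/y.php"; chmod 646 "$base/a/y.php"
    : > "$base/a/z.php"; chmod 644 "$base/a/z.php"
    printf '%s' "$base"
}

# Entries selected by exact-mode tests: directories that are exactly 0777
# or files that are exactly 0666.
count_exact() {
    find "$1" \( -type d -perm 0777 -o -type f -perm 0666 \) | wc -l
}

# Entries with the EVERYONE write bit set, whatever the other bits are.
count_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 | wc -l
}

# Remove GROUP and EVERYONE write access from every world-writable entry,
# leaving read and execute bits as they were (777 -> 755, 646 -> 644).
strip_world_write() {
    find "$1" \( -type d -o -type f \) -perm -0002 -exec chmod go-w {} +
}

# Usage:
#   t=$(build_tree)
#   count_exact "$t"            # 2
#   count_world_writable "$t"   # 4
#   strip_world_write "$t"
```
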
     
  7. Spiral

    Spiral BANNED

     
  8. Spiral

    Spiral BANNED

    ADDENDUM: Since you mentioned "a few sites", you may want to take a look at the .htaccess files in those sites and see if they are attempting to modify the PHP file type or handlers as this too can break the PHP parsing.
     
  9. richardwing

    richardwing Member

    I used to be able to upload my scripts by FTP and my folder would get 755 and PHP files would get 755 so that they would run in a browser.

    Now my files in the folders get set to 644, which means I have to go in and change permissions manually on hundreds of files to make them visible.

    I am on a dedicated server and can't seem to locate where I would make any setting changes.

    Where do I start?

    Any assistance would be greatly appreciated.

    Richard Wing
     
