I guess I'll chime in here and clear up some of the confusion ...
To answer dakman's larger question about making folders readable to everyone even under SuPHP environments, this has to do primarily with the simple fact that not everything is accessed as OWNER under SuPHP. Directly accessed HTML files, image files, CSS stylesheets and other related files are still accessed under the Apache process (user "nobody") exactly the same as on Apache Module (DSO) based systems, so user "nobody" still needs access EVEN WHEN USING SUPHP.
The primary difference is when you are talking about PHP scripts themselves and the files those scripts access directly from within those same scripts, as those are all accessed as OWNER under SuPHP or phpSuExec.
Now while it is necessary to still allow user "nobody" at least read and folder listing access even under SuPHP, this need not necessarily be done via the EVERYONE permission field but rather could be done just as easily using the GROUP permission field if you set the GROUP on those files and folders to "nobody", which would allow you to use "0750" for folders instead of "0755" and for files "0640" instead of "0644".
For those who don't understand permissions fully, I'll take a quick moment to give everyone a quick crash course and then some of this conversation may make a lot more sense.
Permissions have numerical values ....
Code:
1 = Executable (run as script) [FILES] / Directory List [FOLDERS]
2 = Writable Access
4 = Readable Access
Permission numbers are created by simply adding together the permissions that you want to grant. For example, to give ALL permissions, you would use a 7 (1 + 2 + 4) to grant EXECUTABLE / WRITABLE / and READABLE access to a given file.
Ah, but there are "3" digits with permissions, you ask?
Actually the permission setting is only one single digit, but when you set up permissions on a file or folder you give a "3" digit number symbolizing the permissions for the OWNER of the file or folder, the GROUP of the file or folder, and then finally the permissions for EVERYONE else in the world.
Thus, given the permission "640" on a file --
The OWNER of the file has READ and WRITE access (6 = 4 + 2) ...
The GROUP members have READ access only (4 = 4) ...
EVERYONE else has no access whatsoever (0 = 0) ...
Under SuPHP and phpSuExec, the relative permission bit for PHP scripts and the files those scripts access or call is the OWNER field.
Under systems with PHP based on DSO (Apache Module), all scripts run as the common user "nobody", so access needs to be granted to the EVERYONE field UNLESS the user nobody is a member of the file or folder's GROUP, in which case the relative field would actually be the GROUP instead of EVERYONE, which is a bit more secure than globally allowing everyone access.
It should be obvious from the conversation above, but granting permissions to the EVERYONE field literally means everyone that has an account on the server has those permissions, which is why it is extremely dangerous to set WRITABLE access on the EVERYONE field and even more dangerous to set the EXECUTABLE bit on that same field!
NEVER SET '777' ON ANY FILE OR FOLDER NO MATTER WHAT TYPE OF PHP SYSTEM YOUR SERVER USES!
For lack of a better word, I would say that many script authors are "morons" where it comes to permission recommendations but if you understand what the permissions really do and what they mean, you can easily make more intelligent decisions regarding file and folder permissions.
Hope this helps ....
PS: In case anyone doesn't know, the "EXECUTABLE" bit need not be set on PHP scripts (unless running directly as a shell script in SSH) and many don't realize this but under SuPHP (where the OWNER bit is relative), you can set PHP scripts as tightly as 0400 and they would work fine though 0640 is most common.
SuPHP File Permission Recommendations:
Code:
0750 / 0755 Folders (OWNER = Owner Login : GROUP = nobody) / Alternate if not able to set GROUP
0600 General PHP Scripts
0400 Configuration Scripts (IE: config.php) and / or scripts that complain about being insecure or WRITABLE
0640 / 0644 General Files or Files that need WRITABLE access, and this includes all your standard HTML files, Stylesheets, Images, Media Files, Etc.
*** These would be the ones the script authors tell you incorrectly to do 0777 ***
750 / 755 Perl / CGI Scripts
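As an added example that is not part of the original post (nor code from SuPHP itself), here is a small Python model of the OWNER / GROUP / EVERYONE rules described above; the three accounts and their uid/gid numbers are constructed placeholders. It works out which field applies to a given user, whether a read/write/execute access is granted, and whether the EVERYONE field carries the bits the post warns against.

```python
"""Model of the OWNER / GROUP / EVERYONE fields and the SuPHP vs DSO access rules above."""
import stat
from typing import Optional

# Constructed accounts for this example; the uids and gids are placeholders, not real values.
OWNER = {"uid": 1001, "gids": {1001}}   # the customer's login; SuPHP runs their PHP as this user
NOBODY = {"uid": 99, "gids": {99}}      # the Apache process user that serves HTML, CSS, images
OTHER = {"uid": 1002, "gids": {1002}}   # any other account on the same shared server


def relevant_field(file_uid: int, file_gid: int, user: dict) -> str:
    """The kernel consults exactly one field per access; the first match wins."""
    if user["uid"] == file_uid:
        return "OWNER"
    if file_gid in user["gids"]:
        return "GROUP"
    return "EVERYONE"


def can_access(mode: int, file_uid: int, file_gid: int, user: dict, want: str) -> bool:
    """want is 'r', 'w' or 'x'; on a folder 'x' means it may be entered/listed. Root is ignored."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    shift = {"OWNER": 6, "GROUP": 3, "EVERYONE": 0}[relevant_field(file_uid, file_gid, user)]
    return bool((mode >> shift) & bit)


def everyone_field_risk(mode: int, is_dir: bool = False) -> Optional[str]:
    """Flags the EVERYONE-field settings the post warns against (0777, 0666 and friends)."""
    if mode & stat.S_IWOTH:
        return "WRITABLE granted to EVERYONE"
    if mode & stat.S_IXOTH and not is_dir:
        return "EXECUTABLE granted to EVERYONE on a file"
    return None


if __name__ == "__main__":
    # config.php at 0400: SuPHP reads it as OWNER; Apache's nobody and other customers cannot.
    print(can_access(0o400, 1001, 1001, OWNER, "r"), can_access(0o400, 1001, 1001, NOBODY, "r"))
    # style.css at 0640 with GROUP=nobody: Apache can serve it, other customers cannot read it.
    print(can_access(0o640, 1001, 99, NOBODY, "r"), can_access(0o640, 1001, 99, OTHER, "r"))
    # Same file at 0640 but GROUP left as the owner's group: Apache is refused, so 0644 is needed.
    print(can_access(0o640, 1001, 1001, NOBODY, "r"), can_access(0o644, 1001, 1001, NOBODY, "r"))
    # A folder at 0755 legitimately needs x for EVERYONE; a file at 0777 is the mistake to catch.
    print(everyone_field_risk(0o755, is_dir=True), everyone_field_risk(0o777))
```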