Why are 644 and 755 unix permissions ideal for files/directories in public folders?

I guess I'll chime in here and clear up some of the confusion ...

To answer dakman's larger question about making folders readable to everyone even under SuPHP environments, this has to do primary with the simple fact that not everything is accessed as OWNER under SuPHP. Direct accessed HTML files, image files, css stylesheets and other related files are still accessed under the Apache process (user "nobody") exactly the same as Apache Module (DSO) based systems so user "nobody" still needs access EVEN WHEN USING SUPHP.

The primary difference is when you are talking about PHP scripts themselves and files those scripts access directly from within those same scripts as those are all accessed as OWNER under SuPHP or phpSuExec.

Now while it is necessary to still allow user "nobody" at least read and folder listing access even under SuPHP, this need not necessarily be done via the EVERYONE permission field but rather could be done just as easily using the GROUP permission field if you set the GROUP on those files and folders to "nobody" which would allow you to use "0750" for folders instead of "0755" and for files "0640" instead of "0644".

For those who don't understand permissions fully, I'll take a quick moment to give everyone a quick crash course and then some of this conversation may make a lot more sense.

Permissions have numerical values ....

Code:

1 = Executable (run as script) [FILES]  /  
    Directory List  [FOLDERS]
2 = Writable Access
4 = Readable Access

Permission numbers are created by simply adding the permissions together that you want to grant. In example, to give ALL permissions, you would use a 7 (1 + 2 + 4) to grant EXECUTABLE / WRITEABLE / and READABLE access to a given file.

Ah, but there is "3" digits with permissions you ask?

Actually the permission setting is only one single digit but when you setup permissions on a file or folder you give a "3" digit number symbolizing the permissions for the OWNER of the file or folder, the GROUP of the file or folder, and then finally the permissions for EVERYONE else in the world.

Thus, given the permission "640" on a file --

The OWNER of the file has READ and WRITE access (6 = 4 + 2) ...

The GROUP members have READ access only (4 = 4) ...

EVERYONE else has no access whatsoever (0 = 0 ) ...

Under SuPHP and phpSuExec, the relative permission bit for PHP scripts and the files those scripts access or call is the OWNER field.

Under systems with PHP based on DSO (Apache Module), all scripts run as the common user "nobody" so access needs to be granted to the EVERYONE field UNLESS the the user nobody is a member of the file or folder's GROUP and then the relative field would in that case actually be the GROUP instead of EVERYONE which is a bit more secure than globally allowing everyone access.

It should be obvious from the conversation above but granting permissions to the EVERYONE field literally means everyone that has an account on the server has those permissions which is why it is extremely dangerous to set WRITABLE access to the EVERYONE field and even more dangerous setting the EXECUTABLE bit on that same field!

NEVER SET '777' ON ANY FILE OR FOLDER NO MATTER WHAT TYPE OF PHP SYSTEM YOUR SERVER USES!

For lack of a better word, I would say that many script authors are "morons" where it comes to permission recommendations but if you understand what the permissions really do and what they mean, you can easily make more intelligent decisions regarding file and folder permissions.

Hope this helps ....

PS: In case anyone doesn't know, the "EXECUTABLE" bit need not be set on PHP scripts (unless running directly as a shell script in SSH) and many don't realize this but under SuPHP (where the OWNER bit is relative), you can set PHP scripts as tightly as 0400 and they would work fine though 0640 is most common.

SuPHP File Permission Recommendations:

Code:

0750 / 0755  Folders  (OWNER = Owner Login : GROUP = nobody) /
      Alternate if not able to set GROUP

0600   General PHP Scripts

0400   Configuration Scripts (IE: config.php)  and / or 
          scripts that complain about being insecure or WRITABLE

0640  / 0644    General Files or Files that need WRITABLE access and this 
      includes all your standard HTML files, Stylesheets, Images, Media Files, Etc.

      ***  These would be the ones the script authors tell you incorrectly to do 0777 ***

750  /  755    Perl / CGI Scripts

 

excuse my late joining and ignorance.

where can i check/set/force the default permissions for a file on saving

eg a file previously set at 644 gets edited via cpanel on line file manager or via a script and on closing/saving suddenly gets a new permission of 444

obviously it should stay the same as when it was opened.
I have cpanel/whm installed and root access.

thanks

 

I am also at the beginning stages of setting up one of my VPS's to use SuPHP, and wondered if the following SSH commands will help ensure correct file permissions as I'm migrating many accounts from a VPS that had PHP as cgi:

find /home*/*/public_html -type d -perm 0777 -exec chmod 755 {} \;
find /home*/*/public_html -type f -perm 0666 -exec chmod 644 {} \;
Found these here:
http://forums.cpanel.net/f5/suphp-questions-77673.html

I have also run /scripts/chownpublichtmls
But now I have a few websites that when accessed they bring up a file download option instead of the website

Any help appreciated.

- Vincent

 

ADDENDUM: Since you mentioned "a few sites", you may want to take a look at the .htaccess files in those sites and see if they are attempting to modify the PHP file type or handlers as this too can break the PHP parsing.

 

I used to be able to upload my scripts by ftp and my folder would get 755 and php files would get 755 so that they would run in a browser.

Now my files in the folders get set to 644 which means I have to go in an change permissions manually on hundreds of files to make them visible.

I am on a dedicated server and cant seem to locate where I would make any setting changes.

Where do I start?

Any assistance would be greatly appreciated.

Richard Wing