Results 1 to 10 of 13

Thread: Help With Chmod File Permissions

  1. #1
    Junior Member
    Join Date
    Nov 2004
    Posts
    11

    Question Help With Chmod File Permissions

    Hi everyone,

    I was wondering if you guys could point me in the right direction concerning chmod file permissions (755, 777, etc.).

    I have a site hosted on an apache linux server, and was wondering which file permissions I should assign my files and directories? Can you recommend how to lock down my files and directories while still giving my visitors read access?

    My site is very simple and only contains a few basic javascript based scripts, like a hit counter and a few rollovers.

    Thanks!

  2. #2
    Senior Member
    Join Date
    Jan 2005
    Posts
    128
    chmod permissions 755 etc etc are based on counting

    read = 1
    write = 2
    execute = 4

    want the user to have Read Write Execute, 1 + 2 + 4 = 7
    want the group to have Read (NO)Write Execute, 1 + 0 + 4 = 5
    want everyone else to have (NO)Read (NO)Write (NO)Execute, 0 + 0 + 0 = 0

    == 7 5 0

    chmod 750 <file/dir>

    other examples

    want the user to have Read Write (NO)Execute, 1 + 2 + 0 = 3
    want the group to have Read (NO)Write (NO)Execute, 1 + 0 + 0 = 1
    want everyone else to have Read Write Execute, 1 + 2 + 4 = 7

    == 3 1 7

    chmod 317 <file/dir>

    As being specific to Apache, on a production server, I couldn't say but

    If You've Done Something Right. People Won't Know You've Done Anything At All - God (futurama)

  3. #3
    Senior Member
    Join Date
    Mar 2003
    Posts
    135
    Here's the first listing from a Google search:
    http://www.hostingmanual.net/other/permissions.shtml

    Basically, it's like this:
    Each file and directory has permissions for three entities: the person who created the file (owner), the group to which the owner belongs, and everyone else (others). Each of these entities can be assigned the ability to
    1. read the file and list the contents of the directory
    2. write/change the file or directory
    3. execute the file (if it's executable) or list info on a directory.

    Each of these abilities can be assigned a letter (r/w/x) or a number (4=read, 2=write, 1=execute). When listing the permissions of a file/directory, the system will return the abilities (via letters) for the owner-group-others. So if the owner can do anything, his group can read and write, and everyone else can only read, you would have:
    -rwxrw-r--

    In number style:
    0764

    The first number refers to the "sticky bit" that you don't need to concern yourself with just yet (and don't have to include in the following commands). The leading hyphen just means it's a file (a 'd' would signify a directory).

    To change these settings, use
    Code:
    chmod [u|g|o|a][+|-][r|w|x] fileordirectoryname
    Where the things inside [ ]'s are required, and things separated by |'s are options. You can also use numbers. Examples:

    chmod u+rx index.html or chmod 500 index.html
    (Would give the user, aka owner, read and execute perms but deny everyone else everything)

    chmod go+rw index.html or chmod 055 index.html
    (Would give the owner's group and all others read and write perms)

    Lastly, most files are automatically assigned a standard set of perms when created. This is because of something called the umask. The usual umask gives perms to files of 644 and directories get 755. Always give an entity directory permissions of read and execute or neither (they kind of go hand-in-hand). Write can be assigned on its own.

    For your javascript, I would assume you need to give people only read permissions, since it's a client-side scripting language. Try that (for security reasons) unless someone on here tells you otherwise, and if it doesn't work, you might need to give it executable perms.
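
    The owner/group/other arithmetic explained in this post, as an added worked example that is not from the thread (Python). It assumes the corrected weights read=4, write=2, execute=1 that a later reply gives, and converts between the ls -l letters and the octal number chmod takes.

```python
# Added example (not from the thread): octal <-> symbolic permission arithmetic
# as described above, using the weights read=4, write=2, execute=1.

def digit(read=False, write=False, execute=False):
    """One octal digit for one entity (owner, group or other)."""
    return (4 if read else 0) + (2 if write else 0) + (1 if execute else 0)

def mode_from_symbolic(perm):
    """'rwxrw-r--' (an ls -l listing without its type character) -> 0o764."""
    if len(perm) != 9:
        raise ValueError("expected nine characters, e.g. rwxrw-r--")
    mode = 0
    for i, ch in enumerate(perm):
        expected = "rwx"[i % 3]        # each triple is read, write, execute
        if ch == expected:
            mode |= 1 << (8 - i)       # bit 8 = owner read ... bit 0 = other execute
        elif ch != "-":
            raise ValueError(f"bad character {ch!r} at position {i}")
    return mode

def symbolic_from_mode(mode):
    """0o701 -> 'rwx-----x' (the inverse of mode_from_symbolic)."""
    bits = "rwx" * 3
    return "".join(bits[i] if mode & (1 << (8 - i)) else "-" for i in range(9))

def octal_string(mode):
    """Render a mode the way chmod takes it, e.g. 0o764 -> '764'."""
    return format(mode & 0o777, "o").zfill(3)

def explain(mode):
    """Per-entity breakdown, e.g. 0o704 -> {'owner': 'rwx', 'group': '---', 'other': 'r--'}."""
    sym = symbolic_from_mode(mode)
    return {"owner": sym[0:3], "group": sym[3:6], "other": sym[6:9]}

if __name__ == "__main__":
    # The ls -l line quoted in the post, minus its leading type character:
    print(octal_string(mode_from_symbolic("rwxrw-r--")))   # 764
    # The 701 (directories) / 704 (files) recommendation made later in the thread:
    print(explain(0o701), explain(0o704))
```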

  4. #4
    Junior Member
    Join Date
    Nov 2004
    Posts
    11
    Wow, thank you for such a clear explanation guys.

    So, in reality, I could set all of my files and directories to 701 which would only give the owner (me) full permission?

    And then to prevent the public from viewing the contents of a directory since each directory still has read rights, I could modify my .htaccess file by adding something like this?:

    Code:
    # .htaccess already applies to the directory it sits in, so a
    # <Directory> container (and AllowOverride) is not allowed here
    Options None
    # refuses every request for this directory, visitors included
    Order Deny,Allow
    Deny from all
    # keeps the .htaccess / .htpasswd files themselves from being served
    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
    </Files>
    I think I understand now.

    Thanks!

  5. #5
    Senior Member
    Join Date
    Mar 2003
    Posts
    135
    Well, not completely...you need to remember that when you send a request for a web page, it is handled by the server--and it is the server that will need to be able to read/execute the document so it can send it back to you. Most (if not all) apache setups are run with the user "nobody" and under the group "nogroup". Thus, if you own the files, then the user nobody becomes an other.

    I'm not sure how your hosting provider handles all this. Unless your provider makes you part of nogroup, you could have some problems down the line if you rely solely on file permissions to allow access, unless you can change file ownership as well as permissions. Thus, I would advise that you either employ some other access control over files you don't want everyone to see (password authentication, allow by ip) or just not upload them in the first place.

  6. #6
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    Apache will display Web page files as long as they are world readable. You have to make sure you make all the files and subdirectories in your DocumentRoot have the correct permissions.

    It is a good idea to have the files owned by a nonprivileged user so that Web developers can update the files using FTP or SCP without requiring the root password.

    To do this:

    1. Create a user with a home directory of /home/www.

    2. Recursively change the file ownership permissions of the /home/www directory and all its subdirectories.

    3. Change the permissions on the /home/www directory to 755, which allows all users, including the Apache httpd daemon, to read the files inside.
    http://www.siliconvalleyccie.com/lin...pachebasic.htm
    I came in to the world with nothing. I still have most of it.

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Change the permissions on the /home/www directory to 755, which allows all users, including the Apache httpd daemon, to read the files inside.
    I personally think this is bad advice. If Groups don't need to see this, don't allow it (most restrictive/least permission policy should be what's used).

    Directories should be 701 (execute allows anonymous users into the directory to access files without seeing inside)

    Files, unless server side executables, should be 704.

    Information leakage is often the reason why many websites are compromised and/or defaced.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head

  8. #8
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    Originally posted here by Double//Cut
    chmod permissions 755 etc etc are based on counting

    read = 1
    write = 2
    execute = 4

    want the user to have Read Write Execute, 1 + 2 + 4 = 7
    want the group to have Read (NO)Write Execute, 1 + 0 + 4 = 5
    want everyone else to have (NO)Read (NO)Write (NO)Execute, 0 + 0 + 0 = 0

    == 7 5 0

    chmod 750 <file/dir>

    other examples

    want the user to have Read Write (NO)Execute, 1 + 2 + 0 = 3
    want the group to have Read (NO)Write (NO)Execute, 1 + 0 + 0 = 1
    want everyone else to have Read Write Execute, 1 + 2 + 4 = 7

    == 3 1 7

    chmod 317 <file/dir>

    As being specific to Apache, on a production server, I couldn't say but
    While doublecut has most of the explanation correct, there is an error:

    read = 4
    write = 2
    execute = 1

    source: http://en.wikipedia.org/wiki/Chmod

    other than that, everything is sound
    find / -name "*your_base*" -exec chown us:us {} \; Trust No One. Use Hardened Gentoo.
    CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM

  9. #9
    Junior Member
    Join Date
    Nov 2004
    Posts
    11
    I see, so it's really:

    read=4
    write=2
    execute=1

    So, as MsMittens mentioned, directories should be set at 701, and files set at 704? Also, for some reason there's no option that allows me to change the permissions for the root directory itself, only the files contained within? I have all of my files in the root directory (no subdirectories), which I'm not sure is a recommended security practice? Should I have subdirectories, or does it matter?

    I would like to give the group no rights, but I'm not sure if that would cause any problems (as KeyserSoze mentioned). I guess I should ask my host about this.

    I have a limited amount of control. I'm using DirectAdmin Control Panel, so I can only change file/directory permissions, password protect directories and add .htaccess files for extra control.

    Mind you, I don't have sensitive documents hosted on the server, just html and image files.

    I'm also confused about the differences between read and execute. I know that write allows a user to modify or add a file/directory, but what about read and execute?

    When a user visits my site and reads a simple html document, isn't the user already executing it? Or does execute only apply to scripts and programs?

    What permissions and other steps should I take in order to really lock down my site? I just want people who visit my site to have the bare minimums, like accessing and reading simple html documents.

    Thank you all for your help. I really appreciate it.

  10. #10
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    The person browsing the web site isn't a logged on user on the server, and has no actual access rights to read write or execute the files on that system. His web browser requests a document, and the web server software is configured to send him a copy of it.

    The important distinction is whether the files are readable by apache, so it can serve them to browsers. Once that is done, the user reads his own copy of the document, on his own browser. He doesn't care if the file was executable or whatever, because once he has a copy, that copy is his. He can't execute the file on the server, so there's no reason for it to be executable, I don't think.

    CGI scripts obey a whole different set of rules, but that's probably not what you were asking about.
    I came in to the world with nothing. I still have most of it.
