
Getting Started With File Permissions

File permissions are an important aspect to consider for any website. They matter even more in a shared hosting environment, since neighboring clients can potentially read or write to your files if the permissions are configured incorrectly.

Read access alone can expose sensitive information from site configuration files, such as the credentials needed to access your database. Write access could allow others to use your site to run malicious code, spread malware, or perform any number of other unwanted activities, including vandalizing your site.

 

Why Are File Permissions Important?

While file permissions are important in any hosting environment, this article deals specifically with current Hostdedi hosting environments. If file permissions are new to you, ask your service provider about best practices for your specific environment before making any changes.

Before attempting to set or alter permissions, you should first understand how they are represented on a typical web server.

Permissions are granted to three categories: user, group, and other. The user is the user on the system that owns the file. On Hostdedi systems, the group owner will typically be the user. On other hosts, you may have shared groups set up for the web server, FTP processes, and so on. In this context, “other” means absolutely any user having access to the system, including the group and owner.

 

What File Permissions Are There?

Each of the above categories can be granted three standard permissions: read, write, and execute.

The read permission allows a user to see the contents of a file. The write permission allows a user to alter the contents of a file. The execute permission allows a user to run a file if it is an executable type on the system; on a directory, it allows the directory to be entered so that its contents can be reached. Execute grants nothing useful on a normal image file.

The read, write, and execute permissions are typically represented in two forms. One form uses the letters r (read), w (write), and x (execute).

 

Octal Form File Permissions

The other form is known as octal form, where 4 represents read, 2 represents write, and 1 represents execute.

If more than one permission is granted, the numbers are added together, and the three results are shown in the order user, group, other. For example, permissions of 700 mean the file owner (user) has read, write, and execute permissions, while the group and everyone else have no permissions. If the permissions were set to 600, the file owner would have read and write privileges (4+2), with all others having no permissions. 777 grants read, write, and execute access to all users.

One special and helpful permission is setgid. Setting it on a directory causes any file created in that directory to inherit the group of the parent directory. There are other special permissions, as well as access control lists that can be applied to files and folders beyond the user, group, and other categories, but they are outside the scope of this article.

 

Hostdedi File Permission Defaults

Current Hostdedi systems run the Apache web server as a separate user, so directories typically need “other” execute permission. This allows Apache to operate on the contents of the directories.

Apache needs read access for any .htaccess files used by your site, and read access to static files like CSS, JS, and image files. These permissions allow Apache to read and transmit files to the end client requesting them. All PHP files will be executed by your system user using PHP-FPM, and should typically only have permissions granted to the user.

Since PHP processes and applications run as your user on the system, these files typically only need to be accessible by your user.

To summarize general permission settings for securing a web application:

  • Directories should be 711, which allows your user full access and allows the web server to traverse the directories to reach static files.
  • PHP files and application configuration files should have permissions of 600, which allows only your user access.
  • Image files and static site assets such as CSS, JS, font files, and so on need permissions of 644, which allows Apache to serve them as expected without returning a 403 Forbidden response.

 

Checking File Permissions

Two easy ways to check file permissions are the stat command and the ll command (on most systems, ll is a shell alias for ls -l).

Issuing the stat command on a file shows much more information than just the permissions, but the first line that starts with Access: shows the permissions in both numeric and alphabetic forms. The stat output below shows the permissions as 0660, or -rw-rw----, which means the user and group have read and write access while all others have no access.

 

  $ stat file.xyz 
  File: `file.xyz'
  Size: 0          Blocks: 0          IO Block: 4096 regular empty file
  Device: 807h/2055d Inode: 524917      Links: 1
  Access: (0660/-rw-rw----)  Uid: (1337/uzer) Gid: (1337/uzer)
  Access: 2018-07-19 15:01:42.000000000 -0400
  Modify: 2017-04-04 08:36:53.000000000 -0400
  Change: 2018-07-19 15:01:42.891553118 -0400



Using the ll command, you only receive the alphabetic form of the permissions. The output for the same file looks like this:

 

  ll file.xyz 
  -rw-rw---- 1 uzer uzer 0 Apr  4 2017 file.xyz

 

Setting File Permissions

The chmod command is used to change permissions, and it accepts the permissions in several formats. Below we change the permissions of the file.xyz file to 600.

 

  chmod 600 file.xyz

 

To express this in the non-numeric (symbolic) form, we would use the command below, which gives the user read and write access. Note that u+rw only adds permissions for the user; unlike chmod 600, it does not remove any permissions the group or others already have.

 

  chmod u+rw file.xyz

 

To add permissions so that both the user and the group have read and write access, you would use the following syntax.

 

  chmod ug+rw file.xyz

 

Bulk File Permission Changes With the Chmod Command

Changing the permissions on a large number of files at once can be done with the -R (recursive) flag of the chmod command. You can also use the find command in conjunction with chmod to select certain files or file types and adjust their permissions.

An easy way to help secure file permissions across your site is to run the following commands from your web application root directory.

First we set all directory permissions to 711.

 

  find . -type d -exec chmod 711 {} \;

 

You may want to use setgid on the directories. This sets it on all directories with the following command.

 

  find . -type d -exec chmod 2711 {} \;

 

Then we set all file permissions to 644, so your user has read and write access and the group and others have read access. This allows Apache to read and serve static site files.

 

  find . -type f -exec chmod 644 {} \;

 

We would then want to go through and tighten security on all PHP files so only your user has access to them.

 

  find . -type f -name "*.php" -exec chmod 600 {} \;

 

After doing the above, you would want to manually change the permissions with chmod on any sensitive site files without the .php extension to 600. For something like Magento 1.X with a local.xml configuration file, the command would be the following, run from your web application root:

 

  chmod 600 app/etc/local.xml 
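The following script is an added example, not part of the Hostdedi article, and serves both the Checking File Permissions and Bulk File Permission Changes sections: it audits a web root against the policy described above (directories 711 or 2711, PHP files and app/etc/local.xml 600, everything else 644), then applies the article's find/chmod fix and re-audits. It assumes GNU coreutils stat, and the sample tree it builds under mktemp is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Hostdedi article): audit a web root against the
# permission policy above, apply the bulk find/chmod fix, and audit again.
# Assumes GNU coreutils stat; the sample tree is constructed for this demo.

# Octal mode of a path, including the setgid bit (e.g. 2711).
mode_of() { stat -c '%a' "$1"; }

# Print the modes the policy allows for a path, space-separated.
expected_mode() {
    if [ -d "$1" ]; then echo "711 2711"; return; fi
    case $1 in
        *.php|*/app/etc/local.xml) echo 600 ;;   # code and credentials
        *)                         echo 644 ;;   # static assets
    esac
}

# Print "ACTUAL EXPECTED PATH" for each entry under $1 that deviates.
audit_perms() {
    find "$1" -mindepth 1 \( -type d -o -type f \) | while IFS= read -r p; do
        actual=$(mode_of "$p"); allowed=$(expected_mode "$p")
        case " $allowed " in
            *" $actual "*) ;;                                   # within policy
            *) printf '%s\t%s\t%s\n' "$actual" "${allowed%% *}" "$p" ;;
        esac
    done
}

# The article's bulk fix, with find's ';' escaped so the shell passes it
# through to find, plus the manual tightening of Magento 1's local.xml.
apply_policy() {
    find "$1" -type d -exec chmod 711 {} \;
    find "$1" -type f -exec chmod 644 {} \;
    find "$1" -type f -name '*.php' -exec chmod 600 {} \;
    if [ -f "$1/app/etc/local.xml" ]; then chmod 600 "$1/app/etc/local.xml"; fi
}

# Constructed Magento-1-style tree with three deliberate mistakes.
make_sample_tree() {
    r=$(mktemp -d); mkdir -p "$r/app/etc" "$r/skin"
    : > "$r/index.php";         chmod 600 "$r/index.php"          # ok
    : > "$r/skin/style.css";    chmod 644 "$r/skin/style.css"     # ok
    : > "$r/app/etc/local.xml"; chmod 644 "$r/app/etc/local.xml"  # world-readable credentials
    : > "$r/skin/Mage.php";     chmod 644 "$r/skin/Mage.php"      # world-readable PHP source
    chmod 711 "$r/app"; chmod 2711 "$r/app/etc"; chmod 777 "$r/skin"  # skin is world-writable
    echo "$r"
}

root=$(make_sample_tree); echo "Deviations before fix:"; audit_perms "$root"
apply_policy "$root"; echo "Deviations after fix: $(audit_perms "$root" | wc -l)"
rm -rf "$root"
```

Run it from any shell with GNU coreutils; pointing audit_perms at a real web root reports only the paths that differ from the policy, so it can be scheduled as a check without changing anything.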

 

Application Specific Configuration Files

Below are some notable application-specific configuration files that should use 600 permissions exclusively. For additional security, some of the applications below also recommend moving directories containing configuration files outside of the website’s document root. If your application has been modified, some of these files may be in a different location, or there may be additional sensitive configuration files. When in doubt, contact your web host or development team.

  • Magento 1.X: app/etc/local.xml
  • Magento 2.x: app/etc/env.php
  • WordPress: wp-config.php
  • Drupal: sites/default/settings.php
  • ExpressionEngine: system/expressionengine/config/config.php
  • Craft: craft/config/db.php
