
If I may be permitted - Permissions !

permissions

6 replies to this topic

#1 ajoo

ajoo
  • Members
  • Advanced Member
  • 529 posts

Posted 28 February 2017 - 04:42 AM

Hi all !

 

What are the best permissions, on a VPS, that should be set on files and folders that contain:

 

1. php scripts, library or included or required files containing php code. ?

 

2. a folder that only contains uploaded images by the users remotely. ( Like a picture of a user on filling a form ) ?

 

I would be grateful for suggestions and the reasoning for the same, as well as who would need to own those permissions. I have read quite a bit about the permissions, but together with this ownership business it kind of confuses me utterly. :confused:

 

Thanks 


Edited by ajoo, 28 February 2017 - 04:44 AM.


#2 Jacques1

Jacques1
  • Gurus
  • Turtles all the way down
  • 3,835 posts

Posted 28 February 2017 - 05:09 AM   Best Answer

First, every directory and file of the application should be owned by an administrative user (like the one you use to SSH into the machine), not the webserver. The group should be the group of the webserver (usually www or www-data).

 

Appropriate permissions for read-only directories are: read+write+execute for the user, execute for group, none for the world. This means the administrative user can do anything, the group (i.e. the webserver) can only enter the directory, everybody else has no permissions at all.

 

For writable directories: read+write+execute for the user, write+execute (and possibly read) for the group, none for the world.

 

The minimal permission required to use a directory is “execute”. “Read” means that the files in the directory can be listed (which is usually not necessary and may be dangerous). And “write” allows creation of new files.



#3 ajoo


Posted 28 February 2017 - 11:07 AM

Hi Guru Jacques  :) ,

 

Thanks for the reply. 

 

If I read you correctly, then for the 1st part of my question, i.e.

1. php scripts, library or included or required files containing php code. ?

you suggest that the folder permissions should be 710.  

 

and for the 2nd part, i.e. 

2. a folder that only contains uploaded images by the users remotely. ( Like a picture of a user on filling a form ) ?

they should be either 770 or 750. ( 770 because the web-server also has to read them to display them ?)

 

Kindly confirm that my deduction is correct. Also please shed some light on what should be the permissions for the files in these folders.

 

Also, Guru Jacques, your answer implies that if I am logged in the machine as user master, and www-data is the web-server user and group, then the owner : group relationship for all the files should be  master : www-data.  Right ?

 

If this is indeed what you meant, then I would like to ask that for a folder outside the root holding scripts and libs, which are to be accessed only by the php, and that too as read only, would the assignment www-data : www-data be more secure and should it be used?

 

I read that for such a folder, the owner and group should both be assigned to the web-server (php), which is what I guess this (www-data : www-data) assignment is. If so, another question that arises is that, if these files need to be modified at a later time by the user master, then will the permissions have to be redefined to give the ownership back to the user master before they can be edited/modified?

 

Is my understanding of all this correct ?

 

Thanks loads !


Edited by ajoo, 28 February 2017 - 11:12 AM.


#4 Jacques1


Posted 28 February 2017 - 12:09 PM

Like I said: The webserver must not own any application directory or file, neither inside nor outside of the document root. If somebody told you otherwise, they're wrong.

 

The owner can effectively do anything: They can give themselves all permissions and then read, manipulate or delete their files and directories. When you give that power to the webserver, you also give it to any attacker who manages to find the right vulnerability in your application.

 

This is not just a theoretical risk. You'll find many threads in this forum (mostly Wordpress-related) where scripts have been infected with malware due to an application vulnerability and write permissions.

 

The owner must always be a separate administrative account.

 

 

 

> 770 because the web-server also has to read them to display them ?

 

No. As explained above, read permission on a directory means that the directory content can be listed. This is necessary if, for example, you want to iterate over all files in the upload directory.

 

If you don't need that, don't use it.

 

 

 

> [...] the owner : group relationship for all the files should be master : www-data. Right ?

 

Yes.



#5 ajoo


Posted 28 February 2017 - 12:44 PM

Thanks Guru jacques !

 

 

 

> If somebody told you otherwise, they're wrong.

 

I was actually referring to this article here under Method 2: but I may have misunderstood what the author is saying. Maybe what he is saying is correct and my understanding of it is wrong.

 

You did not say anything about the 710 permission on the php scripts and such folder outside the root and so I take it that it is correct. 

 

That almost clears it. If you could also say something about the file permissions in these folders, that would be really nice.

 

Thanks again ! 


Edited by ajoo, 28 February 2017 - 12:45 PM.


#6 Jacques1


Posted 28 February 2017 - 01:48 PM

> Maybe what he is saying is correct and my understanding of it is wrong.

 

No, the article is simply bad advice.

 

 

 

> You did not say anything about the 710 permission on the php scripts and such folder outside the root and so I take it that it is correct.

 

Yes.

 

 

 

> That almost clears it. If you could also say something about the file permissions in these folders, that would be really nice.

 

Read-only files should have 0740 permissions, writable files 0760. Execute permissions are only relevant for binaries and shell scripts with a shebang line. A web application generally doesn't have that.
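
An audit of the scheme laid out in this thread (administrative owner, webserver group, 710 directories, 0740/0760 files, nothing for the world), added here as an example and not part of any post. The function name, the finding labels and the idea of passing the upload directory as a third argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a tree against the scheme above.
# Usage: audit_tree APP_DIR WEB_USER [WRITABLE_DIR]
#   WEB_USER      account the webserver runs as (name or numeric uid)
#   WRITABLE_DIR  upload directory below APP_DIR, written exactly as find
#                 will print it (e.g. APP_DIR/uploads); optional
# Prints one finding per line and returns 1 if anything was found.
audit_tree() {
    app=$1 web_user=$2 writable=${3:-}
    # Assumption: files inside the upload directory are created by the
    # webserver itself, so checks 1 and 2 skip that subtree.
    if [ -n "$writable" ]; then
        set -- -path "$writable" -prune -o
    else
        set --
    fi
    findings=$(
        # 1. The webserver account must not own application files or dirs.
        find "$app" "$@" -user "$web_user" -print |
            sed 's/^/OWNED_BY_WEBSERVER /'
        # 2. Group write on code lets the webserver group modify it
        #    (expected: 710 directories, 0740 files).
        find "$app" "$@" ! -type l -perm -020 -print |
            sed 's/^/GROUP_WRITABLE /'
        # 3. "None for the world": no r, w or x bit for others, anywhere.
        find "$app" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
            sed 's/^/WORLD_ACCESS /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```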



#7 ajoo


Posted 28 February 2017 - 03:36 PM

In the absence of an expert opinion, even wrong advice looks great to an amateur. :unsure:

 

Glad that you are there ! :)

 

Thanks loads for all the clarifications !!





