
If I may be permitted - Permissions !


ajoo
Go to solution Solved by Jacques1,


Hi all !

 

What are the best permissions, on a VPS, that should be set on files and folders that contain:

 

1. PHP scripts, library or included or required files containing PHP code?

 

2. A folder that only contains images uploaded remotely by the users (like a picture of a user on filling in a form)?

 

I would be grateful for suggestions and the reasoning for the same, as well as who would need to own those permissions. I have read quite a bit about the permissions, but together with this ownership business it kind of confuses me utterly.

 

Thanks 

Edited by ajoo

  • Solution

First, every directory and file of the application should be owned by an administrative user (like the one you use to SSH into the machine), not the webserver. The group should be the group of the webserver (usually www or www-data).

 

Appropriate permissions for read-only directories are: read+write+execute for the user, execute for group, none for the world. This means the administrative user can do anything, the group (i.e. the webserver) can only enter the directory, everybody else has no permissions at all.

 

For writable directories: read+write+execute for the user, write+execute (and possibly read) for the group, none for the world.

 

The minimal permission required to use a directory is “execute”. “Read” means that the files in the directory can be listed (which is usually not necessary and may be dangerous). And “write” allows creation of new files.

  • Like 1

Hi Guru Jacques :),

 

Thanks for the reply. 

 

If I read you correctly, then for the 1st part of my question, i.e.

1. PHP scripts, library or included or required files containing PHP code?

you suggest that the folder permissions should be 710.  

 

and for the 2nd part, i.e.

2. A folder that only contains images uploaded remotely by the users (like a picture of a user on filling in a form)?

they should be either 770 or 750. (770 because the web-server also has to read them to display them?)

 

Kindly confirm that my deduction is correct. Also please shed some light on what should be the permissions for the files in these folders.

 

Also, Guru Jacques, your answer implies that if I am logged in to the machine as user master, and www-data is the web-server user and group, then the owner : group relationship for all the files should be master : www-data. Right?

 

If this is indeed what you meant, then I would like to ask that for a folder outside the root holding scripts and libs, which are to be accessed only by the php, and that too as read only, would the assignment www-data : www-data be more secure and should it be used?

 

I read that for such a folder, the owner and group should be both assigned to the web-server (php) which is what I guess this (www-data : www-data) assignment is. If so, another question that arises is that, if these files need to be modified at a later time by the user master, then will the permissions have to be redefined to give the ownership back to the user master before they can be edited/modified?

 

Is my understanding of all this correct ?

 

Thanks loads !

Edited by ajoo

Like I said: The webserver must not own any application directory or file, neither inside nor outside of the document root. If somebody told you otherwise, they're wrong.

 

The owner can effectively do anything: They can give themselves all permissions and then read, manipulate or delete their files and directories. When you give that power to the webserver, you also give it to any attacker who manages to find the right vulnerability in your application.

 

This is not just a theoretical risk. You'll find many threads in this forum (mostly WordPress-related) where scripts have been infected with malware due to an application vulnerability and write permissions.

 

The owner must always be a separate administrative account.

 

 

 

770 because the web-server also has to read them to display them ?

 

No. As explained above, read permissions on a directory mean that the directory content can be listed. This is necessary if, for example, you want to iterate over all files in the upload directory.

 

If you don't need that, don't use it.

 

 

 

[...] the owner : group relationship for all the files should be  master : www-data.  Right ?

 

Yes.

  • Like 1

Thanks Guru Jacques!

 

 

 

If somebody told you otherwise, they're wrong.

 

I was actually referring to this article here under Method 2: but I may have misunderstood what the author is saying. Maybe what he is saying is correct and my understanding of it is wrong.

 

You did not say anything about the 710 permission on the php scripts and such folder outside the root and so I take it that it is correct. 

 

That almost clears it. If you could also say something about the file permissions in these folders, that would be really nice.

 

Thanks again ! 

Edited by ajoo

Maybe what he is saying is correct and my understanding of it is wrong.

 

No, the article is simply bad advice.

 

 

 

You did not say anything about the 710 permission on the php scripts and such folder outside the root and so I take it that it is correct.

 

Yes.

 

 

 

That almost clears it. If you could also say something about the file permissions in these folders, that would be really nice.

 

Read-only files should have 0740 permissions, writable files 0760. Execute permissions are only relevant for binaries and shell scripts with a shebang line. A web application generally doesn't have that.

  • Like 1
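
The scheme from the answers above, applied and then checked, as an added example that is not part of any post in this thread. The modes (710/740 read-only, 730/760 writable, nothing for world) and the admin-owner/webserver-group split are the thread's; the function names, the directory layout and the choice to pass the upload folder as a separate argument are assumptions. On a real server `apply_perms` needs root, because changing a file's owner to another account does.

```shell
#!/bin/sh
# Added example. Modes and ownership follow the thread; layout and names are assumed.

# apply_perms APP_ROOT WRITABLE_DIR ADMIN_USER WEB_GROUP
# WRITABLE_DIR (e.g. the upload folder) must be given as a path below APP_ROOT.
apply_perms() {
    root=$1 writable=$2 admin=$3 webgroup=$4

    # Owner: administrative account. Group: the webserver's group.
    # -h changes symlinks themselves instead of whatever they point to.
    chown -hR "$admin:$webgroup" "$root" || return 1

    # Read-only code: directories 710 (group may only enter), files 740.
    find "$root" -type d -exec chmod 710 {} +
    find "$root" -type f -exec chmod 740 {} +

    # Writable area: directories 730 (enter and create, no listing), files 760.
    find "$writable" -type d -exec chmod 730 {} +
    find "$writable" -type f -exec chmod 760 {} +
}

# audit_perms APP_ROOT WRITABLE_DIR WEB_USER
# Prints one line per deviation from the scheme; prints nothing if the tree is clean.
audit_perms() {
    root=$1 writable=$2 webuser=$3

    # Files the webserver owns: it could grant itself any permission on them.
    find "$root" -user "$webuser" -exec printf 'owned-by-webserver %s\n' {} \;

    # Any read, write or execute bit for "world".
    find "$root" \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec printf 'world-access %s\n' {} \;

    # Group write permission anywhere outside the writable area.
    find "$root" -path "$writable" -prune -o -perm -020 \
        -exec printf 'group-write %s\n' {} \;
}
```
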