Implications of file permissions
Security and functionality
I find I'm at a total loss to understand what file permissions I should use for my scripts. I understand what 755, 644, etc. mean, and I understand the general purpose of having file permissions. What I don't understand is why I should choose one set of permissions for one file, and another set of permissions for a different file.
(At this point I should mention that I'm talking about a shared webhosting environment, not a Linux workstation, dedicated server, or anything like that where I have control over what users are on the box.)
As far as I see it, there are a few different "types" of files I could use on my website:
- Scripts that read files on the server
- Scripts that write files on the server
- Scripts that access a database on the server
- Scripts that just execute, and don't need to read, write, or access a database
- Static files (such as images or CSS) that only need to be read, either by scripts on the server or by site visitors
Obviously some scripts would fit two or more of those categories, but besides that, am I missing anything in the list above?
Assuming I'm right in my categorization of files, what file permissions should I use on each type of file? And, what are the security and functionality implications of the several sets of permissions I could choose from?
Finally, I just heard today that sometimes scripts that give permission errors need to be chown'd to 'nobody.' When might this occur, and are there better ways to eliminate permission errors?
I realize this may be a big topic, but I've searched and searched and can't find a tutorial that answers these questions. So a little guidance in this area would be warmly appreciated.
first a quick review:
the 3 digits are for owner/group/user file permissions.
3 permission bits per digit for execute/write/read.
each user belongs to a group.
what is important to consider here is that the server is considered a user which must have sufficient permission to access the script, which process then inherits the server's environment.
the permissions on files which must be read by the server should also provide read access to the server and/or the server's group.
the permissions on directories in which the server writes files must provide write access to the server and/or the server's group.
the database access issue is usually not related to file permissions since the web server accesses database files typically through a db server.
static files such as images and css are still accessed by the server and therefore must allow read access for the server and/or the server's group.
that is a very general overview of the file permissions mechanism.
you didn't mention which web server but if it's apache you can read more here:
there are also apache directives which you can use to protect files and directories.
or if you have something more specific...
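An added example, not part of either post above: a Python sketch of the check the answer describes, working out which permission digit applies to the web server's user and then auditing a document root for files the server cannot read or that are writable by "other". The file names, modes, and the server uid/gid in `demo()` are constructed assumptions, and the root bypass and ACLs are ignored.

```python
import os
import stat
import tempfile

SHIFT = {"owner": 6, "group": 3, "other": 0}
BIT = {"r": 4, "w": 2, "x": 1}

def effective_class(f_uid, f_gid, uid, gids):
    """The kernel uses the FIRST matching triplet, not the union of all three."""
    if uid == f_uid:
        return "owner"
    return "group" if f_gid in gids else "other"

def can_access(mode, f_uid, f_gid, uid, gids, want):
    """True if uid/gids get every permission in want (subset of 'rwx').
    The root bypass and ACLs are ignored."""
    bits = (mode >> SHIFT[effective_class(f_uid, f_gid, uid, gids)]) & 0o7
    need = sum(BIT[c] for c in want)
    return bits & need == need

def audit(root, srv_uid, srv_gids):
    """List entries the server cannot read and entries writable by 'other'."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # permissions on the link itself are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            want = "rx" if stat.S_ISDIR(st.st_mode) else "r"
            if not can_access(mode, st.st_uid, st.st_gid, srv_uid, srv_gids, want):
                findings.append((rel, oct(mode), "server cannot read"))
            if mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "writable by other"))
    return sorted(findings)

def demo():
    """Constructed docroot; the server is a hypothetical uid/gid that owns nothing."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("index.php", 0o644), ("config.php", 0o600), ("upload.php", 0o666)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        st = os.lstat(root)
        return audit(root, st.st_uid + 1, {st.st_gid + 1})

if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

On shared hosting, "other" includes every other account on the box, so a "writable by other" finding means any of them can modify that file.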