CHMOD Settings

everettj1

10:03 pm on Dec 26, 2007 (gmt 0)

10+ Year Member



Hello, what are the ideal (recommended) CHMOD settings for the following:

1. Directories
2. HTML/PHP pages
3. Video/Images/Music
4. TXT/INI/CSS/JS/ETC

and anything else I might have left out.

thanks

James

phranque

2:24 am on Dec 27, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



a lot depends on who has what access to the server and then the ownership of nodes is important before you can decide what the file modes should be.

everettj1

4:18 pm on Dec 27, 2007 (gmt 0)

10+ Year Member



Well, I am the owner of all the files and my site is publicly accessible. I have full access rights to all files/directories, I have put in place a hyperlinking prevention mechanism for all images and media, I have made all directories unviewable by the public (only viewable via FTP login or cpanel access), I just would like to have an ideal setting for each type of file and directory to prevent things from happening which might circumvent abuse in the future.

I want the user to be able to read my files, but not write, not sure if they need execute privs though? On my directories the execute priv is on, so should I turn that off and if so will it prevent users from doing certain things which will take away usage of the site?

For instance how do you or anyone else have their settings set? And why?

Thanks

James

lammert

10:29 pm on Dec 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



First rule of server security:
Source files like PHP, JS, HTML, JPG, etc should all be owned by a user without root permission. The same for directories. The webserver must run as another user (also without root permission) who has only read access to these source files and directories.

With this setup, the webserver can't modify existing source files, and you don't need to log on as root to add or modify source files. (Logging on as root is always dangerous, as the system doesn't protect you against accidentally running disastrous commands.)

The only exception is where you allow the webserver to add or update source files directly, for example with a picture upload site where the picture directory should be writable by the webserver.

*nix security cannot be learned without understanding the concepts behind the user/group system and the special rights of root. There are some books around for unix security and administration in general. Buy one of them and read it on a rainy weekend.

jtara

5:23 pm on Dec 28, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Unix file permissions have absolutely nothing to do with what access users of your website have to your files. They control the access of other users of the host computer your website is running on.

The "ideal" permissions, then, will depend on the circumstances of your hosting. Are you on a dedicated server? VPS? Shared? In the first two cases, nobody else has access anyway (unless you give it to them).

However, you should still be concerned about access by other programs - isolation is always good. For example, you don't want your mail files accessible by your web server, or your web files accessible by your mail server. If one is somehow hacked, it won't have access to the other's files.

Most files should be 600 - readable and writable by owner - or 400 - readable by owner if you are really paranoid.

Directories have to have the execute bit set. (So, 700).

Executable programs obviously have to have the execute bit set, so 700 or 500.

Scripts (PHP, etc.) run by a web server generally aren't considered "executable". They only need read permission. I say "generally", though, because some Apache servers use the XBitHack, and then you use the execute bit to tell the web server that the file contains a script.
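An added example that is not code from the thread or any of its posters: a small audit that turns the modes jtara lists above and lammert's upload-directory exception into a check you can run over a web root. It assumes GNU find, and FILE_MODES and DIR_MODES are names chosen here, not anything the thread mentions.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a web root against the
# modes jtara lists (files 600/400, executables 700/500, directories 700)
# and applies lammert's exception: a directory the webserver must write to
# (uploads) may be writable, but never by "other". Assumes GNU find
# (-printf). FILE_MODES/DIR_MODES are assumed names; override them, e.g.
# FILE_MODES="640 440 750 550" DIR_MODES="750", when the webserver is a
# separate user reading via a shared group (lammert's setup).

FILE_MODES="${FILE_MODES:-600 400 700 500}"
DIR_MODES="${DIR_MODES:-700}"

# mode_allowed MODE "LIST": succeeds when MODE is in the space-separated LIST.
mode_allowed() {
    for allowed in $2; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# world_writable MODE: succeeds when the "other" write bit (2) is set,
# i.e. the last octal digit is 2, 3, 6 or 7.
world_writable() {
    case "$1" in *[2367]) return 0 ;; esac
    return 1
}
# audit_perms ROOT [WRITABLE_DIR]
# Prints "MODE TYPE PATH" for every node that breaks the policy; returns 1
# if any did, 0 when the tree is clean.
audit_perms() {
    root="$1"; writable="${2:-}"; found=0
    listing=$(find "$root" \( -type f -o -type d \) -printf '%m %y %p\n')
    while read -r mode kind path; do
        [ -z "$path" ] && continue
        if [ -n "$writable" ] && [ "$path" = "$writable" ]; then
            # Upload directory: writable by design, but 777-style is still wrong.
            world_writable "$mode" || continue
        elif [ "$kind" = d ]; then
            mode_allowed "$mode" "$DIR_MODES" && continue
        else
            mode_allowed "$mode" "$FILE_MODES" && continue
        fi
        printf '%s %s %s\n' "$mode" "$kind" "$path"
        found=1
    done <<EOF
$listing
EOF
    return $found
}
```

Run it as `audit_perms /path/to/webroot /path/to/webroot/uploads`; a non-zero exit with nothing printed means nothing was found to complain about.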

everettj1

8:38 am on Dec 31, 2007 (gmt 0)

10+ Year Member



Thanks for the help. I think the first post was assuming that I was talking about running my own webserver? But, yeah I was talking about what Jtara was describing, so that is great. Your help is greatly appreciated.

I noticed that the ftp app. I use auto-set the CHMOD as you stated was ideal, so I guess that I am good to go as far as CHMOD is concerned. I suppose I could have winged it but I would have never known for sure if I was right or wrong until proven otherwise and I prefer not to learn the hard way if it isn't necessary, so many thanks to you guys for stepping up and shining some light on this for me. Should be a helpful post in the future for others as well.

Regards,

James