Need file permissions explained

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

I've used CHMOD numerous times obviously and I think I understand it from a user perspective on a *nix system...I've read enough articles on it :?

The one thing that always got me though, was how those rights apply to a script executing under the guidance of Apache, etc...

Especially under that of a Shared host server...

Are people visiting the website considered "other"? They surely can't be Owner...

Can someone explain how these work...not necessarily in layman's terms, cuz I do have some knowledge of how they work, just can't figure out how I would use them in a shared host environment...?? Or on a web server...

Cheers :)

EDIT Another question I had...not all numbers are actual permissions, correct? I just tried entering the permission 699 and then did the math...and it didn't make sense?? Am I correct in thinking this???
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

Jcart wrote:http://www.onlamp.com/pub/a/php/2003/02 ... tions.html

Addresses all your concerns
Cool thanks...I'll read that :)
trukfixer
Forum Contributor
Posts: 174
Joined: Fri May 21, 2004 3:14 pm
Location: Miami, Florida, USA

Post by trukfixer »

CHMOD ogw+x

o = Owner
g = Group
w = World

in a directory listing you might see

drwxr-xr-x that means it's a directory, and then sets of three permission bits, so
d = directory, rwx = Owner has read, write, execute permissions, r-x = Group has read and execute permissions, and r-x = World has read and execute permissions

The above drwxr-xr-x would be equivalent to chmod 755 on a directory

-rw-r--r-- - this indicates a file, with chmod 644 permissions

people visiting the website have the UID of apache (typically "nobody" or "www-data", with a UID and/or GID of 99 or 33, often), so basically any visitor to the website via http or https is running the script under "www-data" or "nobody" permissions

Since a usual file will be chown user.group, then *unless* the file is owned by apache's user or group id, apache's permissions are "World" or "Other", so every web visitor, in essence, is user "Apache" (and typically group Apache, but it can be modified by root sysadmin)

regardless of whether the webserver is Apache or Zeus or IIS or Caudium or AOLServer or any other webserver in use, *typically* (not necessarily always) your web visitors are connecting to the webserver as the Apache user/group, so unless you specifically *CHOWN* a file to be owned by apache user (or group), only the last 3 bits of the permissions will apply

does that make more sense?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

What I'm wondering is...in regards to security...

How can a user/visitor be prevented from reading/writing/executing

What happens if you request a file via HTTP which has its group (likely a user's settings) = --x? Does this mean they can execute the script, but cannot read the contents or change them? I dunno how they'd do that...but still.. :)

if a file has its OTHER permissions set to nothing...this means...that file cannot be accessed or executed at all...via HTTP, but my scripts can still access them, correct?

So a configuration file...for instance...might have its OTHER RWX cleared, but the Public/Owner bits are all set, that means....my scripts can still read/write/execute that file internally, correct???
trukfixer
Forum Contributor
Posts: 174
Joined: Fri May 21, 2004 3:14 pm
Location: Miami, Florida, USA

Post by trukfixer »

Sorta, kinda - better way to explain it - http://www.phplogix.com/test/ - you can see for yourself

notice only the chmod 644 file really works, the file_get_contents fails, as does the include() for the other two, so setting the "world" or "other" permissions to 0 or --- will result in unreadable, un-includable files

However, for php, you only need a file to be readable by the "other" in order to get it working - see what happens with the chmod 004 file :)
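
Added example, not part of the thread: a small Python model of how one of the owner/group/other bit sets is selected for a process, applied to the modes discussed above (644, 004) and to the 699 question. The web server uid/gid of 33 is one of the values mentioned in the thread; the account uid/gid of 1000 is constructed, and root and ACLs are not modelled.

```python
import stat

WEB_UID, WEB_GIDS = 33, {33}        # www-data, as mentioned in the thread
SITE_UID, SITE_GID = 1000, 1000     # constructed account that owns the files


def parse_octal_mode(text):
    """Parse a numeric chmod mode; every digit is r=4 + w=2 + x=1, so 0-7 only."""
    if not 3 <= len(text) <= 4 or any(c not in "01234567" for c in text):
        raise ValueError(f"not an octal mode: {text!r}")
    return int(text, 8)


def applicable_class(file_uid, file_gid, proc_uid, proc_gids):
    """Return the one class that is checked; there is no fall-through to the next."""
    if proc_uid == file_uid:
        return "owner"
    if file_gid in proc_gids:
        return "group"
    return "other"


def access(mode, file_uid, file_gid, proc_uid, proc_gids):
    """Return (class, 'rwx' string) for a non-root process; ACLs are not modelled."""
    cls = applicable_class(file_uid, file_gid, proc_uid, proc_gids)
    bits = (mode >> {"owner": 6, "group": 3, "other": 0}[cls]) & 0o7
    return cls, "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))


def report(modes):
    """Build one line per mode: listing form, then what the web server and owner get."""
    lines = []
    for text in modes:
        mode = parse_octal_mode(text)
        listing = stat.filemode(stat.S_IFREG | mode)
        web = access(mode, SITE_UID, SITE_GID, WEB_UID, WEB_GIDS)
        own = access(mode, SITE_UID, SITE_GID, SITE_UID, {SITE_GID})
        lines.append(f"{text} {listing}  web={web[0]}:{web[1]}  account={own[0]}:{own[1]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(["644", "640", "600", "004"])))
```

With mode 004 the web server process gets read access through the "other" bits while the owning account gets none, because only the first matching class is consulted.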