Need file permissions explained
Posted: Sun Dec 04, 2005 1:02 pm
by alex.barylski
I've used CHMOD numerous times obviously and I think I understand it from a user perspective on a *nix system...I've read enough articles on it
The one thing that always got me though, was how those rights apply to a script executing under the guidance of Apache, etc...
Especially under that of a Shared host server...
Are people visiting the website considered "other"? They surely can't be Owner...
Can someone explain how these work...not necessarily in layman's terms, cuz I do have some knowledge of how they work, just can't figure out how I would use them in a shared host environment...?? Or on a web server...
Cheers
EDIT Another question I had...not all numbers are actual permissions correct? I just tried entering the permission 699 and then did the math...and it didn't make sense?? I am correct in thinking this???
Posted: Sun Dec 04, 2005 1:18 pm
by John Cartwright
Posted: Sun Dec 04, 2005 1:23 pm
by alex.barylski
Cool thanks...I'll read that

Posted: Sun Dec 04, 2005 1:27 pm
by trukfixer
CHMOD ogw+x
o = Owner
g = Group
w = World
in a directory listing you might see
drwxr-xr-x that means it's a directory, and then sets of three permission bits, so
d = directory rwx = Owner has read,write,execute permissions, r-x = Group has read and execute permissions, and r-x = World has read and execute permissions
The above drwxr-xr-x would be equivalent to chmod 755 on a directory
-rw-r--r-- - this indicates a file, with chmod 644 permissions
people visiting the website have the UID of apache (typically "nobody" or "www-data" with a UID and/or GID of 99, or 33, often) so basically - any visitor to the website via http or https is running the script under "www-data" or "nobody" permissions
Since a usual file will be chown user.group then *unless* the file is owned by apache's user or group id, apache's permissions are "World" or "Other" , so every web visitor, in essence is user "Apache" (and typically group Apache , but it can be modified by root sysadmin)
regardless of whether the webserver is Apache or Zeus or IIS or Caudium or AOLServer or any other webserver in use, *typically* (not necessarily always) your web visitors are connecting to the webserver as the Apache user/group, so unless you specifically *CHOWN* a file to be owned by apache user (or group), only the last 3 bits of the permissions will apply
does that make more sense?
Posted: Sun Dec 04, 2005 2:24 pm
by alex.barylski
trukfixer wrote:
CHMOD ogw+x
o = Owner
g = Group
w = World
in a directory listing you might see
drwxr-xr-x that means it's a directory, and then sets of three permission bits, so
d = directory rwx = Owner has read,write,execute permissions, r-x = Group has read and execute permissions, and r-x = World has read and execute permissions
The above drwxr-xr-x would be equivalent to chmod 755 on a directory
-rw-r--r-- - this indicates a file, with chmod 644 permissions
people visiting the website have the UID of apache (typically "nobody" or "www-data" with a UID and/or GID of 99, or 33, often) so basically - any visitor to the website via http or https is running the script under "www-data" or "nobody" permissions
Since a usual file will be chown user.group then *unless* the file is owned by apache's user or group id, apache's permissions are "World" or "Other" , so every web visitor, in essence is user "Apache" (and typically group Apache , but it can be modified by root sysadmin)
regardless of whether the webserver is Apache or Zeus or IIS or Caudium or AOLServer or any other webserver in use, *typically* (not necessarily always) your web visitors are connecting to the webserver as the Apache user/group, so unless you specifically *CHOWN* a file to be owned by apache user (or group), only the last 3 bits of the permissions will apply
does that make more sense?
What I'm wondering is...in regards to security...
How can a user/visitor be prevented from reading/writing/executing
What happens if you request a file via HTTP which has its group (likely a users settings) = --x does this mean they can execute the script, but cannot read the contents or change them? I dunno how they'd do that...but still..
if a file has its OTHER permissions set to nothing...this means...that file cannot be accessed or executed at all...via HTTP, but my scripts can still access them, correct?
So a configuration file...for instance...might have its OTHER RWX cleared, but the Public/Owner bits are all set that means....my scripts can still read/write/execute that file internally, correct???
Posted: Sun Dec 04, 2005 7:37 pm
by trukfixer
Sorta, Kinda- better way to explain it -
http://www.phplogix.com/test/ - you can see for yourself
notice only the chmod 644 file really works, the file_get_contents fails , as does the include() for the other two, so setting a "world" or "other" permissions to 0 or --- will result in unreadable, un-includable files
However, for php, you only need a file to be readable by the "other" in order to get it working - see what happens with the chmod 004 file
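
Added example, not part of any post in this thread: a Python sketch of how a non-root process's access to a file is decided from the mode bits, including the 644 and 004 cases tested above and the 699 question from the first post. The uid/gid values (site account 1000, web server account 33) are constructed for illustration, and ACLs and root are ignored.

```python
import stat

# chmod's symbolic letters are u (user/owner), g (group), o (other), a (all).
# Numeric modes are octal: each digit is r=4 + w=2 + x=1, so it ranges 0-7.

def parse_mode(text):
    """Parse a chmod-style octal string; 8 and 9 are not octal digits."""
    if not text or len(text) > 4 or any(c not in "01234567" for c in text):
        raise ValueError(f"not an octal mode: {text!r}")
    return int(text, 8)

def permission_class(file_uid, file_gid, proc_uid, proc_gids):
    """Exactly one class is checked: owner first, else group, else other."""
    if proc_uid == file_uid:
        return "owner"
    if file_gid in proc_gids:
        return "group"
    return "other"

def allowed(mode, file_uid, file_gid, proc_uid, proc_gids):
    """Return (class, 'rwx'-style triad) that applies to the process."""
    cls = permission_class(file_uid, file_gid, proc_uid, proc_gids)
    shift = {"owner": 6, "group": 3, "other": 0}[cls]
    bits = (mode >> shift) & 0o7
    flags = (("r", 4), ("w", 2), ("x", 1))
    return cls, "".join(ch if bits & bit else "-" for ch, bit in flags)

# Constructed sample: files owned by the hosting account, read by the web server.
SITE_UID, SITE_GID = 1000, 1000
WWW_UID, WWW_GIDS = 33, {33}

def report():
    """What the web server process may do to site-owned files per mode."""
    rows = []
    for text in ("644", "640", "600", "004"):
        mode = parse_mode(text)
        listing = stat.filemode(stat.S_IFREG | mode)
        cls, triad = allowed(mode, SITE_UID, SITE_GID, WWW_UID, WWW_GIDS)
        rows.append((text, listing, cls, triad))
    return rows

if __name__ == "__main__":
    for row in report():
        print(row)
    # The classes are exclusive: if the web server account owned the 004 file,
    # the empty owner triad would apply and the read would be denied.
    print(allowed(0o004, WWW_UID, 33, WWW_UID, WWW_GIDS))
```
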
