
Understanding File Permissions

755, 666, 777, What does it all mean?

Apache Web Server

I don’t know what it is about this subject, but many people are completely baffled by Unix permissions like 777, 666 and 755, particularly if they are used to a PC or Mac and have no Unix or Linux background. So why is it important for us? Well, the vast majority of web servers run on Linux boxes. These servers assign a specific set of permissions to each file and folder based on its creator. The problem is that sometimes the default permissions on many hosts may cause your websites, plugins and extensions to break because the web server cannot write to the appropriate location.

So say you have a great new Joomla website but want to install the latest / greatest extension. You go to the extension manager and upload the archive only to get the dreaded “Failed to move file” error. Argh! Permissions have scuppered the installation. One way to fix this is to change the permissions of the relevant folder and files to 777. Easy to do in your FTP client (if the FTP user is the owner), but hang on a second, surely there’s some catch.

Well, there is. Changing permissions may be easy, but these permissions have been set for a reason, namely security. As soon as you open the permissions of any files or folders on your website you are creating a security hole that may potentially be exploited by a malicious attack. The advice in this circumstance is always the same: don’t do it, find another way to install that extension. It is far more worthwhile to put up with the inconvenience than to try to clean a hacked website.

Understanding Users, Groups and Ownership

To understand Unix/Linux permissions one needs to understand a few other concepts. *nix systems support multiple “Users”. Users can be placed in “Groups” and can belong to more than one group. The file system is made up of Files and Directories, each of which is “Owned” by a user and a group (yes, each file/directory is owned by one user and one group). If you create a file it is automatically owned by the user you are logged in as and its default group. If a file is owned by you, you can read, modify, delete and execute it.

What are 777 and 666 and why should I avoid them?

Permissions can be expressed in a number of ways but the easiest to understand is the numerical format. Each file has a “permission” consisting of 3 digits ranging from 0 to 7. The first digit refers to the permission for the owner, the second is the permission for the group that owns the file and the third digit refers to every other user on the system. Each digit is a sum of the permissions for that user or group based on the following:

Read = 4

Write = 2

Execute = 1

So if a file is 600 it means that the owner can read and modify the file but cannot execute it and no other user can do anything with it.

755 (a common permission) means that the owner can read, write and execute the file but no other user can modify it at all.

666 means that the file is readable and writeable by everyone.

777 means that the file is readable, writeable and executable by everyone.

The latter two settings are to be avoided at all costs. Why? Well, say someone managed to exploit a script on your server that allowed access to the file system. That person may be running the script under, say, the Web Server user. If a file is 666 or 777 they would be able to modify that file and potentially inject malware into it. If a folder is 666 or 777 the user could create more files with malware. A very dangerous situation.
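
The digit arithmetic and the check for the two risky settings, as an added example that is not part of the original article. It is written for a POSIX shell; decode_mode, world_writable and audit_webroot are hypothetical helper names, and the four modes printed at the end are the ones discussed above.

```sh
#!/bin/sh
# Added example: decode 3-digit modes and find entries every user can modify.

# decode_mode 755 -> rwxr-xr-x  (each digit = read 4 + write 2 + execute 1)
decode_mode() (
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "invalid mode: $1" >&2; exit 1 ;;
    esac
    rest=$1
    out=""
    while [ -n "$rest" ]; do
        d=${rest%"${rest#?}"}      # first remaining digit: owner, group, other
        rest=${rest#?}
        for bit in 4:r 2:w 1:x; do
            if [ $(( $d & ${bit%:*} )) -ne 0 ]; then
                out="$out${bit#*:}"
            else
                out="$out-"
            fi
        done
    done
    printf '%s\n' "$out"
)

# world_writable 666 -> succeeds when the third ("every other user") digit
# contains the write bit (2), which is what makes 666 and 777 dangerous.
world_writable() (
    [ $(( ${1#??} & 2 )) -ne 0 ]
)

# audit_webroot DIR -> list files and directories under DIR that any user on
# the system can modify. Symlinks are skipped: their own mode bits are not used.
audit_webroot() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# The modes from the article, decoded and flagged.
for m in 600 755 666 777; do
    flag=""
    world_writable "$m" && flag="  <- writable by every user"
    printf '%s %s%s\n' "$m" "$(decode_mode "$m")" "$flag"
done
```

Run audit_webroot against the site's document root; anything it prints is modifiable by every account on the server, including the web server user.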

Workarounds

When installing your Joomla, WordPress, or other CMS based website, upload the entire zip file and extract using a web script, e.g. Akeeba’s excellent kickstart.php, instead of uploading by FTP. That will ensure that all files are owned by the web server’s user. Note that all your virtual hosts will still be running in the same user space so it’s not exactly the most secure option, but it’s a lot better than opening permissions.

Use SuPHP. SuPHP allows apache to run php files under another user. This would mean that one could isolate php execution for each virtual host using the Linux file system. It’s an excellent method to add security to your system. That said, I am not going to go into the details here as I find the next option (mod_itk) a much much more elegant solution as Apache itself is run with another user’s permissions – not just php scripts.

A more technical solution, but a safer one if you have multiple virtual hosts that you would like to isolate from one another, is to run Apache as a different user for each host. Note that you need the apache2 mod_itk extension to do this. It’s easy to install, e.g. on Debian a simple apt-get install apache2-mpm-itk should do the job. Here’s the cool part. In your virtual host just use the AssignUserId directive to run apache2 as a different user for that host, e.g. I may have a host called MyCmsbloke.com that I want to run under the user account of “cmsbloke” and group “cmsblokeadmins”. In this case I used the following in the virtual host:

<IfModule mpm_itk_module>
    AssignUserId cmsbloke cmsblokeadmins
</IfModule>

Remember to restart apache after you change these configs.

 
