Setting file and directory permissions
In order to enable the web server or PHP to access all files, they need to have the appropriate access rights to those files. We will now set those permissions.
This chapter only deals with Linux. Microsoft Windows also has a system of user permissions, but this is unfortunately very often either ignored or not properly configured by the administrator.
There are two ways to accomplish this. The first, faster method is based on the principle that everything is allowed at first, and the permissions for certain directories/files are then restricted. The second method works the other way round. Here we use the first method. It is not quite as secure as the second one, but you will end up with a running phpCMS system much faster.
Basics
Before we start to actually set the permissions, we should first have a brief look into the permissions system of Linux and the UNIX-based systems in general.
Linux differentiates between three categories:
- The first category normally only comprises the owner of the file.
- The second category covers all those users, who have the same field of activity or the same rights on the system as the owner of the file. They are all assigned to a (i.e. the same) group.
- The third category comprises everybody else, i.e. others.
To all those categories, one can separately grant or deny permissions.
The permissions in turn are divided into the right to read a file, to write (or alter or delete) it, or to execute it (in case of an executable file (script) or a directory). If some user (or the group he belongs to) has no executable permission to a directory, he cannot access the files in that directory, he can’t even list them.
The permissions are often abbreviated in programs as follows: read = r or 4; write = w or 2; execute = x or 1 (the digits represent the octal equivalent of the permissions). Multiple rights are combined: read and execute = r-x or 5 [= 4+1].
These permissions are attributed for every file or directory individually to owner, group and others, in octal representation making up for a block of three digits plus (normally) a leading ‘0’. Of all the combinations possible in that system, only a few are really used on a web server. Those most commonly used permissions are listed in the following table:
| Octal number | Description |
|---|---|
| 644 | The owner has reading and writing rights, his group and all others only have reading rights. This is the most used form. It allows in any case that the file can always be read by the web server too. |
| 755 | The owner has all rights, his group and all others only have reading and executing rights. This form is used quite often too. It allows that for example a directory can be accessed by everybody, i.e. also by the web server. |
| 777 | Everybody (i.e. others) has full rights. This form of permission is very risky, but quite often you cannot avoid using it on a shared server. You must use this form whenever the web server needs to write into a directory, as it is the case for the statistics or the cache. If you want to use the online editor, all files that you want to be editable have to have that form of permissions. In rare cases and depending on how the server is set up, it could well be that you do not have to grant permissions to ‘others’. Sometimes the web server is running with the rights of the web space owner. In that case it is also not necessary to open up permissions to everybody. |
Three typical service provider setups
Typically there are three possibilities for a web server to run in relation to the user:
- The web server runs with the user's permissions.
- The web server runs under its own set of permissions, but is a member of the same group as the user.
- Neither group permissions nor user permissions of the server and the user are identical.
After we now have clarified a lot of basic information, we can proceed to set the permissions for our phpCMS system.
Under Linux, you use the command chmod on the console for that purpose. But not everybody has 'shell access' to his server. In that case you can fall back on most of the FTP client programs' possibility to set permissions for directories and files, sometimes accessible via a right-click menu under permissions or attributes. In the final result there is no difference in how you set the permissions. A little later we will explain how it is done via a shell access, but you can easily translate these explanations to the settings used in your FTP client program.
Generic example
Before we will work on a real example we will explain what permissions a web server needs for the directories and files of the phpCMS system in order to run that system successfully. We will presume a standard installation as explained in the previous chapter, i.e. the parser is located in the directory /parser/.
The directory /parser/ itself and all its subdirectories need at least read and execute rights. (Remember: execute rights for a directory means that access to the files in that directory is allowed.)
All files contained in those directories need at least read permissions.
On top of that the following subdirectories of /parser/ need write permissions:
cache/, stat/, stat/current, stat/backup, temp/, and session/.
Furthermore the following files have to be writable by the web server:
/parser/stat/current/stat.txt, /parser/include/default.php and /parser/include/defaults_indexer.php.
If there are no read permissions attributed to the two latter files, phpCMS cannot be configured via the net and a browser. This scheme fits for all three provider setups mentioned before.
Now we will explain in detail how to set these permissions, considering all three above mentioned setups separately. We will quite often use the find command.
Here we use it to execute a command on all the objects of type file or directory. find recursively drills down from the directory passed as first parameter. The actual command to be executed is given after the parameter -exec. In our case that is the command chmod, the one used to set permissions. That command in turn takes the permissions to be attributed to the directories or files in the form of an octal number. All the following examples presume that the document root directory is the current one we are working in.
Setup example #1: The web server runs with the user's permissions
In this example the owner has no write permissions for most of the directories and files. This can be corrected by changing the permissions from ‘400’ to ‘600’ and from ‘500’ to ‘700’ respectively.
```sh
# all paths are relative to the document root (the current directory)
# use find to set permissions for all directories
# 'parser' is the name of the start directory
# the command after -exec is the one executed for each directory found
# 'only owner can access and read files in the directories'
find parser -type d -exec chmod 500 {} ';'
# set permissions for all files
# 'only owner can read files'
find parser -type f -exec chmod 400 {} ';'
# set permissions for the 'cache', 'temp', and 'session' directory
# 'only owner can access and read and write files in the directories'
chmod 700 parser/cache parser/temp parser/session
# set permissions for the 'stat' directory and its subdirectories
# 'only owner can access and read and write files in the directories'
find parser/stat -type d -exec chmod 700 {} ';'
# set permissions for some special files
# 'only owner can read and write files'
chmod 600 parser/stat/current/stat.txt
chmod 600 parser/include/default.php
chmod 600 parser/include/defaults_indexer.php
```
Setup example #2: The web server runs under its own set of permissions, but is a member of the same group as the user
```sh
# all paths are relative to the document root (the current directory)
# use find to set permissions for all directories
# 'parser' is the name of the start directory
# the command after -exec is the one executed for each directory found
# 'owner can access and read and write files in the directories'
# 'group of owner can access and read files in the directories'
find parser -type d -exec chmod 750 {} ';'
# set permissions for all files
# 'owner can read and write files'
# 'group of owner can read files'
find parser -type f -exec chmod 640 {} ';'
# set permissions for the 'cache', 'temp', and 'session' directory
# 'owner and his group can access and read and write files in the directories'
chmod 770 parser/cache parser/temp parser/session
# set permissions for the 'stat' directory and its subdirectories
# 'owner and his group can access and read and write files in the directories'
find parser/stat -type d -exec chmod 770 {} ';'
# set permissions for some special files
# 'owner and his group can read and write files'
chmod 660 parser/stat/current/stat.txt
chmod 660 parser/include/default.php
chmod 660 parser/include/defaults_indexer.php
```
Setup example #3: Neither group permissions nor user permissions of the server and the user are identical.
This would be the most common setup to be found.
```sh
# all paths are relative to the document root (the current directory)
# use find to set permissions for all directories
# 'parser' is the name of the start directory
# the command after -exec is the one executed for each directory found
# 'owner can access and read and write files in the directories'
# 'group of owner and others can access and read files in the directories'
find parser -type d -exec chmod 755 {} ';'
# set permissions for all files
# 'owner can read and write files'
# 'group of owner and others can read files'
find parser -type f -exec chmod 644 {} ';'
# set permissions for the 'cache', 'temp', and 'session' directory
# 'owner, his group, and others can access and read and write files in the directories'
chmod 777 parser/cache parser/temp parser/session
# set permissions for the 'stat' directory and its subdirectories
# 'owner, his group, and others can access and read and write files in the directories'
find parser/stat -type d -exec chmod 777 {} ';'
# set permissions for some special files
# 'owner, his group, and others can read and write files'
chmod 666 parser/stat/current/stat.txt
chmod 666 parser/include/default.php
chmod 666 parser/include/defaults_indexer.php
```
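A check that complements setup example #3, as an added example that is not part of the phpCMS documentation: it lists paths under the parser directory that are world-writable but are not among the directories and files this page says need write access. The function names, the demo tree and the file extra.php are constructed for illustration.

```sh
#!/bin/sh
# Added example (not phpCMS code): list world-writable paths under the parser
# directory that are outside the writable set named on this page.

# unexpected_world_writable ROOT -> offending paths relative to ROOT, one per line
unexpected_world_writable() {
    root=${1%/}
    # -perm -0002 matches every entry with the "others: write" bit set
    find "$root" ! -type l -perm -0002 | while IFS= read -r path; do
        rel=${path#"$root"}
        rel=${rel#/}
        if [ -d "$path" ]; then
            case $rel in
                cache|temp|session|stat|stat/*) continue ;;   # writable directories
            esac
        else
            case $rel in
                stat/current/stat.txt|include/default.php|include/defaults_indexer.php)
                    continue ;;                               # writable files
            esac
        fi
        printf '%s\n' "${rel:-.}"
    done
}

# Constructed demo tree: setup #3 permissions plus two deliberate mistakes.
# extra.php is a hypothetical file name. Prints the path of the parser directory.
build_demo_tree() {
    p=$(mktemp -d)/parser
    mkdir -p "$p/cache" "$p/temp" "$p/session" "$p/include" \
             "$p/stat/current" "$p/stat/backup"
    touch "$p/stat/current/stat.txt" "$p/include/default.php" \
          "$p/include/defaults_indexer.php" "$p/include/extra.php"
    find "$p" -type d -exec chmod 755 {} ';'
    find "$p" -type f -exec chmod 644 {} ';'
    chmod 777 "$p/cache" "$p/temp" "$p/session"
    find "$p/stat" -type d -exec chmod 777 {} ';'
    chmod 666 "$p/stat/current/stat.txt" "$p/include/default.php" \
              "$p/include/defaults_indexer.php"
    chmod 777 "$p/include"            # mistake 1: code directory opened to everyone
    chmod 666 "$p/include/extra.php"  # mistake 2: ordinary script made writable
    printf '%s\n' "$p"
}

demo=$(build_demo_tree)
unexpected_world_writable "$demo"   # reports include and include/extra.php
rm -rf "${demo%/parser}"
```

Run against a real installation, an empty result means only the paths listed on this page are writable by others; file names containing newlines are not handled.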
Final settings
For most cases all necessary file permissions are now granted.
If you want, you can remove the dummy.txt files from the directories /parser/cache/, /parser/stat/, /parser/temp/, and /parser/session/. These files have served their purpose (to ensure that the directory they are in is created during extraction from the archive, which is not always the case if a directory is completely empty) and are no longer needed.

