
I'm on a shared host, and a bit confused about file permissions:

  • My website directory /home/user/www is owned by user:nobody
  • Everything inside /home/user/www is owned by user:user (?)

Most people would tell me I have to do the following (summarized):

chown -R user:nobody /home/user/www
find /home/user/www -type d -exec chmod 750 {} \;
find /home/user/www -type f -exec chmod 640 {} \;

But I can't `chown` anything, and since files will be owned by user:user, I don't know what the permissions should be.

I noticed I can chmod 600 some PHP scripts, while CSS stylesheets need to be world readable..?

I'm looking for the best security approach in this case! And please don't tell me I need to move to a dedicated server: why would I ask any question then!?

admirabilis
  • What does your hosting-provider's help-desk say? – RedGrittyBrick Apr 20 '11 at 13:52
  • They're very busy and have been answering emergency requests only. I had a look at their Knowledgebase, and it says I should chmod my PHP scripts to 644 'in order to avoid problems'. Is the only security risk of making my files readable by everybody the ability of reading passwords etc.? If it is, then I would chmod everything to 644, and config.php I would chmod 600. – admirabilis Apr 20 '11 at 15:26

1 Answer


The files in the site www subdirectory should be readable by the effective user-id of the running web-server. The Apache web-server often runs as user nobody, group nobody or user www-data, group www-data. So this user or group needs read permissions.

If the PHP scripts write to files, those files need to be writeable by the effective user-id of the running Apache service.

How exactly this is arranged depends on your hosting provider.

If the site is public and the scripts contain no passwords, no exploitable security loopholes (e.g. race conditions), it may be OK to give world-read permissions. I would aim to have all files owned by your personal user-id, not by a user "nobody" or "user". Only you should have write permissions on files in the www subdirectory (and its subdirectories). Even if your site contains no personal or valuable data - you don't want it to be taken over by fraudsters or spammers.

A couple of useful resources are

RedGrittyBrick
  • Thanks, useful articles! From what I understood, PHP scripts are run as my_user (I tried an exec('whoami')), not by nobody, so it might be probably OK to leave them 600 (a few contain passwords). I think other files have to be left as 644 because the files don't belong to the apache group, and apache doesn't belong to my group. Am I wrong? When you said the files should be owned by the user-id: I tried chowning some files on my Debian machine as 1000:1000, but `ls -l` still shows username:username. Does it make any important difference? The server runs CentOS (Red Hat), though. Thanks – admirabilis Apr 20 '11 at 21:06
  • I realize you were not talking about the user number, but that the user name shouldn't be 'user'. It was just an example! – admirabilis Apr 22 '11 at 19:56
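
The rules that come out of this thread (only the owner can write, files holding passwords are not readable by group or others, everything is owned by your own user-id) can be checked without `chown` rights. The following audit is an added example, not code from any of the posts; the function name `audit_docroot` is hypothetical and `config.php` as the default secret file name is an assumption taken from the question's comment.

```shell
#!/bin/sh
# Added example: audit a web root against the permission rules discussed above.
# Usage: audit_docroot DIR [SECRET_NAME]
# Prints one finding per line as "<ISSUE> <path>"; prints nothing when clean.

audit_docroot() {
    root=$1
    secret_name=${2:-config.php}   # assumption: files with passwords use this name
    me=$(id -u)

    # Rule 1: only the owner may write, so no group- or world-write bit
    # on any file or directory (symlink modes are meaningless, skip them).
    find "$root" ! -type l \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/WRITABLE_BY_OTHERS /'

    # Rule 2: files that hold passwords must not be readable by group or
    # others (mode 600 when PHP runs as the account owner).
    find "$root" -type f -name "$secret_name" \
        \( -perm -040 -o -perm -004 \) -print |
        sed 's/^/SECRET_READABLE /'

    # Rule 3: everything should be owned by your own user-id, not by the
    # web server's account.
    find "$root" ! -user "$me" -print |
        sed 's/^/NOT_OWNED_BY_ME /'
}

# Run directly as: sh audit.sh /home/user/www
if [ "$#" -gt 0 ]; then
    audit_docroot "$@"
fi
```

Static files such as stylesheets at 644 and directories at 755 pass all three checks, which matches the case where the web server reads them as "other".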