It depends on the ownership of the file/directory. Just remember, PHP under suPHP will access PHP scripts as the owner user, and those PHP scripts will operate as that user, meaning, everything they read or write is done as that user. So, PHP scripts only need to be owner-readable to run.
However, anything else that is not a PHP script is accessed as the Apache user (such files are not accessed by suPHP), meaning that user needs at least read access to the files and read+execute access to directories. If those files are owned by a common user, they will need to be world-readable (and world-executable for directories). But if they are owned by the web server user (nobody, www-data, apache, depending on distro) they only need to be owner-readable/owner-executable.
A note for directories: Apache (when serving non-PHP files) will try to read every directory in the path searching for .htaccess files. If it cannot explore the directories, it will fail with a 403 error, even if the file is readable.
So, I think for most websites or web applications all files (PHP files and non-PHP files, and directories) would be owned by a single user, so the permissions would be:
- PHP scripts: 0400 (u+r), or 0600 (u+rw) if PHP needs to modify them.
- non-PHP files: 0444 (ugo+r), or 0644 (u+rw,go+r) if PHP needs to modify them.
- directories: 0555 (ugo+rx), or 0755 (u+rwx,go+rx) if PHP needs to create files in them.
Another note: even if you set 0400 for a PHP script, it can be modified by another PHP script owned by the same user, as it can simply run chmod from PHP, so a 0400 is not safer than 0644. This applies only when using suPHP.
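
The following is an added example, not part of the original answer: a small POSIX shell audit that checks a docroot against the permission scheme listed above. It assumes the single-owner layout the answer describes (everything owned by the site user, not the web server user); the function name `audit_docroot` and the finding labels are made up for this illustration.

```shell
#!/bin/sh
# Added example: audit a docroot against the single-owner suPHP layout.
# Assumption: all files and directories belong to the site user, so the
# Apache user reaches non-PHP content only through the "other" bits.
# Usage: audit_docroot /path/to/docroot

# Prints one "LABEL: path" line per finding.
# Returns 0 when the tree is clean, 1 when something would break.
audit_docroot() {
    root=$1
    findings=$(
        # Apache walks every directory in the path looking for .htaccess;
        # a directory without o+rx yields a 403 even for a readable file.
        find "$root" -type d ! -perm -005 \
            -exec printf 'DIR_NOT_WORLD_RX: %s\n' {} \;
        # Non-PHP files are read by the Apache user, so they need o+r.
        find "$root" -type f ! -name '*.php' ! -perm -004 \
            -exec printf 'STATIC_NOT_WORLD_R: %s\n' {} \;
        # PHP scripts are read by suPHP as the owner; u+r is sufficient,
        # so 0400 and 0600 both pass this check.
        find "$root" -type f -name '*.php' ! -perm -400 \
            -exec printf 'PHP_NOT_OWNER_R: %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

The check looks only at mode bits, so it does not apply to files owned by the web server user, which the answer notes need only owner permissions.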