Default permission for files on linux server is 644, that means it is readable by everyone. I read some articles suggesting to change permission for config files to 600. Does it mean that there are some way for hacker to view code inside a php file if it has read permission enabled?
Is there any way hacker can make use of 644 permission of a file?
"Readable by everyone" includes hackers that roam around on your server, so yes a hacker is able to read the file contents if (s)he gained access to your server. If the hacker even gain root permissions on your server, the permissions do not matter, as (s)he can read all files.
If the hacker does not have direct access to your server, but instead tries to hack your website (or other online (PHP) service you provide), the hacker is able to gain access to the file if your service somehow (erroneously) provides the content of the file (e.g. by including some file that was not supposed to get included). Assuming that the service is not running with root permissions, the file permissions are also able to prevent the service (and thus hacker) to read the content.
For example, assume you want to count the downloads of your files, you could use:
$download = $_GET['download'];
updateDownloadCounter($download);
// Send file to user
readfile($download);
If a 'hacker' uses download.php?download=/etc/shadow your servers passwords (well at least the hashes of the user accounts) are send to the 'hacker' as a nice download. (Hacker seems too flattering for this obvious example :P )
Setting the file permissions to 600 helps in preventing hackers to read the files content, as php does have root permissions and is unable to read the contents of the file.
Note that there are lots of more ways to get the contents of your files, so just/only setting permissions is not enough to guarantee your safety.
