1

I need to set chmod for a file so that everybody can view the file, and only the web server holding it (or PHP script) can overwrite it.

What would be the correct chmod setting for this? Can you explain what groups are? Are they relevant for me?

halfer
  • 19,824
  • 17
  • 99
  • 186
mowgli
  • 2,796
  • 3
  • 31
  • 68

1 Answers1

0

Generally the file should be owned by, or be in the group of, the web server user. Assuming your web server runs under www-data, that would mean running this:

chmod u+w file.txt        # write access for the file's user
chmod ugo+r file.txt      # read access for user, group, other
chown www-data file.txt   # change owner

Or this:

chmod g+w file.txt        # write access for the file's group
chmod ugo+r file.txt      # read access for owner, group, other
chgrp www-data file.txt   # change group

The latter is useful if you wish to make the files writeable by an owner user - this is common if you wish to rsync the files, or perhaps git pull, under your normal account.

Note that users and groups are different things. The above examples take advantage of the fact that 'www-data' is a common user that is created by installing Apache, and 'www-data' is a common group that is also created at the same time. Yes, they are named identically, and are two different things!

You asked what a group is. It is normally used as a category for users, so for example a university might have groups called 'students' and 'staff'. Users can be added to any number of groups, so research students could arguably be added to both, for example, since they qualify as being in both categories. Membership of groups then allow system administrators to confer read and write privileges on a global basis, without having to worry about resetting users individually.

It's worth being careful with what you make writeable by the web server, especially files and folders that are within the normal document root. If there is a vulnerability in your web app, you don't want users being able to create PHP files via the web server, otherwise arbitrary remote execution may become possible.

To defend against this, if you are (for example) just uploading text files, do so outside of your document root, so they cannot be remotely executed. And if you are uploading images (which need to be in the doc root) disable the PHP engine for that directory.

halfer
  • 19,824
  • 17
  • 99
  • 186
  • Ok. I'm uploading images to the server (php), and sometimes overwriting (also via php). So if I set a file to chmod($file, 0646) after upload.. Will only the server/script be able to change/overwrite it? – mowgli Jul 31 '14 at 19:26
  • 646 = read/write for the owner, read for the group, and read/write for 'other'. So other users who have a Unix account on this server will be able to read/write it. However, if you trust other users on the box, you will be OK. Is this shared hosting though? If so, the last octal should be zero. Furthermore if the web server runs as the same user for all users, there are more security implications to consider. – halfer Jul 31 '14 at 19:29
  • (I'm not an expert on shared hosting permissions, since exact configurations vary from one to another. If you are hosting a serious service I tend to recommend a VPS anyway, as you have less security issues to worry about). – halfer Jul 31 '14 at 19:30
  • Yes it's a shared host. Hm ok I will make some tests.. but really, other users on host should never ever have access to other people's files. I cant see how that would happen (if the host is just minutely pro) – mowgli Jul 31 '14 at 19:32
  • "users on [the] host should never ever have access to other people's files" - on the contrary, it is often (but not always) a serious security issue with shared hosting. Have a look in the `/tmp` folder, for example - unless the host has secured it, you can probably fish out session data belonging to other web apps. Read [this](http://wiki.dreamhost.com/Enhanced_User_Security), [this](https://en.wikipedia.org/wiki/SuEXEC) and [this](http://shiflett.org/articles/shared-hosting) for more information about securing applications on shared hosts. – halfer Jul 31 '14 at 19:36
  • Ok. I'm getting closer to understand it now.. the thing is also, I'm testing on a mac (different CHMOD scope, group is not the "domain") and the live server treats group differently (group is the domain). So I see I have to use 2 setups for permissions. Thank you – mowgli Jul 31 '14 at 19:45
  • 1
    No worries. To emulate your environment more closely, consider using Vagrant, which uses Ubuntu running on VirtualBox by default. It is _extremely_ easy to set up. – halfer Jul 31 '14 at 19:47