Ok, so I'm not really sure about the permissions when it comes to PHP, or any other language that is executed on the server side.

From what I know, a file has the following permissions: read, write, execute, they can be combined, like read and execute only, write only, and so on and so forth. There are three "types of users", so basically, read, write, execute permissions need to be set for each of them: users, that are: root, group, world. If I set the read permissions to "ON" for each one, theoretically, I should be able to download the php file, whoever I am, because all the users can read the file.

Did a little experiment on my local server. I have a file called a.php which contains the following code:

<?php
echo 'executed';
?>

I've set its permissions to 333 which is -r--r--r--. Everybody that's accessing the file can only read it. If I go to a.php using my browser, I just see executed which is the result of the echo from the php file, not the entire text. I am not really sure why this is happening, and not showing all the code. This is a really good thing in a way, because hackers won't be able to see the source code, even if you forget to disable the read permissions for example.

It's a mystery for me atm, if somebody could explain why this is happening, I would really appreciate it. Thanks!

user1812076
    The answer to this question: http://stackoverflow.com/questions/2010623/unix-permissions-read-vs-execute-php-context explains how permissions work regarding PHP scripts. Not sure if it answers your full question, but it should be a good start. – War10ck Jan 23 '15 at 16:01

2 Answers

That happens because of the web server (Apache, nginx, etc). When you "ask" for this file it checks its type and then guesses what to do. When it sees php it executes it, sending a text/html header. If you want it to show code, don't execute it and return text/plain.

In your case the php interpreter (not the browser!) reads the file and then executes it. If you deny reading from this file it won't be able to do this.

ForceBru

The only time "execute" privileges are required is for old-school CGI scripts. Those are literally executed via a shell on behalf of the webserver. Every other file that your webserver accesses only needs "read" privileges.

PHP scripts are not "executed" as if they were a program. The PHP plugin within the webserver READS the php code into memory and does the execution there. At no point is there ever really a "php program" running. As long as the file's readable, PHP can load the raw code, then parse/execute it.

Marc B
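The read-versus-execute distinction both answers describe can be modelled in a few lines. The following is an added example, not code from the question or either answer: it decodes octal modes the way `ls -l` shows them and applies the POSIX rule that only the first matching class (owner, then group, then other) is consulted. The uids, the group and the function names are constructed for illustration, and root and ACLs are ignored.

```python
import stat

R, W, X = 4, 2, 1  # permission bits within one rwx triplet

def triplet_for(mode, file_uid, file_gid, proc_uid, proc_gids):
    """Pick the single rwx triplet POSIX applies: owner, else group, else other."""
    if proc_uid == file_uid:
        return (mode >> 6) & 7
    if file_gid in proc_gids:
        return (mode >> 3) & 7
    return mode & 7

def can(bit, mode, file_uid, file_gid, proc_uid, proc_gids):
    """True if a non-root process is granted `bit` (R, W or X) on the file."""
    return bool(triplet_for(mode, file_uid, file_gid, proc_uid, proc_gids) & bit)

def how_served(mode, file_uid, file_gid, proc_uid, proc_gids, cgi=False):
    """What a server process can do with a script file.

    An in-server PHP interpreter only reads the file; classic CGI also
    needs the execute bit, as the second answer notes.
    """
    args = (mode, file_uid, file_gid, proc_uid, proc_gids)
    if not can(R, *args):
        return "denied: interpreter cannot read the script"
    if cgi and not can(X, *args):
        return "denied: CGI needs the execute bit"
    return "runs: interpreter reads the source, only output is sent"

def symbolic(mode):
    """Render an octal mode the way `ls -l` does for a regular file."""
    return stat.filemode(stat.S_IFREG | mode)

# Constructed accounts: uid 1000 owns the file, uid/gid 33 is the web server.
OWNER, WEB, WEB_GROUP = 1000, 33, 33

if __name__ == "__main__":
    for mode in (0o444, 0o333, 0o640, 0o604):
        result = how_served(mode, OWNER, WEB_GROUP, WEB, {WEB_GROUP})
        print(oct(mode), symbolic(mode), result)
```

Mode 640 with the web server's group on the file lets the interpreter load the script while keeping other local accounts from reading the source; whether the source ever reaches a browser is decided by the server's handler configuration, not by these bits.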