1

I have a file test.php. This writes to log.txt in a subfolder, log.

I have tried some combinations and it seems the minimum is 007 for the folder and 006 for the log. Is this perfect?

Shaun
David19801

4 Answers

1

I wouldn't call it perfect; it depends on what you're trying to accomplish and how your users are set up... that's not exactly minimum either. With that setting EVERYONE can read, write and execute for the directory. And EVERYONE can read and write the file.

If you can, the file log.txt should already exist; then you don't need to up the permissions on the folder at all. And I'd only allow read and write on the file for the specific users and groups who need the rights. It's also a good idea to keep writable data above the web root; then if someone does manage to get something into it that shouldn't be there, it's not directly accessible on the web.

profitphp
1

First off, test.php should likely execute as a specific user in a user group to whom you give permissions.

Second, you should give permission to write to that group, rather than everyone. The three digits in a permission octal give permission to the owner, group, and everyone else. As you have set your permissions, you're basically letting everyone view your logs and execute stuff in your log folder.

You probably want to give the owner and group full permission to the folder and read/write to the log file while also keeping other people out of the folder. That being the case, you want to set the permissions for the folder at 770 and the file as 660. As long as test.php executes as the user or the group who owns log.txt, it'll work fine and keep prying eyes out.

Shaun
  • Rather than 770 on the folder, it'd be better if the log.txt already existed. It doesn't sound like it's for an upload script or something like that, so that should work. Also notable: the log folder would be better off residing above the web root. – profitphp Jan 20 '11 at 23:16
  • I've moved the log file to above the public folder, but it still only works with 006. If it is outside the public folder, is it ok to leave it as 006? – David19801 Jan 20 '11 at 23:21
  • @david Moving it outside the web root is really just an added security measure, and doesn't have much to do with what you're doing. It doesn't make the 006 more secure or restrictive. – profitphp Jan 20 '11 at 23:23
  • I checked user data, it says I am running as root root – David19801 Jan 20 '11 at 23:36
  • Typically, you don't want scripts or services on any system running as the root user. It's best to run them from an account with lower permissions, such as the user created by your web service ('apache', for example). You'd then want to change the owner and group of the directories and files appropriately. – Shaun Jan 20 '11 at 23:47
  • But how do I make a group? I tried asking on server fault, 1 random answer...does not work. So how to make a user group or run php as something other than root? – David19801 Jan 20 '11 at 23:51
  • I found your question on serverfault and provided you with some additional detail: http://serverfault.com/questions/224931/set-file-permissions-for-php-script/224960#224960 – Shaun Jan 21 '11 at 00:23
0

This is in no way perfect. It means everyone can write to the directory, and everyone is permitted to read and write to the log file.

You should determine the user for which the PHP processes are spawned and set file/directory ownership accordingly. In almost any case, 0700 and 0600 for directory and file, respectively, is sufficient.

Linus Kleen
0

007 and 006 are almost definitely not what you want. In file permissions, the last digit is the code for 'world', which is everyone that isn't you.

If your web server is configured with suid or something similar, you can set your permissions to be 770 or 660, or possibly even 700 or 600. These permissions are much more restrictive, which is what you want.

Kevin Lacquement
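
The third octal digit that the answers warn about, checked and then cleared in shell. This is an added example, not code from any of the answers; the temporary paths are constructed, and the optional group argument is a placeholder for whatever group the PHP process runs under.

```shell
#!/bin/sh
# Added example (not from the original answers). Paths are constructed;
# the group argument is a placeholder for whatever group PHP runs under.

# Print the "other" (world) rwx triplet of a path: "rwx", "rw-", "---", ...
# Characters 8-10 of the `ls -ld` mode string correspond to the third octal digit.
world_bits() {
    ls -ld -- "$1" | cut -c8-10
}

# Succeed only if world has no read, write or execute bit on the path.
no_world_access() {
    [ "$(world_bits "$1")" = "---" ]
}

# List everything under $1 on which world has any permission bit set.
audit_tree() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Apply 770 to the log directory and 660 to a pre-created log.txt.
# $1 = log directory, $2 = optional group to hand both to (needs privileges).
harden_log() {
    mkdir -p -- "$1" || return 1
    chmod 770 "$1" || return 1        # directory first, so the owner can enter it
    : >> "$1/log.txt" || return 1     # pre-create; appending keeps existing lines
    if [ -n "${2:-}" ]; then
        chgrp "$2" "$1" "$1/log.txt" || return 1
    fi
    chmod 660 "$1/log.txt"
}

# Demo in a throwaway directory: the question's modes, then the tightened ones.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/log" && : > "$d/log/log.txt" || return 1
    chmod 006 "$d/log/log.txt" && chmod 007 "$d/log"
    echo "before: dir world=$(world_bits "$d/log")"
    harden_log "$d/log" || return 1
    echo "after:  dir world=$(world_bits "$d/log") file world=$(world_bits "$d/log/log.txt")"
    rm -rf -- "$d"
}
demo
```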