File permissions

  • This page was last modified on May 2, 2011, at 11:35.

Summary

Proper file permissions are an extremely important part of ensuring that your website is secure. Determining the correct permissions for any specific file requires knowing what type of information the file contains and what that information is used for. While it is impossible to give a generic answer that covers all use cases, you should follow these basic guidelines for files that reside in a web-accessible location.

Linux file permissions overview

On Linux and the other Unix-based operating systems typical of web hosting services, file permissions are granted based on three categories:

  • user - A specific account on the hosting system. You can think of this in general as the person who uploaded or created the file.
  • group - A specific selection of one or more users. Every user belongs to one default group.
  • other - Any other account on the hosting system.

Each of these categories can be granted permission to perform the following actions on a file:

  • read - The ability to view the contents of a file or directory.
  • write - The ability to change the contents of a file or directory.
  • execute - The ability to ask the server to treat the file as a program.

Rule of Least Permissive

Never allow more access to a file than is absolutely necessary.

Directories or Folders

Only the user that a directory or folder belongs to should have write access. Everyone else should have read and execute permissions (on a directory, execute is what allows a user to enter it and reach the files inside).

Sample command

chmod 755 wp-content

Static Content

Document, Image, Video, and Audio files all fall into the category of static content. The extension of a file can indicate if it is static content. Here is a list of some extensions that typically indicate a file is static content:

  • .html
  • .htm
  • .jpeg
  • .jpg
  • .gif
  • .png
  • .css
  • .js
  • .mpeg
  • .mpg
  • .mp3
  • .avi
  • .txt
  • .doc
  • .pdf

There are many more, but this is a good starting point.

Only the user a static content file belongs to should have write access. Everyone else should have read permission. Execute permission is not harmful on these files, but following the rule of least permissive, we don't want to grant access that is not needed.

Sample command

chmod 644 index.html

Dynamic Content

Scripts or binaries that run on the server and generate web pages fall into the category of dynamic content. If you are using WordPress or some other blogging software, it falls into this category. Here is a list of some file extensions that indicate dynamic content:

  • .php
  • .php4
  • .php5
  • .cgi
  • .pl
  • .py
  • .rb

This is just a list of some of the more common file extensions that indicate dynamic content.

The user a dynamic content file belongs to should have read, write, and execute permissions. Nobody else should need any permissions at all. The rule of least permissive is extremely important for these types of files, as they often contain sensitive information such as database passwords.

Sample command

chmod 700 script.php

Caveats

Every web hosting service is different. This was written with the (gs) Grid-Service platform in mind. While the basic concepts are the same on any platform, you will run into some differences. Mode 700 on a script, for example, only works where the server executes your scripts as the file's owner, as this guide assumes; where scripts run under a shared web server account, that account needs read access too, and the rule of least permissive means granting exactly that and nothing more. If you find yourself in that situation, fall back on the rule of least permissive.

Permissions Table

Type               Mode (octal)   Mode (symbolic)
directory/folder   755            rwxr-xr-x
.html              644            rw-r--r--
.htm               644            rw-r--r--
.jpeg              644            rw-r--r--
.jpg               644            rw-r--r--
.gif               644            rw-r--r--
.png               644            rw-r--r--
.css               644            rw-r--r--
.js                644            rw-r--r--
.mpeg              644            rw-r--r--
.mpg               644            rw-r--r--
.mp3               644            rw-r--r--
.avi               644            rw-r--r--
.txt               644            rw-r--r--
.doc               644            rw-r--r--
.pdf               644            rw-r--r--
.php               700            rwx------
.php4              700            rwx------
.php5              700            rwx------
.cgi               700            rwx------
.pl                700            rwx------
.py                700            rwx------
.rb                700            rwx------

Shell Script (or via SSH) to Quickly Set Permissions

Run these from the top of your web root. Each command is one line, split with trailing backslashes that the shell treats as continuations; the static content files get 644, the dynamic content files get 700, and every directory gets 755.

find . -type f \( -iname "*.css" -or -iname "*.htm*" -or -iname "*.jpeg" \
    -or -iname "*.jpg" -or -iname "*.gif" -or -iname "*.png" -or -iname "*.js" \
    -or -iname "*.mpeg" -or -iname "*.mpg" -or -iname "*.mp3" -or -iname "*.avi" \
    -or -iname "*.txt" -or -iname "*.doc" -or -iname "*.pdf" \) -exec chmod 644 {} \;

find . -type f \( -iname "*.php*" -or -iname "*.cgi" -or -iname "*.pl" \
    -or -iname "*.py" -or -iname "*.rb" \) -exec chmod 700 {} \;

find . -type d -exec chmod 755 {} \;
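Setting permissions is only half the job; you also want a way to find files that have drifted away from the table above (an uploader that creates world-writable directories, a config file left at 644). The audit script below is an added example, not part of this wiki page or of any (mt) tool: it walks a web root, compares each path's mode with the table, and, for file types the table does not cover, applies the rule of least permissive by flagging anything that group or other can write. It assumes GNU coreutils `stat -c %a`; the sample web root it builds is constructed for the demo and is not a real site.

```sh
#!/bin/sh
# Added audit example (not from the original wiki page): list every path
# under a web root whose mode differs from the permissions table above.
# Assumes GNU coreutils `stat -c %a` (prints the octal mode, e.g. 644).

# expected_mode PATH: the mode the table prescribes, or "unknown".
expected_mode() {
    if [ -d "$1" ]; then echo 755; return; fi
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.php|*.php4|*.php5|*.cgi|*.pl|*.py|*.rb) echo 700 ;;
        *.html|*.htm|*.jpeg|*.jpg|*.gif|*.png|*.css|*.js|*.mpeg|*.mpg|*.mp3|*.avi|*.txt|*.doc|*.pdf) echo 644 ;;
        *) echo unknown ;;
    esac
}

# audit_perms DIR: print "actual expected path" for each violation.
# Unknown file types follow the rule of least permissive: they are flagged
# only when group or other can write to them.
audit_perms() {
    find "$1" -print | while read -r p; do
        actual=$(stat -c '%a' "$p")
        want=$(expected_mode "$p")
        if [ "$want" = unknown ]; then
            last2=${actual#"${actual%??}"}      # group and other digits
            case "$last2" in
                [2367]?|?[2367]) echo "$actual group/other-writable $p" ;;
            esac
        elif [ "$actual" != "$want" ]; then
            echo "$actual $want $p"
        fi
    done
}

# make_sample_root: build a constructed web root with deliberate mistakes
# (not a real site) and print its path, so the audit can be tried offline.
make_sample_root() {
    root=$(mktemp -d) && chmod 755 "$root"
    mkdir "$root/uploads" && chmod 777 "$root/uploads"               # too open
    : > "$root/index.html"    && chmod 644 "$root/index.html"
    : > "$root/uploads/a.jpg" && chmod 644 "$root/uploads/a.jpg"
    : > "$root/wp-config.php" && chmod 644 "$root/wp-config.php"     # others can read it
    : > "$root/notes.bak"     && chmod 666 "$root/notes.bak"         # world-writable
    : > "$root/README"        && chmod 644 "$root/README"
    echo "$root"
}

# Usage: audit_perms /path/to/webroot   (or: sh this_script.sh --demo)
if [ "${1:-}" = --demo ]; then r=$(make_sample_root); audit_perms "$r"; rm -rf "$r"; fi
```

Each line of output names the actual mode, the mode the table expects (or the reason for the flag) and the path, so it can be fed straight into a chmod once you have confirmed the file is what you think it is.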

Notes/Supplemental