Permissions Explained

From TNG Wiki

Most web servers run Linux, whose file-protection system is more powerful than that of Windows. Mac OS X uses almost the same system underneath (though one command differs, as noted below). Understanding it matters when you change config and other files.

Background

Linux (and Unix) divides users into three categories: the owner of a file (u, User), users in the same Group as the owner (g) and everyone else (o, Others). For each category, permission can be granted separately to read a file (r), write to a file (w) and execute a file (x). In this context, the x permission is important only for directories: if it is not set on a directory, the corresponding user can't use that directory in the normal way.

The "normal" setting for a file is then u=rw, g=r, o=r, meaning that the owner can read and write the file and anyone else can only read it. This is normally expressed as a 3-digit octal number, 644 (4 means read and 2 means write, so 6 = 4 + 2). For a directory the norm is 755 (1 means execute, so 7 = 4 + 2 + 1).

Web server

On the web server there are two users who need to write to files: you (meaning the account used by your FTP client, such as FileZilla, or your shell login) and the user the PHP process runs as. Usually these are the same (Apache's suEXEC facility ensures this), but they can be different.

However, TNG support may require another user on the same server to be able to write to some files, such as those in the config directory. In this case the files in question need to be 664, and that person must be in the same group as the owner.

For a home server using Linux or Mac OS X, it is also likely that the PHP process will run under a different user id. In this case it is possible to change all files in the TNG system to 664 and the directories to 775 (and to add the id under which PHP runs to a group which includes the user). On Linux this can simply be done with the command:

chmod -R 664 .

issued in the main TNG directory. However on Mac OS X this will also affect the directories, removing the x bit and making them unusable. On the Mac the correct command is

chmod -R ug+rwX,o+rX,o-w .

Here the capital X applies the x bit only to directories (and to files that already have it), so the directories stay usable. (If you do this from a shell, it's worth making an alias, without the final dot, so you don't have to remember the whole expression.)
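As an added example (not from the wiki), the following POSIX shell script builds a small constructed tree that mimics the TNG layout, applies the symbolic chmod from above, and verifies that every file ends up 664 and every directory 775; the directory and file names and the helper names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: apply the page's symbolic recursive chmod and verify the result.
set -eu

# Print a path's permission bits in octal. GNU stat (Linux) first, BSD stat
# (Mac OS X) as a fallback, so the check works on both systems.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Build a constructed sample tree (assumed names), starting from restrictive
# modes so that the effect of the chmod is visible.
build_sample_tree() {
  mkdir -p "$1/config" "$1/gedcom"
  printf '<?php // constructed sample\n' > "$1/config/config.php"
  printf 'constructed sample data\n' > "$1/gedcom/family.ged"
  chmod 700 "$1/config" "$1/gedcom"
  chmod 600 "$1/config/config.php" "$1/gedcom/family.ged"
}

# The command from the page. Capital X adds execute only to directories (and
# to files that already have it), so directories remain usable with either
# GNU or BSD chmod.
normalize_tree() {
  chmod -R ug+rwX,o+rX,o-w "$1"
}

# Walk the tree and report anything that is not 664 (files) or 775 (dirs).
# Returns 0 when everything matches, 1 otherwise. Paths in the constructed
# tree contain no whitespace, so plain word splitting of find's output is safe.
verify_tree() {
  bad=0
  for p in $(find "$1" -mindepth 1); do
    m=$(mode_of "$p")
    if [ -d "$p" ]; then want=775; else want=664; fi
    if [ "$m" != "$want" ]; then
      echo "MISMATCH: $p is $m, expected $want"
      bad=1
    fi
  done
  return "$bad"
}

# End-to-end run against a throwaway directory; returns verify_tree's status.
demo() {
  tmp=$(mktemp -d)
  build_sample_tree "$tmp"
  normalize_tree "$tmp"
  if verify_tree "$tmp"; then status=0; else status=1; fi
  rm -rf "$tmp"
  return "$status"
}
```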

Question

The following question by Al (ca_drm1n) and answer by Steve (svoght) were extracted from the TNG Community Forums.

I checked out my host's help file on permissions, but am still fuzzy on how they work and relate to execution of php scripts when a visitor is on the site. They break the three sets into owner, group, and world, but I guess my confusion is who actually fits within these three sets. I struggle with understanding what permissions are being used as a user (logged in or otherwise) views the site with a web browser. Also not sure when the "execute" permission would ever be needed.

Answer

On actual PHP scripts (or CGI or Perl script), the execute flag is necessary in order to tell the server you have permission to run it. The config file isn't a script so you don't need to be able to execute it... just to read it.

With regard to owner/group/world:

Owner: the creator (or uploader) of the files. Typically this is your username on your web host.

Group: there can be many uses for groups. On a web host, typically your group consists of

  • you (see above),
  • the web daemon (the "owner" of the web server, typically named "apache"),
  • and occasionally administrative users such as your mail daemon, anonymous FTP daemon, SQL daemon, etc.

This group enables your site to run all of the things you should be able to run (with the proper permissions and protections) while keeping out all the other end users on your shared server. Since the web server is the one actually doing the PHP processing, it needs to be able to access the important files such as config, which is why the group usually needs read/write privileges.

World: precisely what it sounds like -- everyone and anyone who could potentially write to the folder.

Permissions illustrated

drwxrwxr-x is the same as 775.

As a general education to those that don’t know much about Unix file permissions, the decoder ring looks something like this:

  • Drop the first character, it’s just telling you what kind of “thing” the entry is. ‘d’ for directory, ‘l’ for link, ‘-’ for a file.
  • Next are three sets of three characters, each set representing the permissions for the owner, group members, and everyone else, respectively.
  • Each of the three characters represents the permissions for read, write, and execute for that person/set of people. For this directory, we have:
  • Each of these textual representations can be translated to a binary value, and then to an octal digit. These octal digits are what you often see when referring to permissions (755, 644, etc).

The following table gives a complete summary of the possible combinations.

Permission Octal Values Explained

Octal digit   Text equivalent   Binary value   Meaning
0             ---               000            All types of access are denied
1             --x               001            Execute access is allowed only
2             -w-               010            Write access is allowed only
3             -wx               011            Write and execute access are allowed
4             r--               100            Read access is allowed only
5             r-x               101            Read and execute access are allowed
6             rw-               110            Read and write access are allowed
7             rwx               111            Everything is allowed

So for the directory in question, you would break it down as:

  • owner: rwx = 111 = 7
  • group: rwx = 111 = 7
  • other: r-x = 101 = 5

Final answer = 775

This information was provided by Bret Rumsey on the user2 list on 20 Feb 2009
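The decoding described above, as an added example that is not part of Bret's post: two POSIX shell functions that convert an ls -l style mode string (with or without the leading type character) to its octal digits and back. The function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: convert between the ls -l text form of permissions
# (e.g. drwxrwxr-x) and the octal form (775) using the page's decoder rules.

# mode_to_octal MODESTRING
# Accepts a 10-character ls -l mode (type character plus nine permission
# characters) or a bare 9-character string; prints the three octal digits.
mode_to_octal() {
  s=$1
  # Drop the leading type character (d, l, -) when one is present.
  [ "${#s}" -eq 10 ] && s=${s#?}
  out=
  while [ -n "$s" ]; do
    triple=${s%"${s#???}"}   # first three characters: one user class
    s=${s#???}
    v=0
    case $triple in r??) v=$((v + 4)) ;; esac      # read   = 4 (binary 100)
    case $triple in ?w?) v=$((v + 2)) ;; esac      # write  = 2 (binary 010)
    # s and t (setuid/setgid/sticky shown over an x) also imply execute;
    # S and T, shown over a missing x, do not.
    case $triple in ??[xst]) v=$((v + 1)) ;; esac  # execute = 1 (binary 001)
    out="$out$v"
  done
  printf '%s\n' "$out"
}

# octal_to_mode OCTAL
# Prints the nine-character text form of a three-digit octal mode.
octal_to_mode() {
  s=$1
  out=
  while [ -n "$s" ]; do
    d=${s%"${s#?}"}          # first remaining digit
    s=${s#?}
    case $d in [4567]) out="${out}r" ;; *) out="${out}-" ;; esac
    case $d in [2367]) out="${out}w" ;; *) out="${out}-" ;; esac
    case $d in [1357]) out="${out}x" ;; *) out="${out}-" ;; esac
  done
  printf '%s\n' "$out"
}
```

Feeding the output of `ls -ld` for a directory to mode_to_octal reproduces the 775 breakdown given above.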

Related Links

The following provide additional security measures:

Controlling Site Access

Protecting Resources

Checking your site for Malware