An Introduction to Linux File Permissions January 11th, 2010

File permissions in Linux differ from Windows, and understanding more about them can protect you from quite a few malicious users out there. Unlike Windows where file permissions in this sense don’t exist, Linux is designed to be a multi-user system. This is what makes Linux itself the ideal for hosting multiple websites; the server software is designed for different users to be working at the same time. For the system to work, Linux needs to know two key pieces of information about each and every file: what can be done to a file and who can do it to the file.

To accomplish this, the Linux gurus built a permissions system based on a few letters: r (read), w (write), and x (execute). Each option does pretty much what it says. With read permissions granted, the file can be read. Write permissions on a file mean that you can change/edit the file and save those changes. Execute permissions are for things like CGI scripts where you can actually run the script.

To give you an idea of how this works, let’s look at typical output (from shell) for file permissions. We obtain this information using the command ls –la which will output some potentially foreign looking information if this is your first time:

-rw-r--r-- 1 domainowner domainowner 193 Sep 18 24:19 index.html
drwxr-xr-x 2 domainowner domainowner 4096 Sep 15 02:57 data/

You can see the letter permissions that I spoke about a bit earlier, but the confusing part is that there looks to be multiple versions of that information. If that’s an observation that you made, congratulations, you’re pretty sharp. While Linux has a unique three-pronged letter permission system, it also has a three-pronged user section where it informs the server who can do what.

The very first single letter is to designate whether the item is a directory (think Windows folder) or a file. It will have, naturally, a d for directory and will be blank for a file. Linux performs this task automatically, so no worries about assigning a d are necessary. The next three sets of three are where the meat of file permissions really lies. The first three are the owner permissions(the file creator = the owner), the second three the group permissions, and the final three are the public (everyone else) permissions.

Take the file listed above. The owner (domainowner) has permissions to read the file and write it. The group and public can only read it. The reason for this is security. If anyone and everyone can write the file, imagine the abuse!

Now the next caveat I’ll share is the cause of many support tickets. Unlike other hosts, Idologic runs a type of hardened PHP setup known as suPHP. Unfortunately, many manuals tell you to do crazy things like run your website with files with 666 and folders with 777 permissions. What these numbers mean is basically a type of shorthand for file permissions. IE: 7 indicates that everyone can do everything. So when you run 777 permissions, everyone can read and write the file! That’s completely insecure and one of the leading ways to wake up to a defaced website.

Here are the numbers with their values:
0 No permissions whatsoever
4 Read
5 Read / execute
6 Read / write
7 Read / write / execute

The values you want to routinely use are as follows: 644 for HTML/PHP/etc. files, 755 for directories, and 755 for CGI scripts. 644 is the ideal because these types of files don’t require execute permissions. 755 for CGI scripts because they must execute to work.

Jumping back to suPHP, it requires only 644 permissions because the files are run as the owner. This makes for a much more secure environment and eliminates the need for those risky 777 permissions.

Last but not least, you’re going to need to know how to change file permissions. This is done in the shell with the command chmod. There are a variety of ways, but for the novice I recommend simply using the numbers to chmod files. To chmod a PHP file, the command is: chmod 644 index.php. If you use FTP, the trick is to typically right click the file and there will be a link either called “chmod” or “file permissions” to click and then input the values.

If you understand this information, congratulations! You now understand the basics of Linux file permissions, and you’re already on the path to better securing your website. As always, Idologic support is available on the helpdesk should you need any help at any time.

Leave a Reply

Your email address will not be published. Required fields are marked *