Managing permissions under Linux accounts

Managing file permissions

Managing file permissions on any platform is essential for the proper functioning of your website and any hosted applications.

There are many issues (such as Internal Server Error) that may arise due to incorrectly set permissions, especially for any essential files that need to be accessed or executed by your application or hosted website.

There are several ways you can manage your permissions, depending on your web hosting account type.

cPanel - File Manager (best choice for shared accounts)

This is the easiest way to manage your file permissions, and the recommended way to avoid mistakes and further confusion. Advanced users may explore other means to manage permissions. The following video tutorial covers how you can access and use the File Manager tool available inside your cPanel control panel:

The following is a short guide on how to set permissions through your cPanel File Manager:

  1. Go to the "File Manager" inside your cPanel control panel.
  2. Then click the name of the file for which you'd like to adjust its permissions.
  3. Click on the "Change Permissions" link on the top right of your screen.
  4. Select the necessary permissions you would like to set, so that your files/apps function properly.
  5. Then click on "Change Permissions" and you are ALL SET.

Managing permissions through FTP (advanced)

Since all of our cPanel accounts allow for FTP connections, you can adjust your file & folder permissions by using your favorite FTP client. For more information, please refer to your FTP client documentation. We do have a set of tutorials that can help:

Using SSH or a script

This can be done with the chmod command.

So, what do these permissions and numbers mean?

File permissions determine what you are allowed to do and who is allowed to do it.

The columns are the three types of users. First is the Owner; the owner is you, the person who has access to the cPanel or shell. Second is the Group; the group is other people on your server. Third is the World; the world is any visitor from the public (think world wide web).

Each row represents a permitted action for this file (or folder). Read means the user is allowed to view the file. Write means the user is allowed to edit the file. Execute means the user is allowed to run the file.

It is very important that Group and World be able to view your website files. However, there are some files which you may not want anyone to see. If you remove the check for Read under Group and World, then the file will not show in anyone's browser (instead visitors will see a 403 Forbidden error).

In the File Manager, permissions are expressed as numbers. We are only concerned with 3 digits, so if you see 4 digits, then ignore the first one. Thus 0755 is the same as 755.

The numbers represent a combination of each unique permission. Also, the first of the three digits represents the permissions for the Owner. The second digit represents the Group. The third digit represents the World.

  • Read is equal to 4.
  • Write is equal to 2.
  • Execute is equal to 1.
  • No permissions for a user is equal to 0.

Thus...

  • Write and Execute without Read is equal to 3.
  • Read and Execute without Write is equal to 5.
  • Read and Write without Execute is equal to 6.
  • Read and Write and Execute is equal to 7.

At this point, all you need to know is that your files should always have permissions of 644 or 755. (For most files, it doesn't matter if you give the executable permission or not. You won't see any difference.)

However, folders must always be 755.

One more rule. Any files inside the cgi-bin folder must have 755 permissions.

Advanced

A common concern is using file permissions of 777.

MochaHost does not allow 777 on files which process server-side (i.e. PHP). However, many scripts require you to change your files to 777.

I can tell you that 755 will work in lieu of 777. You will not need to use 777 on PHP files or folders.

What's the big deal?

The concern is giving writable permissions to Group and World. This allows hackers from the world wide web to edit your files. Thus, the last two digits of file permissions should never be 2, 3, 6, or 7.

The problem is that when you install a PHP script, the script needs permission to edit files. Traditionally, PHP is treated as 'nobody' on the server. Therefore, PHP is treated the same as any unknown visitor and must obey the permissions granted to World.

The solution to this conflict is to treat PHP as the Owner. MochaHost has done so by implementing a special PHP security environment known as suPHP (or phpSuExec).

With suPHP, all PHP scripts are allowed the same permissions as the Owner, and outside visitors are still restricted by the World permissions. Therefore, 755 is the perfect number; it allows all actions for PHP and only reading/viewing for potential hackers.
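
One way to check a site against these rules over SSH, as an added example (not MochaHost's own tooling). The function names and the script name are hypothetical, and the ~/public_html path is an assumption about where your site lives.

```shell
#!/bin/sh
# Added example: audit a web root against the rules in this article.
# Run as: sh audit-perms.sh ~/public_html   (script name and path are examples)

# Files and folders writable by Group or World (2nd or 3rd digit 2, 3, 6 or 7).
audit_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Folders, and files inside cgi-bin, whose permissions are not exactly 755.
audit_not_755() {
    find "$1" -type d ! -perm 755 -print
    find "$1" -type f -path '*/cgi-bin/*' ! -perm 755 -print
}

# Remove only the write bit from Group and World: 777 becomes 755 and
# 666 becomes 644, while private files (600, 700) are left untouched.
strip_group_world_write() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
        -exec chmod go-w {} +
}

# Report only; fixing is a separate, deliberate step.
if [ -n "${1:-}" ]; then
    echo "Writable by Group or World:"
    audit_writable "$1"
    echo "Folders or cgi-bin files that are not 755:"
    audit_not_755 "$1"
fi
```

Review the report first, then call strip_group_world_write on the same folder. Symbolic links are skipped, because find does not follow them by default.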

Other formats

Permissions can be expressed many ways. You have already seen the two-dimensional matrix and the 3 or 4 digit numbers.

However, if you prefer to use the Linux shell (SSH), then file permissions will look like this:

drwxr-xr-x

You can ignore the very first character; it represents the file type rather than permissions. Next, you see three letters which represent the Owner's permissions.

  • r = read
  • w = write
  • x = execute
  • - (hyphen) = no permission

The Owner will normally have all three permissions, which is represented by rwx.

The next three characters represent the Group's permissions. Finally, the last three characters represent the World's permissions.

Notice that Group and World do not get the writable permission. In place of the 'w' will be a hyphen, meaning that write is definitely not allowed: r-x.

Here are some conversions to consider.

Numerical Representation          Linux Representation
755 or 0755 (Recommended!)        drwxr-xr-x
644 or 0644 (Recommended!)        drw-r--r--
700 or 0700                       drwx------
777 or 0777 (Not recommended!)    drwxrwxrwx