glFusion Wiki

Site Tools


glfusion:permission_tutorial

Permissions 101

File and directory permissions on a shared hosting site and much more complicated than most folks realize. Generally you will hear people say set the permissions to 777 and everything will work. While this is generally true, it is also less secure. This overview will provide you with a little more knowledge on how directory and file permissions work on Unix / Linux based hosting accounts.

Parts of the Permission Puzzle

Permissions have 3 main components:

  • Owner
  • Group
  • Permissions setting (generally a number like 777 or 644).

Every file and directory has a set of permissions for:

  • User: The user that owns the file.
  • Group: The users that belong to the group which the file belongs.
  • Others: Any other user not in one of the two preceding classes.

So a permission setting of 755 would equate to:

  • User: 7 permission
  • Group: 5 permission
  • Others: 5 permission

What do these number mean, let's take a closer look. There are 3 basic types of permissions:

  • Read
  • Write
  • Execute

Read is represented by the number 4
Write is represented by the number 2
Execute is represented by the number 1

To get a 7 permission, that is:

Read:    4
Write:   2
Execute: 1
----------
         7

A 5 permission is:

Read:    4
Execute: 1
-----------
         5

So, if you just wanted the owner of the file to be able to read and write (not execute), the permission would be:

Read:    4
Write:   2
-----------
         6 - This gives a user read and write access.

If you break down the number 644 what that means is:

  • Owner gets read / write (that is what 6 means).
  • Group gets read (that is what 4 means).
  • Everyone else get read (that is what the last 4 means).

So, when you look at a file (let's use mgmedia.rss as our example), it has an owner and a group associated with it. If you had shell access to the system and did an ls -l you would see something like:

-rw-rw-r--   1 www wwwdata   993 May 30 13:35 mgmedia.rss
 

This tells use that the permissions are:

Owner - rw Group - rw Everyone - r

The owner of the file is www the group is wwwdata.

The next key piece of information we really need to know is what user and group the web server is configured to run as. Let's say in our example the web server runs as user www.

Since the web server is user www and the owner permission for mgmedia.rss is rw, that means that 644 is plenty of permissions to allow the web server to write to that file.

In many cases, the user that you use to FTP the files to the server is different than the user the web server is running as. In these cases, you may have to grant 777 permissions (giving everyone the 7 perm which is read, write, execute) to make things work.

What happens when new files are created by PHP / Web Server

There is another permission term we need to understand, that is umask. The user file-creation mode mask (umask) is used to determine the file permission for newly created files. It can be used to control the default file permission for new files.

So, depending on how your host has things configured and the umask set, it is possible that newly created files do not get created with permissions that the web server can later write with.

The moral of this post is that maybe using 777 isn't the best approach. If possible find out what user and group the web server is running as and then change the owner or group of the file (or directory) to match, leaving the 644 permission instead of giving 'everyone' the write permission.

It is confusing and complicated and the worst part is that you may never really know what user the web server is configured to run as which makes the whole permission puzzle that much more difficult.

glfusion/permission_tutorial.txt · Last modified: 2017/04/12 21:09 (external edit)

Page Tools