Overview: File Permissions


  • Applies to: Most Linux servers
    • Difficulty: Medium to Hard
    • Time Needed: 20 minutes
    • Tools Required: SSH Access

READ ME FIRST

This article is provided as a courtesy; some of the material covered is outside the scope of support provided by (mt) Media Temple. Please take a moment to review the Statement of Support.

Introduction

All (mt) Media Temple hosting products (read: servers) run some form of Linux. This article aims to go over some of the basics of file permissions. This is by no means a definitive and/or all-inclusive guide. Having said that, the concepts discussed should be applicable to most Linux systems, including our Grid, DV server, and (ve) Server.

Summary

Proper file permissions are an extremely important part of ensuring that your website is secure.

Determining the correct file permissions for any specific file requires one to know what type of information contained in the file and the purpose of that information. While it is impossible to give a generic answer that cover all use cases, you should follow these basic guidelines for files that reside in a web accessible location.

Getting Started

On a Linux-based system that is typical of web hosting services, file permissions are granted based on three categories:

  • user - A specific account on the hosting system. You can think of this in general as the person who uploaded or created the file.
  • group - group refers to a specific selection of one or more user. Every user belongs one default group.
  • other - other refers to any other account on the hosting system.

Each of these category can be granted access to preform the following actions on a file:

  • read - The ability to view the contents of a file or directory.
  • write - The ability to change the contents of a file or directory.
  • execute - The ability to ask the server to treat the file as a program.

Rule of Least Permissive

Never allow more access to a file than is absolutely necessary.

Directories or Folders

Only the user that a directory or folder belongs to should have write access. Everyone else should have read and execute permissions.

Sample command:

chmod 755 wp-content

Static Content

Document, image, video, and audio files all fall into the category of static content. The extension of a file can indicate if it is static content. Here is a list of some extensions that typically indicate a file is static content:

  • .html
  • .htm
  • .jpeg
  • .jpg
  • .gif
  • .png
  • .css
  • .js
  • .mpeg
  • .mgp
  • .mp3
  • .avi
  • .txt
  • .doc
  • .pdf

There are many more, but this is good starting point.

Only the user a static content file belongs to should have write access. Everyone else should have read permission. execute permissions are not harmful, but following the rule of least permissive, we don't want to grant that access.

Sample command:

chmod 644 index.html

Dynamic Content

Scripts or binaries that run on the server and generate web pages fall into the category of dynamic content. If you are using WordPress or some other CMS (content management system) for blogging, it falls into this category. Here is a list of some file extensions that indicate dynamic content:

  • .php
  • .php4
  • .php5
  • .cgi
  • .pl
  • .py
  • .rb

The user a dynamic content file belongs to should have read, write, and execute permissions. Nobody else should need any other permissions. The rule of least permissive is extremely important when it comes to these types of files as they often contain sensitive information such as database passwords.

Sample command:


chmod 700 script.php

Caveats

Every web hosting service is different. Much of this article was written with the Grid in mind. While the basic concepts are the same across many platforms, you will run into some differences. If you find yourself in that situation, fall back on the "Rule of Least Permissive".

Shell Scripts to Set Basic Permissions

Please note: These examples are only provided as a courtesy. Use them at your own risk.

This one looks for files with specific suffixes and changes them to a permissions level of 644.


find . -type f \( -iname '*.css' \-or -iname '*.htm*' \-or -iname '*.jpeg' \-or -iname '*.jpg' \-or -iname '*.gif' \-or -iname '*.png' \-or -iname '*.js' \-or -iname '*.mpeg' \-or -iname '*.mpg' \-or -iname '*.mp3' \-or -iname '*.avi' \-or -iname '*.txt' \-or -iname '*.doc' \-or -iname '*.pdf' \) -exec chmod 644 {} \;

This one looks for dynamic files (e.g., PHP scripts); it changes the ones it finds to a permissions level of 700.


find . -type f \( -iname '*.php*' \-or -iname '*.cgi' \-or -iname '*.pl' \-or -iname '*.py' \-or -iname '*.rb' \) -exec chmod 700 {} \;

Here is a handy script to change all directories on your filesystem to a permissions level of 755.


find . -type d -exec chmod 755 {} \;

Additional Resources