Are C5 files installed with appropriate permissions by default?
Permalink
Just finished up my first web site using C5 v5.5, but as a unix noob, I just want to know that file security is set correctly. Does the default install set php file security appropriately? With my new php files in the theme folder, I have found all kinds of security on them, including
0755
0745
0705
0704
0644
0605
0604
I'm not sure why they all came out different. Should all php files be set for 755? Why is read almost always allowed? Things seem to work even if set for public to execute only (no read) or vice versa, read but no execute.
TIA
0755
0745
0705
0704
0644
0605
0604
I'm not sure why they all came out different. Should all php files be set for 755? Why is read almost always allowed? Things seem to work even if set for public to execute only (no read) or vice versa, read but no execute.
TIA
Anybody home?
I'm not sure whether you're not sure what those numbers refer to but as you said that you're "a unix noob", I'll briefly add here what they mean and then answer to your question.
The number orders in the 0755 is (do not care about the first number): owner, group, others.
4 = read (r)
2 = write (w)
1 = execute (x)
0 = no permission (-)
E.g. read+write+execute = 4+2+1=7
E.g. read+write = 4+2=6
E.g. read = 4
Why are they different: probably because you've had different linux users modifying different files and probably the original permissions have been 755 for your whole installation folder.
What you should have there: depends on where you're moving your site.
- If you have total control over the system, it is PROBABLY fine if you set the permissions to 755
- If you're setting up a shared hosting environment, I'd suggest disabling everything for OTHERS. However, some cheaper shared hosts might be setup so that the web process requires others access. Also, on some shared hosts all the accounts might belong to the group that is set for those files, so leaving access for groups makes no difference as leaving access for OTHERS
- The most secure way (you must be quite concerned in this situation) would be to allow the web server process to
a) read all the files in your concrete5 installation
b) read+write at least to directories files/ and packages/ (post-install, some functionality might also need access to other locations as well)
c) read+execute the scripts that need to be executed (e.g. /concrete/libraries/3rdparty/htmldiff.py <-- this is usually enough, but again depends on your setup)
I know there might also be others arguing what I've written here (and most likely there will) but I just hope you can grab the idea here:
There is not a single "right answer" to your question, it all depends on which kind of environment your setting up your site. Usually you should be mostly concerned about these issues when you have a shared hosting environment.
Best,
Antti / Mainio
The number orders in the 0755 is (do not care about the first number): owner, group, others.
4 = read (r)
2 = write (w)
1 = execute (x)
0 = no permission (-)
E.g. read+write+execute = 4+2+1=7
E.g. read+write = 4+2=6
E.g. read = 4
Why are they different: probably because you've had different linux users modifying different files and probably the original permissions have been 755 for your whole installation folder.
What you should have there: depends on where you're moving your site.
- If you have total control over the system, it is PROBABLY fine if you set the permissions to 755
- If you're setting up a shared hosting environment, I'd suggest disabling everything for OTHERS. However, some cheaper shared hosts might be setup so that the web process requires others access. Also, on some shared hosts all the accounts might belong to the group that is set for those files, so leaving access for groups makes no difference as leaving access for OTHERS
- The most secure way (you must be quite concerned in this situation) would be to allow the web server process to
a) read all the files in your concrete5 installation
b) read+write at least to directories files/ and packages/ (post-install, some functionality might also need access to other locations as well)
c) read+execute the scripts that need to be executed (e.g. /concrete/libraries/3rdparty/htmldiff.py <-- this is usually enough, but again depends on your setup)
I know there might also be others arguing what I've written here (and most likely there will) but I just hope you can grab the idea here:
There is not a single "right answer" to your question, it all depends on which kind of environment your setting up your site. Usually you should be mostly concerned about these issues when you have a shared hosting environment.
Best,
Antti / Mainio
Thanks very much for your reply Mainio. I'm a little confused when it comes to permissions on the php files. I believe I understand the meanings of the numbers, such as 755, what confuses me is how to make sure the web server has access while "others" don't. My assumption is that the "owner" is based on my login credentials on my ISP's hosting environment, and that the permissions on a file apply to other logins as well as the web server... is that not correct? Example: If I have a php file with a SQL statement in it that I want the web server to execute, but I do not want anyone else to be able to view or list. What should I set the permissions to so that 1) only I can view/edit it, 2) the web server can execute it, and 3) nobody else can view/list it? Would that be 700? What if my ISP requires the ability to read it or write to it as well... what would the permission be for the file then?
Thanks in advance
Thanks in advance
