  #1 - Just Joined! (Join Date: Mar 2010, Posts: 9)

    Please Help Me Understand File Permissions


    My friend and I built a server and run it out of the data center he works in. It's more for fun than anything else since all the websites we run get virtually no traffic. So while security for us isn't a huge thing, I still want to learn more about it so we don't have problems in the future. We are running the latest Ubuntu.

    One of the problems we have consistently had is the file permissions. When I upload new files via FTP, the default permission setting is 600. Then I have to manually change the permissions to 775 or 777 to be able to view the files in the browser.

    Question 1:
    I know setting them to 777 is not the correct setting, so what should I be setting them at? Should different types of files have different settings?

    Question 2:
    How do I change the server so that the correct file permissions are assigned by default? Someone told me to change the umask settings, but that doesn't seem to do anything for files created via FTP.

  #2 - Trusted Penguin Irithori (Join Date: May 2009, Location: Munich, Posts: 3,412)
    1) one approach would be to set the owner to the apache user and the group to the ftp group.
    The general permissions would be
    - 460 for files
    - and 570 for directories

    You need write for ftp, but in general apache only reads.
    And you have these two services separated, which is also good from a security point of view.

    There might be directories, that apache needs to write to.
    For example, if php/perl/cgi/etc is used to generate files or uploads are done or webdav is used.
    For these purposes the target directories -not the ones with the .php/etc files - should get 770.


    2) probably the umask is not set, or is set too strict, for the environment your ftp daemon is started in.
    Which can (and should) be quite different from a regular user environment.

    Some ftp daemons offer control over user/group/permissions/umask in their config files.

    You might also consider dropping ftp altogether.
    Imho, it is a deprecated protocol that just survived because everyone is using it.
    It can be replaced with sftp or webdav.
    You must always face the curtain with a bow.
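The layout Irithori describes, owner = web server user, group = the FTP users' group, 460 on files, 570 on directories and 770 only where the web server itself must write, as an added example that is not part of the original thread. The script assumes Linux with GNU coreutils (stat -c, find -perm /). The user name www-data (Apache's account on Ubuntu; it is apache on CentOS) and the group name ftpusers are placeholders, and chown is only attempted when the script runs as root and both accounts exist, so the permission part can be tried on any scratch directory.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: apply the owner=web server /
# group=FTP users layout to a document root.
#   files       460  owner (web server) reads, FTP group reads+writes, world nothing
#   directories 570  owner lists/traverses, FTP group full access, world nothing
#   writable    770  upload/cache dirs the web server must write into (no world bits)
# Assumes Linux + GNU coreutils. WEB_USER / FTP_GROUP are placeholders.
set -euo pipefail

WEB_USER="${WEB_USER:-www-data}"   # Apache on Ubuntu; "apache" on CentOS/RHEL
FTP_GROUP="${FTP_GROUP:-ftpusers}" # hypothetical group holding the FTP accounts

# mode_of PATH -> permission bits in octal, e.g. 460
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"   # GNU stat, then BSD stat
}

# set_web_perms DOCROOT [WRITABLE_DIR ...]
set_web_perms() {
    local root="$1"; shift
    # chown needs root and real accounts; skip silently otherwise so the
    # permission logic can still be exercised on a scratch tree.
    if [ "$(id -u)" -eq 0 ] \
        && getent passwd "$WEB_USER" >/dev/null \
        && getent group "$FTP_GROUP" >/dev/null; then
        chown -R "$WEB_USER:$FTP_GROUP" "$root"
    fi
    # Directories first so the tree stays traversable while we work.
    find "$root" -type d -exec chmod 570 {} +
    find "$root" -type f -exec chmod 460 {} +
    local d
    for d in "$@"; do
        chmod 770 "$d"   # web server may write here; world still gets nothing
    done
}

# check_world_bits PATH -> success only if nothing under PATH has any "other" bit
check_world_bits() {
    # -perm /007 matches entries with any of the other r/w/x bits set
    [ -z "$(find "$1" -perm /007 -print -quit)" ]
}

# demo: build a throwaway site tree, apply the scheme, show the result, clean up
demo() {
    local tmp; tmp="$(mktemp -d)"
    mkdir -p "$tmp/site/uploads"
    echo '<?php echo "hi"; ?>' > "$tmp/site/index.php"   # constructed sample content
    set_web_perms "$tmp/site" "$tmp/site/uploads"
    printf '%s %s\n' "$(mode_of "$tmp/site")" site \
                     "$(mode_of "$tmp/site/index.php")" index.php \
                     "$(mode_of "$tmp/site/uploads")" uploads
    check_world_bits "$tmp/site" && echo "no world-accessible entries"
    chmod -R u+rwx "$tmp" && rm -rf "$tmp"   # 570 dirs cannot be emptied otherwise
}
demo
```

Run it once against a copy of the document root before pointing it at the live one; note that because the directories end up 570, anything that later needs to delete or rename entries must act as the FTP group or as root, which is exactly the separation the post is after.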

  #3 - Just Joined! (Join Date: May 2005, Location: Palmdale, Ca, Posts: 9)

    Permissions 101

    Google "unix permissions" and have a learning experience.

    This stuff is best done in a terminal with such old-school stuff as ls -a and ls -l and the always hated man pages. With chmod and chown, you can either screw yourself, or everyone else.
    HTH!

  #4 - Just Joined! (Join Date: Feb 2009, Posts: 14)
    Changing Permissions - Symbolic Method

    ● To change access modes:
    chmod [-R] mode file
    ● Where mode is:
    u,g or o for user, group and other
    + or - for grant or deny
    r, w or x for read, write and execute
    ● Examples:
    ugo+r: Grant read access to all
    o-wx: Deny write and execute to others
    ex: chmod +x file1 - will make file executable


    Changing Permissions - Numeric Method

    ● Uses a three-digit mode number
    first digit specifies owner's permissions
    second digit specifies group permissions
    third digit represents others' permissions
    ● Permissions are calculated by adding:
    4 (for read)
    2 (for write)
    1 (for execute)
    ● Example:
    chmod 640 myfile

    *when setting executable permission, remember to include "read" as well as "execute" permission on the file.
    ex: chmod 755 myfile
    where 5 = 4 + 1


    Changing File Ownership
    ● Only root can change a file's owner
    ● Only root or the owner can change a file's group
    ● Ownership is changed with chown:
    chown [-R] user_name file|directory
    ● Group-Ownership is changed with chgrp:
    chgrp [-R] group_name file|directory

    ex: chown apache:apache /mydir/myfile
    * first apache is for user, and second apache is for group.

  #5 - Just Joined! (Join Date: Dec 2009, Location: California, Posts: 98)
    Ok, as for unix permissions, I've found the easiest way to remember this is using binary. There are 12 different bits, each representing a different permission on the file or directory. They are

    sstrwxrwxrwx

    The first three are setuid, setgid and sticky bit - I can explain these if you want, but they are irrelevant to the ftp discussion (except perhaps setgid on directories in your ftp directory structure).

    So that leaves us with 9 different permissions:
    rwxrwxrwx, which are divided into three groups: the first for the owner of the file, the second for users who are part of the group associated with the file and the third for everyone else.
    Let's stick with files and avoid talking about directories, as things get a bit confusing there. Clearly read permission lets you look at the contents of a file, write permission lets you write to the file and execute permission tells the shell that the file can be run as a program.

    As the people above mentioned, you can set permissions either with symbols:
    $ chmod u+x foobar

    or with octal. Now, as I mentioned, it's binary: each of the permissions is either set or not. If you want it set, then put a 1 in the position, and if you don't, put a zero.

    Assume we want the file to be readable by everyone, and writeable by the owner (very common):

    The perms would be:
    rw-r--r--
    110100100
    Now, convert each of the sets of three from binary to Octal:
    user = 110 = 6
    group= 100 = 4
    other = 100 = 4
    So, the command to set this would be:
    $ chmod 644 foobar

    Now, to get to the umask. The default permissions are 777 for directories and 666 for files, both modified by the umask. The umask is not subtracted from the permissions, it "masks" them.

    Here is an example. Lets assume I have my umask set to 022 (octal).

    remember my default perms are 666 for a file which is represented as:
    rw-rw-rw-
    110110110

    Just stick the umask in binary under this and move each bit on top to the result. The result is a one unless there is a one in the corresponding position in the umask, in which case, it's a zero.

    110110110
    000010010
    --------------
    110100100
    rw-r--r--

    So, as you can see, the result is 644....

    Same thing applies to directories....

    As for question #2, Can you tell me which ftp server you are running?

    I run vsftpd and it has a config file /etc/vsftpd/vsftpd.conf

    Most of the items in there are self explanatory but I had to add the following to mine:
    write_enable=YES
    #AWB
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES
    anon_upload_enable=YES
    anon_umask=022

    Notice that the umask is set to 022... which will result in publicly readable files so that apache can serve them.
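The masking rule from this post, carried through in code as an added example that is not from the thread. It computes mode & ~umask for the 666/777 defaults, shows where the "subtraction" mental model gives a wrong answer, prints the result in the same rw-r--r-- notation the post uses, and creates a real file under a given umask so the arithmetic can be checked against what the kernel actually does. It also shows that the 600 the original poster sees is exactly 666 masked by 077, which is vsftpd's default for both local_umask and anon_umask; the config above only changes the anonymous umask (and the anon_* lines enable anonymous write access, a separate decision), so for uploads by local FTP accounts the option to set is local_umask. Assumes bash and GNU coreutils (stat -c).

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: how a umask is applied.
# The kernel computes mode & ~umask, i.e. it clears the bits that are set in
# the umask; it never subtracts. observe_umask creates a real file or directory
# under a given umask so the arithmetic can be checked against the kernel.
# Assumes bash and GNU coreutils (stat -c).
set -euo pipefail

# apply_umask MODE UMASK -> effective mode, octal in and out: 666 022 -> 644
apply_umask() {
    printf '%03o\n' $(( (8#$1 & ~8#$2) & 8#7777 ))
}

# subtract_umask MODE UMASK -> what naive subtraction gives. Wrong whenever the
# umask has a bit the mode lacks: 666 111 -> 555, although nothing should change.
subtract_umask() {
    printf '%03o\n' $(( 8#$1 - 8#$2 ))
}

# octal_to_symbolic MODE -> ls-style string, 644 -> rw-r--r--
octal_to_symbolic() {
    local table=(--- --x -w- -wx r-- r-x rw- rwx)
    local mode i out=""
    mode="$(printf '%03o' $(( 8#$1 & 8#777 )))"
    for i in 0 1 2; do
        out+="${table[${mode:i:1}]}"
    done
    printf '%s\n' "$out"
}

# observe_umask UMASK file|dir -> mode the kernel really assigns to a new entry
observe_umask() {
    local tmp target
    tmp="$(mktemp -d)"
    if [ "$2" = dir ]; then target="$tmp/d"; else target="$tmp/f"; fi
    # the umask is changed in a subshell so the caller's umask is untouched
    ( umask "$1"; if [ "$2" = dir ]; then mkdir "$target"; else : > "$target"; fi )
    stat -c '%a' "$target"
    chmod -R u+rwx "$tmp" && rm -rf "$tmp"
}

# show_umask UMASK -> one line with the file (666) and directory (777) results
show_umask() {
    local f d
    f="$(apply_umask 666 "$1")"; d="$(apply_umask 777 "$1")"
    printf 'umask %s: files %s (%s), dirs %s (%s)\n' \
        "$1" "$f" "$(octal_to_symbolic "$f")" "$d" "$(octal_to_symbolic "$d")"
}

show_umask 022   # 644 / 755: world-readable, what the web server needs
show_umask 077   # 600 / 700: the "600 via FTP" from the first post
show_umask 027   # 640 / 750: readable by the group only
printf '666 masked by 111 = %s; subtraction would say %s\n' \
    "$(apply_umask 666 111)" "$(subtract_umask 666 111)"
printf 'kernel check: umask 077 gives a new file %s\n' "$(observe_umask 077 file)"
```

The umask only decides the mode of files the daemon creates; it does nothing for files that already exist, which is why changing it does not fix a tree that was uploaded earlier under 077.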

  #6 - Just Joined! (Join Date: Jul 2010, Location: Myrtle Beach, SC, Posts: 3)

    question on this topic

    Setup:
    CentOS
    Apache 2.0
    VPS

    I have been messing with the file permissions and I have an image upload directory set to owner:group -> apache:ftpusergroup with permissions of 750, and the directory is performing perfectly. Is this setup safe to run?

    I heard somewhere that it is not favorable to have apache own files. Is this true? If so, why?

  #7 - Just Joined! (Join Date: Feb 2009, Posts: 14)
    hi BizLab

    in order for apache to function, it must have the ability to read/write the relevant files.
    Setting the owner to apache is the best way, since the opposite is to set "others" to allow read/write, which from a security perspective is unacceptable.

    also, 750 means the following permissions:

    apache user/program - will have read/write/execute
    ftpusergroup: - read / execute
    others/world: - none

    also, if you are running CentOS linux, it is wise to enable SELinux to have improved security.
    Of course, that is if this is a production system and you have practiced SELinux before and know how to operate it.
