Results 1 to 7 of 7
My friend and I built a server and run it out of the data center he works in. Its more for fun than anything else since all the websites we ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
- 07-09-2010 #1
- Join Date
- Mar 2010
Please Help Me Understand File Permissions
My friend and I built a server and run it out of the data center he works in. Its more for fun than anything else since all the websites we run get virtually no traffic. So while security for us isn't a huge thing, I still want to learn more about it so we don't have problems in the future. We are running the latest Ubuntu.
One of the problems we have consistently had is the file permissions. When I upload new files via FTP, the default permission setting is 600. Then I have to manually change the permissions to 775 or 777 to be able to view the files in the browser.
I know setting them to 777 is not the correct setting, so what should I be setting them at? Should different types of files have different settings?
How do I change the server so that the correct file permissions as assigned by default? Someone told me to change the umask settings, but that doesn't seem to do anything for files created via FTP.
- 07-09-2010 #2
1) one approach would be to set the owner to the apache user and the group to the ftp group.
The general permissions would be
- 460 for files
- and 570 for directories
You need write for ftp, but in general apache only reads.
And you have these two services separated, which is also good from a security point of view.
There might be directories, that apache needs to write to.
For example, if php/perl/cgi/etc is used to generate files or uploads are done or webdav is used.
For these purposes the target directories -not the ones with the .php/etc files - should get 770.
2) probably the umask is not set or set to strict for the environment your ftp daemon is started in.
Which can (and should) be quite different to a regular user environment.
Some ftp daemons offer control over user/group/permissions/umask in their config files.
You might also consider dropping ftp altogether.
Imho, it is an deprecated protocol, that just survived, because everyone is using it.
It can be replaced with sftp or webdavYou must always face the curtain with a bow.
- 07-10-2010 #3
- Join Date
- May 2005
- Palmdale, Ca
Google "unix permissions' and have a learning experience.
This stuff is best done in a terminal with such old-school stuff as ls -a and ls -l and the always hated man pages. With chmod and chown, you can either screw yourself, or everyone else.
- 07-10-2010 #4
- Join Date
- Feb 2009
Changing Permissions - Symbolic
● To change access modes:
chmod [-R] mode file
● Where mode is:
u,g or o for user, group and other
+ or - for grant or deny
r, w or x for read, write and execute
ugo+r: Grant read access to all
o-wx: Deny write and execute to others
ex: chmod +x file1 - will make file executable
Changing Permissions - Numeric
● Uses a three-digit mode number
first digit specifies owner's permissions
second digit specifies group permissions
third digit represents others' permissions
● Permissions are calculated by adding:
4 (for read)
2 (for write)
1 (for execute)
chmod 640 myfile
*when setting executable permission, remeber to include "read" as well as "execute" permission on file.
ex: chmod 755 myfile
where 5 = 4 + 1
Changing File Ownership
● Only root can change a file's owner
● Only root or the owner can change a file's
● Ownership is changed with chown:
chown [-R] user_name file|directory
● Group-Ownership is changed with chgrp:
chgrp [-R] group_name file|directory
ex: chown apache:apache /mydir/myfile
* first apache is for user, and second apache is for group.
- 07-10-2010 #5
- Join Date
- Dec 2009
Ok, as for unix permissions, I've found the easiest way to remember this is using binary.... There are 12 different bits each representing a different permission on the file or directory. They are
The first three are setuid, setgid and sticky bit - I can explain these if you want, but they are irrelevant to the ftp discussion (except perhaps setgid on directories in your ftp directory structure).
So that leaves us with 9 different permissions:
rwxrwxrwx which are divided into three groups - the first for the owner of the file, the second for users who are part of the group associated with the file and the third for everyone else.
Lets stick with files and avoid talking about directories as things get a bit confusing there. Clearly read permission lets you look at the contents of a file, write permission lets you write to the file and execute permission tells the shell that the file can be run as a program.
As the people above mentioned, you can set permissions either with symbols:
$ chmod u+x foobar
or with octal. Now, as I mentioned, it's binary - each of the permissions is either set or not, if you want it set, then put in a 1 in the position and if you don't, but a zero.
Assume we want the file to be readable by everyone, and writeable by the owner (very common):
The perms would be:
Now, convert each of the sets of three from binary to Octal:
user = 110 = 6
group= 100 = 4
other = 100 = 4
So, the command to set this would be:
$ chmod 644 foobar
Now, to get to the umask. The default permissions are 777 for directories and 666 for files, both modified by the umask. The umask is not subtracted from the permissions, it "masks" them.
Here is an example. Lets assume I have my umask set to 022 (octal).
remember my default perms are 666 for a file which is represented as:
Just stick the umask in binary under this and move each bit on top to the result. The result is a one unless there is a one in the corresponding position in the umask, in which case, it's a zero.
So, as you can see, the result is 644....
Same thing applies to directories....
As for question #2, Can you tell me which ftp server you are running?
I run vsftpd and it has a config file /etc/vsftpd/vsftpd.conf
Most of the items in there are self explanatory but I had to add the following to mine:
Notice that the umask is set to 022... which will result in publicly readable files so that apache can serve them.
- 07-12-2010 #6
- Join Date
- Jul 2010
- Myrtle Beach, SC
question on this topic
I have been messing with the file permissions and i have an image upload directory set to owner:group -> apache:ftpusergroup with permissions of 750 and the directory is performing perfectly. Is this setup safe to run?
I heard somewhere that it is not favorable to have apache own files.. is this true? if so, why?
- 07-12-2010 #7
- Join Date
- Feb 2009
in order for apache to function, it must have ability to read/write to relevant files.
setting owner to apache is the best way, since the oposite is to set "others" to allow read/write, which in security perspective is unacceptable.
also, 750 means following permissions:
apache user/program - will have read/write/execute
ftpusergroup: - read / execute
others/world: - none
also, if you are running CentOS linux, it is wise to enable SElinux to have improved security.
Of course if this is a production system, and you have practiced SElinux before and know how to operate it.