  1. #1

    Please Help Me Understand File Permissions

    My friend and I built a server and run it out of the data center he works in. It's more for fun than anything else since all the websites we run get virtually no traffic. So while security for us isn't a huge thing, I still want to learn more about it so we don't have problems in the future. We are running the latest Ubuntu.

    One of the problems we have consistently had is the file permissions. When I upload new files via FTP, the default permission setting is 600. Then I have to manually change the permissions to 775 or 777 to be able to view the files in the browser.

    Question 1:
    I know setting them to 777 is not the correct setting, so what should I be setting them at? Should different types of files have different settings?

    Question 2:
    How do I change the server so that the correct file permissions are assigned by default? Someone told me to change the umask settings, but that doesn't seem to do anything for files created via FTP.

  2. #2
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    1) one approach would be to set the owner to the apache user and the group to the ftp group.
    The general permissions would be
    - 460 for files
    - and 570 for directories

    You need write for ftp, but in general apache only reads.
    And you have these two services separated, which is also good from a security point of view.

    There might be directories, that apache needs to write to.
    For example, if php/perl/cgi/etc is used to generate files or uploads are done or webdav is used.
    For these purposes the target directories -not the ones with the .php/etc files - should get 770.

    2) probably the umask is not set or set too strict for the environment your ftp daemon is started in.
    Which can (and should) be quite different to a regular user environment.

    Some ftp daemons offer control over user/group/permissions/umask in their config files.

    You might also consider dropping ftp altogether.
    Imho, it is a deprecated protocol, that just survived, because everyone is using it.
    It can be replaced with sftp or webdav.
    You must always face the curtain with a bow.
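
The layout described in reply #2, as an added example that is not part of the original post: it applies 460/570/770 to a constructed sample tree and lists anything still accessible to "others". The function names and the sample tree are assumptions; changing the owner and group needs root and is left out.

```shell
#!/bin/sh
# Added example: apply the 460 / 570 / 770 layout to a tree, then audit it.

# lock_down ROOT [WRITABLE_DIR...] : sets modes only. Ownership (web server
# user as owner, ftp group as group) needs root and is left to the operator.
lock_down() {
    root=$1; shift
    find "$root" -type d -exec chmod 570 {} +
    find "$root" -type f -exec chmod 460 {} +
    # Only directories the web server must write to (uploads etc.) get 770.
    for d in "$@"; do chmod 770 "$d"; done
}

# world_accessible ROOT : print every entry that grants any bit to "others".
world_accessible() {
    find "$1" \( -perm -001 -o -perm -002 -o -perm -004 \)
}

# build_sample DIR : constructed web root with the 777 habit from the question.
build_sample() {
    mkdir -p "$1/uploads" "$1/inc"
    echo '<h1>hi</h1>' > "$1/index.html"
    echo '<?php // settings' > "$1/inc/config.php"
    chmod 777 "$1" "$1/uploads" "$1/index.html"
    chmod 644 "$1/inc/config.php"
}

demo=$(mktemp -d)
build_sample "$demo/site"
echo "before:"; world_accessible "$demo/site"
lock_down "$demo/site" "$demo/site/uploads"
echo "after (should be empty):"; world_accessible "$demo/site"
chmod -R u+w "$demo" && rm -rf "$demo"   # 570 directories block deletion
```
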

  3. #3
    Just Joined!
    Join Date
    May 2005
    Palmdale, Ca

    Permissions 101

    Google "unix permissions" and have a learning experience.

    This stuff is best done in a terminal with such old-school stuff as ls -a and ls -l and the always hated man pages. With chmod and chown, you can either screw yourself, or everyone else.

  5. #4
    Changing Permissions - Symbolic

    ● To change access modes:
    chmod [-R] mode file
    ● Where mode is:
    u,g or o for user, group and other
    + or - for grant or deny
    r, w or x for read, write and execute
    ● Examples:
    ugo+r: Grant read access to all
    o-wx: Deny write and execute to others
    ex: chmod +x file1 - will make file executable

    Changing Permissions - Numeric

    ● Uses a three-digit mode number
    first digit specifies owner's permissions
    second digit specifies group permissions
    third digit represents others' permissions
    ● Permissions are calculated by adding:
    4 (for read)
    2 (for write)
    1 (for execute)
    ● Example:
    chmod 640 myfile

    *when setting executable permission, remember to include "read" as well as "execute" permission on file.
    ex: chmod 755 myfile
    where 5 = 4 + 1

    Changing File Ownership
    ● Only root can change a file's owner
    ● Only root or the owner can change a file's
    ● Ownership is changed with chown:
    chown [-R] user_name file|directory
    ● Group-Ownership is changed with chgrp:
    chgrp [-R] group_name file|directory

    ex: chown apache:apache /mydir/myfile
    * first apache is for user, and second apache is for group.

  6. #5
    Just Joined!
    Join Date
    Dec 2009
    Ok, as for unix permissions, I've found the easiest way to remember this is using binary.... There are 12 different bits each representing a different permission on the file or directory. They are


    The first three are setuid, setgid and sticky bit - I can explain these if you want, but they are irrelevant to the ftp discussion (except perhaps setgid on directories in your ftp directory structure).

    So that leaves us with 9 different permissions:
    rwxrwxrwx which are divided into three groups - the first for the owner of the file, the second for users who are part of the group associated with the file and the third for everyone else.
    Let's stick with files and avoid talking about directories as things get a bit confusing there. Clearly read permission lets you look at the contents of a file, write permission lets you write to the file and execute permission tells the shell that the file can be run as a program.

    As the people above mentioned, you can set permissions either with symbols:
    $ chmod u+x foobar

    or with octal. Now, as I mentioned, it's binary - each of the permissions is either set or not, if you want it set, then put in a 1 in the position and if you don't, put a zero.

    Assume we want the file to be readable by everyone, and writeable by the owner (very common):

    The perms would be:
    Now, convert each of the sets of three from binary to Octal:
    user = 110 = 6
    group= 100 = 4
    other = 100 = 4
    So, the command to set this would be:
    $ chmod 644 foobar

    Now, to get to the umask. The default permissions are 777 for directories and 666 for files, both modified by the umask. The umask is not subtracted from the permissions, it "masks" them.

    Here is an example. Let's assume I have my umask set to 022 (octal).

    remember my default perms are 666 for a file which is represented as:

    Just stick the umask in binary under this and move each bit on top to the result. The result is a one unless there is a one in the corresponding position in the umask, in which case, it's a zero.


    So, as you can see, the result is 644....

    Same thing applies to directories....

    As for question #2, Can you tell me which ftp server you are running?

    I run vsftpd and it has a config file /etc/vsftpd/vsftpd.conf

    Most of the items in there are self explanatory but I had to add the following to mine:

    Notice that the umask is set to 022... which will result in publicly readable files so that apache can serve them.
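
The masking rule from reply #5, as an added example that is not part of the original post: it compares octal subtraction with the real bitwise mask and then creates actual files and directories under each umask. The function names are assumptions; 022 is the value from the post, 077 reproduces the 600 reported in the first post, and 027 and 033 are constructed cases.

```shell
#!/bin/sh
# Added example: a umask clears bits (AND NOT); it is not octal subtraction.

# apply_umask BASE MASK -> BASE & ~MASK, all values octal (666 022 -> 644)
apply_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# naive_subtract BASE MASK -> BASE - MASK in octal, the common wrong model
naive_subtract() {
    printf '%03o\n' $(( 0$1 - 0$2 ))
}

# created_mode MASK file|dir -> create a real object under that umask and
# print the mode it received (stat -c is GNU coreutils, as on Ubuntu)
created_mode() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        if [ "$2" = dir ]; then mkdir "$tmp/obj"; else : > "$tmp/obj"; fi
    )
    stat -c '%a' "$tmp/obj"
    rm -rf "$tmp"
}

# Columns: umask, 666 minus umask, 666 masked, real file mode, real dir mode.
# For 027 and 033 the subtraction column disagrees with what is created.
printf '%-6s %-10s %-10s %-10s %s\n' umask subtract mask file dir
for m in 022 027 033 077; do
    printf '%-6s %-10s %-10s %-10s %s\n' "$m" \
        "$(naive_subtract 666 "$m")" "$(apply_umask 666 "$m")" \
        "$(created_mode "$m" file)" "$(created_mode "$m" dir)"
done
```
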

  7. #6
    Just Joined!
    Join Date
    Jul 2010
    Myrtle Beach, SC

    question on this topic

    Apache 2.0

    I have been messing with the file permissions and i have an image upload directory set to owner:group -> apache:ftpusergroup with permissions of 750 and the directory is performing perfectly. Is this setup safe to run?

    I heard somewhere that it is not favorable to have apache own files.. is this true? if so, why?

  8. #7
    hi BizLab

    in order for apache to function, it must have ability to read/write to relevant files.
    setting owner to apache is the best way, since the opposite is to set "others" to allow read/write, which in security perspective is unacceptable.

    also, 750 means following permissions:

    apache user/program - will have read/write/execute
    ftpusergroup: - read / execute
    others/world: - none

    also, if you are running CentOS linux, it is wise to enable SELinux to have improved security.
    Of course if this is a production system, and you have practiced SELinux before and know how to operate it.
