
What is the meaning of 644 for PHP files?

Posted: Thu Aug 02, 2007 1:32 am
by b0n3m4n
Short question from a permission n00b.

I understand that 755 is the standard mode for folders because "execute" means it is possible to open them, so everyone is allowed to open.

Now for files the standard is 644 which means the file is publicly visible, not writable, not executable.

Two questions about what that means for php files:

1) If the file is publicly visible, does it mean that anyone can see the php code or does it only mean that anyone can see the results of the php code?

2) What would happen if the php file were made publicly executable (755)? What does "executable" mean in that regard?

Can anyone clear that up for me?

Thanks,
Cerno

Re: What is the meaning of 644 for PHP files?

Posted: Thu Aug 02, 2007 2:13 am
by calguy1000
755 means read, write and execute for owner, read and execute for the group that that file belongs to, and read and execute for 'others'.

644 means read, write for owner, read for the group that that file belongs to, and read for others.

Now.... with respect to php files..... it is my experience that most web processors 'read' the file into memory, and then interpret it, they don't execute it in its own shell. Therefore there is no need to give the execute bit to any php files. Hence the execute bit is meaningless when it comes to php files.

Now, it's your web server that knows when somebody is requesting http://www.somedomain.com/something.php that it should throw the contents of that file through the php interpreter.

Re: What is the meaning of 644 for PHP files?

Posted: Thu Aug 02, 2007 11:40 am
by b0n3m4n
I see. Thanks for the insight.

Just a last question about security.

When I set all my files in cmsms to 644 and all directories to 755 (with the exception of the files mentioned in the installation) is there any danger?

I'm asking because I nearly went insane after installing modules when I was unable to write to the modules folder due to the owner being wwwrun. I could change the owner to "myaccount" but then the site showed errors. So what I did first was to change the owner to myaccount, upload the files, change the owner back to wwwrun. A real pain. Then it dawned on me that I could leave all module files as "myaccount" if I changed all the file permissions to 644, they were 640 before.

Of course now, all files are publicly readable. Is that a problem?

Re: What is the meaning of 644 for PHP files?

Posted: Fri Aug 03, 2007 12:41 am
by calguy1000
'publicly readable' means 'readable by all users of that machine' (of which wwwrun is one).

That's the big lesson there..... wwwrun (in your case) is the user id that is running the webserver. It can read the files that are marked as 644.... but that doesn't mean that everybody in the world can.... as they (probably, and let's hope they don't) have access to the machine.

Okay... so..... if you want to secure your permissions to 640 instead of 644 you have to make sure that your user account, and wwwrun are in the same (default.... we'll get to this later) group.  Otherwise, you have to rely on the 'other' permissions.

try 'id wwwrun'
and 'id myaccount'

to see if the 'gid's match.  if they match, you're golden.  if they don't.... well then you have to rely on the 'other' section.
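
An added example, not part of the original thread: a minimal Python model of the owner/group/other check described above, showing when 640 works for wwwrun and when only the 'other' bits apply. It also models the search (x) bit on the enclosing directory. The uid/gid numbers and the file and directory names are constructed; wwwrun and myaccount are the account names from the thread.

```python
import stat

# Constructed ids for illustration; real values come from `id wwwrun` / `id myaccount`.
WWWRUN = {"uid": 30, "gids": {8}}          # web server account, group "www"
MYACCOUNT = {"uid": 1001, "gids": {100}}   # upload account, group "users"

def perm_class(user, st_uid, st_gid):
    """Pick the single class whose bits apply: owner, else group, else other."""
    if user["uid"] == st_uid:
        return "owner"
    if st_gid in user["gids"]:
        return "group"
    return "other"

def allowed(user, mode, st_uid, st_gid, want):
    """True if `user` holds every permission in `want` (a subset of 'rwx').
    The root bypass (uid 0) is deliberately not modelled."""
    shift = {"owner": 6, "group": 3, "other": 0}[perm_class(user, st_uid, st_gid)]
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return ((mode >> shift) & need) == need

def can_read(user, path):
    """path: [(name, mode, st_uid, st_gid), ...], directories first, file last.
    Opening the file needs search (x) on each directory and read (r) on the file."""
    *dirs, leaf = path
    if not all(allowed(user, m, o, g, "x") for _, m, o, g in dirs):
        return False
    return allowed(user, leaf[1], leaf[2], leaf[3], "r")

def site(file_mode, dir_mode=0o755, gid=100):
    """A constructed PHP file uploaded by myaccount, inside a directory it also owns."""
    return [("modules", dir_mode, 1001, gid), ("example.php", file_mode, 1001, gid)]

if __name__ == "__main__":
    # (file mode, directory mode, group id on file and directory)
    for fm, dm, gid in [(0o644, 0o755, 100), (0o640, 0o755, 100),
                        (0o640, 0o750, 8), (0o644, 0o750, 100)]:
        label = stat.filemode(stat.S_IFREG | fm)
        print(label, oct(dm), "gid", gid, "->", can_read(WWWRUN, site(fm, dm, gid)))
```
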

Re: What is the meaning of 644 for PHP files?

Posted: Sat Aug 04, 2007 9:40 am
by b0n3m4n
calguy1000 wrote: 'publicly readable' means 'readable by all users of that machine' (of which wwwrun is one).

That's the big lesson there..... wwwrun (in your case) is the user id that is running the webserver. It can read the files that are marked as 644.... but that doesn't mean that everybody in the world can.... as they (probably, and let's hope they don't) have access to the machine.

Uh, now I'm confused. What exactly do you mean by "access to the machine"? I thought publicly readable means explicitly "readable by everyone who uses a browser and types in the correct address to the file". Isn't that "access to the machine"? Or do you mean direct access to the server without the webserver interface? Where lies the definition to discern between "anyone is allowed to read a 644 text file" and "not anyone may read the code of a 644 .js script file" via a browser?

Okay... so..... if you want to secure your permissions to 640 instead of 644 you have to make sure that your user account, and wwwrun are in the same (default.... we'll get to this later) group. Otherwise, you have to rely on the 'other' permissions.

try 'id wwwrun'
and 'id myaccount'

Since I don't have actual access to the server via command line I cannot use the id command, but my FTP tool shows me the user groups which are the same, so I'll try setting everything to 640. But again, security-wise, what is the exact difference there between 644 and 640 in terms of public access (via web browser)? Could you give an example?

Thanks a lot for the help!
Janbiel

Re: What is the meaning of 644 for PHP files?

Posted: Sat Aug 04, 2007 10:17 am
by b0n3m4n
Addendum: I have tried setting all files to 640 and as a result the website does not run correctly anymore, although wwwrun and my user name are inside the same group. I get the now probably famous error Failed opening required '/www/htdocs/w0089701/sandkasten/lib/misc.functions.php' (include_path='.:/usr/share/php:..') in /www/htdocs/w0089701/sandkasten/include.php on line 48.

But never mind that. If you're sure that I don't open a mean security hole by setting all file permissions to 644, then I'll just leave it at that.

Could you answer my previous questions anyway?

Much obliged!
Cerno