More about Unix/Linux file permissions
How many times have you read or heard that the fix for a non-working program/web solution is to change the file permissions to 666 (allow user & group & others global read+write) or 777 (global read+write+execute)?
TOO MANY!
Sorry, had to shout a bit. It is distressing to read such suggestions, and worse, readers of such advice may actually apply them. Linux users are becoming better informed, but this non-fix keeps showing up. Hopefully this post provides some clarity for Unix/Linux users about how to read, set and manage file permissions. Similar file restrictions exist in Microsoft (and other) environments; the specifics below are for Unix/Linux, but the underlying principle, grant a program only the access it needs, carries over.
The relevant items discussed below include:
- Unix/Linux Groups and Users
- Unix/Linux File and Directory Permissions
- Unix/Linux processes (running programs)
Each file or directory on a Unix/Linux system has an owning user and an owning group. A user may be a member of one or more groups. A newly created file gets the creating process's user as its owner and, on Linux, normally that process's primary group as its group (a setgid directory passes its own group on instead); both can be changed later with chown and chgrp. When listed (i.e. using the command ‘ls -l’), files and directories will show:
- the current USER (owner) and GROUP of the file, as well as the
- file permissions in place for the file,
- along with the size of the file and the file name.
The output of the ls -l command shows a listing in columns; the columns show:
- file type and permissions (owner, group, others),
- number of links,
- owner of file,
- group ‘owner’ of file,
- size in bytes,
- time stamp (usually the most recent modification time), and
- the file name.
Three listing sets follow: A) directories, B) executable files and C) data or other files. The special designations ‘d’ (directory) and ‘x’ (executable) are shown below; this post does not discuss other file types such as symbolic links or devices, nor the setuid/setgid/sticky bits (review the man pages for ls and chmod for additional information.)
# ls -l
(A) directories/folders [start with 'd']
drwxrwxrwx 2 some_user some_group 4096 2009-07-21 11:55 sample_dir.1 [777]
drwxrwxr-x 2 some_user some_group 4096 2009-07-21 11:55 sample_dir.2 [775]
drwxr-xr-x 2 some_user some_group 4096 2009-07-21 11:55 sample_dir.3 [755]
drwxr-x--- 2 some_user some_group 4096 2009-07-21 11:55 sample_dir.4 [750]
drwx------ 2 some_user some_group 4096 2009-07-21 11:55 sample_dir.5 [700]
(B) executable files [contain an 'x']
-rwxrwxrwx 1 some_user some_group 66 2009-07-21 11:53 sample_file.1 [777]
-rwxrwxr-x 1 some_user some_group 66 2009-07-21 11:53 sample_file.2 [775]
-rwxr-xr-x 1 some_user some_group 66 2009-07-21 11:53 sample_file.3 [755]
-rwxr-x--- 1 some_user some_group 66 2009-07-21 11:53 sample_file.4 [750]
-rwx------ 1 some_user some_group 66 2009-07-21 11:53 sample_file.5 [700]
(C) data or other files [no 'd' or 'x']
-rw-rw-rw- 1 some_user some_group 66 2009-07-21 12:06 sample_data.1 [666]
-rw-rw-r-- 1 some_user some_group 66 2009-07-21 12:06 sample_data.2 [664]
-rw-r--r-- 1 some_user some_group 66 2009-07-21 12:06 sample_data.3 [644]
-rw-r----- 1 some_user some_group 66 2009-07-21 12:06 sample_data.4 [640]
-rw------- 1 some_user some_group 66 2009-07-21 12:06 sample_data.5 [600]
In the example above the OWNER is some_user and the group is some_group. The first five items are directories (the mode column starts with the letter ‘d’.) The next five items are executable files and the last five items are data files; both kinds start with ‘-’ (a regular file) and differ only in whether any ‘x’ bit is set. The number in brackets is the octal form of the same nine permission bits: each group of three (owner, group, others) adds 4 for r, 2 for w and 1 for x.
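As an added example (not code from the original post), here is a pair of shell functions that convert between the mode column ls -l prints and the octal numbers shown in brackets above, in both directions. It goes one step beyond the post: real listings also show s, S, t and T in the execute column for the setuid, setgid and sticky bits, and the functions decode those into the leading digit of a four-digit octal mode. Only POSIX sh features are used.

```shell
#!/bin/sh
# Convert between the mode column printed by 'ls -l' and the octal numbers
# used with chmod, in both directions. Added example, not code from the post.
# Beyond the post: the setuid/setgid/sticky letters (s, S, t, T) that replace
# 'x' in real listings are decoded into the leading 4/2/1 digit.

# mode_to_octal 'drwxrwxr-x' -> 775      mode_to_octal '-rwsr-xr-x' -> 4755
# The leading file-type character (d, -, l, ...) may be present or omitted.
mode_to_octal() {
    m=$1
    case ${#m} in
        10) m=${m#?} ;;                 # drop the file-type character
        9)  ;;
        *)  printf 'mode_to_octal: expected 9 or 10 characters, got %s\n' "$1" >&2
            return 1 ;;
    esac
    special=0 digits='' who=0           # who: 0 = owner, 1 = group, 2 = others
    while [ -n "$m" ]; do
        r=$(printf '%.1s' "$m"); m=${m#?}
        w=$(printf '%.1s' "$m"); m=${m#?}
        x=$(printf '%.1s' "$m"); m=${m#?}
        d=0
        case $r in r) d=$((d + 4)) ;; esac
        case $w in w) d=$((d + 2)) ;; esac
        case $x in x|s|t) d=$((d + 1)) ;; esac   # lower-case s/t: special bit AND execute
        case $who$x in
            0s|0S) special=$((special + 4)) ;;   # setuid on the owner column
            1s|1S) special=$((special + 2)) ;;   # setgid on the group column
            2t|2T) special=$((special + 1)) ;;   # sticky on the others column
        esac
        digits=$digits$d
        who=$((who + 1))
    done
    if [ "$special" -ne 0 ]; then
        printf '%s%s\n' "$special" "$digits"
    else
        printf '%s\n' "$digits"
    fi
}

# octal_to_mode 775 -> rwxrwxr-x      octal_to_mode 1777 -> rwxrwxrwt
octal_to_mode() {
    o=$1
    case $o in
        [0-7][0-7][0-7])      special=0 ;;
        [0-7][0-7][0-7][0-7]) special=${o%???}; o=${o#?} ;;
        *) printf 'octal_to_mode: expected 3 or 4 octal digits, got %s\n' "$1" >&2
           return 1 ;;
    esac
    out='' who=0
    while [ -n "$o" ]; do
        d=$(printf '%.1s' "$o"); o=${o#?}
        case $d in 4|5|6|7) out=${out}r ;; *) out=${out}- ;; esac
        case $d in 2|3|6|7) out=${out}w ;; *) out=${out}- ;; esac
        x=0; case $d in 1|3|5|7) x=1 ;; esac
        # the execute column also carries setuid (owner), setgid (group), sticky (others)
        case $who in
            0) bit=$((special & 4)) ;;
            1) bit=$((special & 2)) ;;
            *) bit=$((special & 1)) ;;
        esac
        if [ "$bit" -ne 0 ]; then
            if [ "$who" -eq 2 ]; then letter=t; else letter=s; fi
            if [ "$x" -eq 0 ]; then letter=$(printf '%s' "$letter" | tr st ST); fi  # upper-case: no execute underneath
            out=$out$letter
        elif [ "$x" -ne 0 ]; then
            out=${out}x
        else
            out=${out}-
        fi
        who=$((who + 1))
    done
    printf '%s\n' "$out"
}

# Walk the modes from the listing above and print each with its octal value.
for mode in drwxrwxrwx drwxrwxr-x drwxr-xr-x drwxr-x--- drwx------ \
            -rw-rw-rw- -rw-rw-r-- -rw-r--r-- -rw-r----- -rw-------; do
    oct=$(mode_to_octal "$mode")
    printf '%s  %s  (back: %s)\n' "$mode" "$oct" "$(octal_to_mode "$oct")"
done
```

The capitalisation rule is the one ls uses: a lower-case s or t means the special bit is set on top of an execute bit, an upper-case S or T means the special bit is set but execute is not, which is almost always a mistake worth flagging in an audit.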
There are many scenarios for setting file and directory permissions, but in general you should set them to limit access. From the sets of files listed above the best file permission settings depend upon how your application works.
A typical Apache process runs as a specific, unprivileged user and group (i.e. with limited access to system resources.) In most cases you should be able to run your web application by giving the owner and group full access and limiting ‘others’ to read (and, for directories, search) access, as shown above for sample_dir.2 (775), sample_file.2 (775) and sample_data.2 (664). The more restrictive settings, where only the owner may write and group and ‘others’ are read-only (755 for directories and 644 for data files, the .3 examples above), are best in my opinion; they may not work for your environment, but 664 for files and 775 for directories should. Note that on a directory the ‘x’ bit means permission to traverse it (to look up the names inside it), so a directory without ‘x’ cannot be entered even if it is readable; that is why directories get 775/755 where files get 664/644.
To apply the group permission approach discussed above you use the chmod command, i.e.
- chmod 775 some_folder [owner and group have full control; others may list and traverse but not write]
- chmod 664 some_file [owner and group may read and write; others read-only]
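The following script is an added example, not part of the original post. It turns the advice above into a repeatable check: world_writable lists everything under a web root that ‘others’ can write, and apply_scheme applies either the group scheme (775/664) or the strict scheme (755/644) from the text. It uses only POSIX find and chmod, plus the GNU coreutils `stat -c %a` form in mode_of(); the sample tree built under mktemp is constructed for the demo and mirrors the 777/666 “non-fix” the post warns about.

```shell
#!/bin/sh
# Audit a tree for world-writable entries and apply the group (775/664) or
# strict (755/644) scheme from the post. Added example, not code from the post.
# Portable find/chmod; mode_of() uses GNU coreutils 'stat -c %a'.

# List world-writable files and directories under $1.
# Symlinks are skipped: a symlink's own mode is always 777 and never consulted.
world_writable() {
    find "$1" ! -type l -perm -o+w -print
}

# Number of world-writable entries under $1.
count_world_writable() {
    n=$(world_writable "$1" | wc -l)
    echo "$((n))"
}

# Octal mode of one path, e.g. 775 (GNU coreutils stat).
mode_of() {
    stat -c %a "$1"
}

# Apply a scheme to the whole tree rooted at $1.
#   group  -> directories 775, files 664 (files that are already executable: 775)
#   strict -> directories 755, files 644 (files that are already executable: 755)
# Capital X in a symbolic mode sets execute only on directories and on files
# that already have some execute bit, so scripts keep working and data files
# never become executable; a plain 'chmod 664' would strip x from every script.
apply_scheme() {
    root=$1
    case ${2:-group} in
        group)  g=rw ;;
        strict) g=r ;;
        *) echo "apply_scheme: scheme must be 'group' or 'strict'" >&2; return 2 ;;
    esac
    find "$root" -type d -exec chmod "u=rwx,g=${g}x,o=rx" {} +
    find "$root" -type f -exec chmod "u=rwX,g=${g}X,o=rX" {} +
}

# Constructed sandbox mirroring the post's listing: a 777 directory, a 666
# data file, a 777 script, plus a 700 directory and a 644 file that are
# already fine. Prints the sandbox path; the caller removes it.
make_sandbox() {
    d=$(mktemp -d)
    mkdir "$d/sample_dir.1" "$d/sample_dir.5"
    chmod 777 "$d/sample_dir.1"
    chmod 700 "$d/sample_dir.5"
    printf 'data\n' > "$d/sample_data.1";  chmod 666 "$d/sample_data.1"
    printf '#!/bin/sh\n' > "$d/sample_file.1"; chmod 777 "$d/sample_file.1"
    printf 'data\n' > "$d/sample_dir.1/sample_data.3"; chmod 644 "$d/sample_dir.1/sample_data.3"
    echo "$d"
}

# Demo run on the constructed tree.
sandbox=$(make_sandbox)
echo "world-writable before fix: $(count_world_writable "$sandbox")"
world_writable "$sandbox"
apply_scheme "$sandbox" group
echo "world-writable after fix:  $(count_world_writable "$sandbox")"
echo "sample_file.1 is now $(mode_of "$sandbox/sample_file.1"), sample_data.1 is now $(mode_of "$sandbox/sample_data.1")"
rm -rf "$sandbox"
```

Run world_writable first and read the list before changing anything; apply_scheme rewrites the mode of every file under the root it is given, so point it at the web root (or one application's directory), never at /. After the fix, the script in the sandbox keeps its execute bit (775) while the data file ends up at 664, which is exactly the split the post recommends.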
Why not use Global RWX? (666, 777)
If you enjoy life on the edge, such settings put your site(s) on the list of sites likely to be defaced or compromised in other ways: a world-writable file or directory can be modified by every account on the host, including other customers on a shared server and any service account an attacker has already compromised, and a writable web root lets an attacker drop a script that the web server will then happily execute. The one case where you might consider global write access is to allow anonymous uploads or changes; I don’t suggest this approach. If a directory really must be writable by several accounts, put them in a shared group and grant group write access rather than opening it to the world.
Here is a bit more about group permissions when using WordPress (this approach should also work for other well-behaved programs.)