How to know which files to chmod in your website - php

If you have a website, and have different files doing different things, how should you chmod each file?
For example:
A CSS file which controls the layout of the HTML home page. How should I chmod that?
A JS file with functions that give interactivity to the website. How should I chmod that?
And a PHP file which communicates and changes the website's content from the server. How should I chmod that?
I understand how the chmod function works, but I don't understand what files you should chmod in what way. HELP! :D

You should give 750 to the PHP file.
For CSS and JS files, 644 would be sufficient.
All directories should have 755 permissions and all files (php, js, html) should have 644 permissions.

As long as the webserver (and all other relevant processes) can access and modify everything it needs to in order to function, you're fine. It needs to be able to read all files it tries to access, and write into the directories where it wants to upload files.
I use comprehensive ACLs in order to manage that logically on shared hardware.
$ man setfacl

Unless you have a reason not to (such as multiple users editing files, or you are using webserver-generated directory listings), I always use 711 permissions on all directories. Apache is quite happy with this.
This stops local users from seeing what files you have in there (such as, say, notes, info or config files), and can offer some protection if other settings are misconfigured (+Indexes is turned on, say) or if you don't have the ability to change such settings.
Also, this setting follows the principle of setting minimum required access. (Your mileage may vary on some web apps which need directories to be explicitly readable, but I haven't come across this.)
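The 644/755 baseline from the answers above (with 711 for directories as the stricter variant) can be checked and applied with a short script. The following is an added Python example, not code from any of the answerers; it assumes a POSIX filesystem and a web root you own, takes the mode numbers from the answers as the policy, and builds its own constructed sample tree so it can be run offline:

```python
import os
import stat
import tempfile
from pathlib import Path

# Baseline taken from the answers above: directories 755, regular files 644.
# Pass dir_mode=0o711 to use the more restrictive directory setting instead.
DIR_MODE = 0o755
FILE_MODE = 0o644


def _entries(root):
    """Yield (relative_path, lstat) for root, every directory below it and
    every file in those directories. Symlinks are never followed."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in [""] + filenames:
            p = os.path.join(dirpath, name) if name else dirpath
            yield os.path.relpath(p, root), os.lstat(p)
        # Directory symlinks appear in dirnames but os.walk does not descend
        # into them; report each one once here.
        for d in dirnames:
            p = os.path.join(dirpath, d)
            if os.path.islink(p):
                yield os.path.relpath(p, root), os.lstat(p)


def audit(root, dir_mode=DIR_MODE, file_mode=FILE_MODE):
    """Return {'world_writable': [...], 'off_baseline': [...], 'symlinks': [...]},
    each a sorted list of paths relative to root. World-writable entries are
    the ones to look at first: any local account can modify them."""
    findings = {"world_writable": [], "off_baseline": [], "symlinks": []}
    for rel, st in _entries(root):
        if stat.S_ISLNK(st.st_mode):
            findings["symlinks"].append(rel)
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IWOTH:
            findings["world_writable"].append(rel)
        want = dir_mode if stat.S_ISDIR(st.st_mode) else file_mode
        if mode != want:
            findings["off_baseline"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}


def apply_baseline(root, dir_mode=DIR_MODE, file_mode=FILE_MODE, dry_run=False):
    """chmod directories to dir_mode and regular files to file_mode.
    Symlinks are skipped because chmod would act on their targets.
    Returns the sorted relative paths that were (or, with dry_run, would be) changed."""
    changed = []
    for rel, st in _entries(root):
        if stat.S_ISLNK(st.st_mode):
            continue
        want = dir_mode if stat.S_ISDIR(st.st_mode) else file_mode
        if stat.S_IMODE(st.st_mode) != want:
            changed.append(rel)
            if not dry_run:
                os.chmod(os.path.join(root, rel), want)
    return sorted(changed)


def build_sample_site():
    """Constructed sample web root (not a real site) with two deliberate
    mistakes: a 777 uploads directory and a 666 PHP file."""
    root = tempfile.mkdtemp(prefix="site-")
    for d in ("css", "uploads"):
        os.mkdir(os.path.join(root, d), 0o755)
    Path(root, "index.php").write_text("<?php echo 'hello'; ?>\n")
    Path(root, "css", "style.css").write_text("body { margin: 0 }\n")
    Path(root, "uploads", "note.txt").write_text("constructed sample\n")
    # Modes are set explicitly because mkdir/open modes are subject to umask.
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "css"), 0o755)
    os.chmod(os.path.join(root, "css", "style.css"), 0o644)
    os.chmod(os.path.join(root, "uploads", "note.txt"), 0o644)
    os.chmod(os.path.join(root, "uploads"), 0o777)    # mistake 1: world-writable dir
    os.chmod(os.path.join(root, "index.php"), 0o666)  # mistake 2: world-writable file
    return root


if __name__ == "__main__":
    site = build_sample_site()
    print("before:", audit(site))
    print("changed:", apply_baseline(site))
    print("after:", audit(site))
```

Run it with `dry_run=True` first on a real tree; directories the application genuinely must write to (an uploads directory owned by the webserver user, for instance) will show up as off-baseline and need a deliberate exception rather than a blanket chmod.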

Related

Is it safe to CHMOD directories 777 on a VPS?

I have some php scripts that need to move, create and delete files and folders. Unless I CHMOD the folders to 777 the php scripts die with errors about permissions. CHMOD'ing the folders to 777 fixes the problem, but after a lot of reading I'm still confused as to whether it's OK to do or not.
I've read that it can be dangerous on shared hosting, but my question is, is it safe to do on a VPS?
VPS or not, it does not really matter. Chmod 777 means you are giving anyone (any user, incl. system daemons) all permissions possible (which includes read, write and execute) to the given file or directory. If you are the only user on the machine, then it reduces the risk (still, if anyone breaks in, they would still be able to mess around using the hacked daemon's user id). Additionally, if there are other user accounts on that VPS, setting 777 lets them put their content into files with said permission (or launch them). Will they do that? Who knows. They might, just because they can due to 777. In general, the rule of thumb should be: give as many permissions as really needed, and nothing beyond that.

How to securely to deploy PHP project with a dbconnect/config file?

I'm using Capistrano to deploy my PHP project, which is going great (other than the fact that it's uploading to current/ and I want to go to / but I'll figure that out later), but I need some advice as to where I can securely put my config.php file (contains all the MySQL connect info) so that it won't be subject to hackers.
Anyone know any good methods or links?
Every file will be subject to hackers if they hack the system... The file location isn't critical, but you can put it above public_html in order to prevent clients from accessing it directly. Ironically, even if you put it there, the details can leak to the client due to bad PHP configuration (if the error level is inappropriate).
Do you use an .htaccess file?
Assuming you're using apache, you can also chown the file to your apache user and chmod it to 600.
I ended up just putting it in a directory and added an include .conf file to the Apache configuration that blocks access to that directory.

Reasons file permissions may not match argument given to mkdir in php?

I'm trying to debug a strange file permission issue involving php, and have exhausted the obvious problems. Note that I'm not experienced with php, so it might be something dead-obvious.
I want the user to be able to create a folder and files via a web interface, and to be able to work with those files from a separate user account on the server for some backend work. The problem is that the created folders and files have no write or execute permissions for other users.
I don't have a lot of knowledge in this area, so my best hacky try was to see if explicitly passing 0777, even though it's the default, to the relevant mkdir fixed it. And also to every other mkdir call. And every chmod call.
As far as I can tell, the folder and files SHOULD be created with the right permissions. Does anyone know reasons the permissions might differ from what I naively expect?
If this is UNIX, you need to check the UMASK for the web server user; if this is Windows, it ignores the permissions.
http://us.php.net/umask
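What the answer above describes can be seen directly: the mode passed to mkdir is ANDed with the complement of the process umask at creation time, while chmod is not. The following is an added Python example, not code from the question or the answer; it reproduces the behaviour PHP's mkdir($path, 0777) and fopen() show under different umasks (the umask values are constructed for the demonstration) and then applies the explicit chmod that gives exactly the requested bits:

```python
import os
import stat
import tempfile


def mode_of(path):
    """Permission bits of path as an int, e.g. 0o755."""
    return stat.S_IMODE(os.stat(path).st_mode)


def create_under_umask(umask_value, requested_dir_mode=0o777):
    """Create a directory and a file while umask_value is in effect and return
    the modes the kernel actually assigned.

    This mirrors PHP's mkdir($p, 0777) and fopen($p, 'w'): the requested mode
    (0777 for directories, 0666 for files) is ANDed with ~umask at creation
    time, so a web server running with umask 027 produces 750 / 640 no matter
    what the script asks for. umask is process-wide, so it is restored in the
    finally block."""
    old = os.umask(umask_value)
    try:
        base = tempfile.mkdtemp(prefix="umask-demo-")  # mkdtemp always uses 0700
        d = os.path.join(base, "newdir")
        os.mkdir(d, requested_dir_mode)
        f = os.path.join(base, "newfile")
        os.close(os.open(f, os.O_CREAT | os.O_WRONLY, 0o666))
        return {"dir": mode_of(d), "file": mode_of(f), "dir_path": d, "file_path": f}
    finally:
        os.umask(old)


def fix_after_creation(path, mode):
    """chmod is not filtered by umask: calling it after mkdir yields exactly the
    requested bits. This is the explicit chmod the question mentions trying."""
    os.chmod(path, mode)
    return mode_of(path)


if __name__ == "__main__":
    for mask in (0o022, 0o027, 0o077):
        r = create_under_umask(mask)
        print(f"umask {mask:03o}: dir {r['dir']:03o}, file {r['file']:03o}")
    r = create_under_umask(0o027)
    print("after chmod 0775:", oct(fix_after_creation(r["dir_path"], 0o775)))
```

The umask that matters is the one in effect for the webserver worker (set by its service definition or init script, not by your shell), which is why a script that looks correct still yields 750. For the backend user to work on the files, a group-writable mode such as 0775 with a shared group is the usual compromise rather than 0777.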

Protect directory from web access

I need a directory with 777 permissions on my webserver; anyway, I would like to protect it by placing it outside the public_html directory. Is this safe enough? Will a PHP script be able to access that directory?
Thank you for your help.
—Albe
So long as your php scripts are sufficiently secure from users trying to break them with SQL injection (amongst others), placing the directory outside the web root is definitely safe to prevent others directly accessing the contents. And yes, php can still access the files, if given an appropriate path to that directory.
Yes, the other PHP scripts can still access that directory, but it will not be reachable over the web.
Set the correct owner/group as well; if you set it to be the owner of the PHP process, 700 should work just as well.
David's way is the easiest, but you could also try:
placing a .htaccess file in your folder
changing the permissions to 700 (or 750, if you have to be able to edit it with the group)
starting filenames in the directory with a dot (though this is easy to screw up, so you may want to avoid it)
If David's way works, I'd prefer that, but in case you have some weird extra restrictions, these ways MAY work.

How can I hide .SVN directories from PHP

I am using SVN to manage a copy of my web site. The site runs a typo3 installation, which uses PHP to create the backend.
The problem is, all the stupid .SVN folders show up in the directory listing of PHP. I DO NOT mean the built-in Apache listing. I mean a directory listing created by the PHP backend.
So, is there any way to hide special directories from PHP?
[NOTE]
Changing the PHP source code is not an option. Typo3 is too big, and each extension uses its own code. It would be much more effort than an SVN export script.
Chris
PS: I do not want to set up an svn export --> web_root just to get rid of the files. And I know that I can prevent Apache from serving the .SVN directories; I did that. But they still show up in the backend, when browsing the directory tree (which is created by PHP). And they are very annoying...
This is difficult, since you will have to change behavior of something somewhere between the filesystem and Typo3. You have:
Filesystem → Operating System → PHP → Typo3
The files must stay in the filesystem and must stay visible by the operating system, so you can use SVN. Changing Typo3 is not an option for you, and changing PHP has many other major undesirable consequences that you should avoid. So, what you have left is to insert something in between OS→PHP or PHP→Typo3.
The first case is actually possible, depending on what operating system you use, and if you have administrator (root) access. FUSE is part of the Linux kernel, and is also available for many other operating systems. Then, with fuse, you may install a filter like rofs-filtered, that allows you to filter which files and directories are visible in a mounted volume. You use it to create a filesystem that mirrors your SVN checkout directory, filtering the .svn directories.
So, is there any way to hide special directories from PHP?
No.
As long as the user PHP is run under has read access to the directory, it will always produce all the files/directories in that directory. There is no way to hide files from certain processes; were this possible, writing a rootkit to hide from ls and other filesystem tools would be a lot easier.
The option you would want/need is a way to define files that Typo3 ignores, and have it be system wide and thus used by the extensions as well. You have specified however that you do not want to change the source code, and do not want to do svn export.
You are thus stuck with the .svn directories.
The short answer is "Not easily, simply, or sanely".
Run the website from an export of SVN, not a checkout, instead.
Try this.
<LocationMatch "/\.svn/">
    Order allow,deny
    Deny from all
</LocationMatch>
# The dot is escaped so the pattern matches a literal ".svn" path segment.
# On Apache 2.4 the two Order/Deny lines become: Require all denied
Btw, in your loop in PHP you can do a logic check to see if the filename is not ".svn"; usually PHP directory tools do that to exclude the "." and ".." directories.
The problem is, all the stupid .SVN folders show up in the directory listing of PHP. I DO NOT mean the built-in Apache listing. I mean a directory listing created by the PHP backend.
What application is doing the directory listing? Have you considered looking into the code of the PHP backend and adding something to prevent the display of the .svn directories?
Just find or write a very simple application that will synchronize your current directory with a new directory that will be exposed to the Web. You could have a service that watches for changes or use something like an rsync with exclusions or what have you. This would be much simpler since, based on another question, you are on Windows.
There's an extension called np_subversion which will take care of fileadmin changes via Subversion. As a nice plus, it will hide folders for you.
I do not want to setup a svn export --> web_root just to get rid of the files
Are you sure? That’s how SVN is designed: you check code out of SVN to work on it, and export code from SVN to deploy it. If you don’t like that, then SVN probably isn’t the right choice. As gahooa said, maybe switch to Git?
It’s a bit like saying “I want to save my Word document, but I don’t want this stupid .doc file showing up on my computer.” That’s just how the software works.
Sara Golemon's Runkit can do this. You can remap functions like glob(). However, I am not sure if it's a good idea to run it in a production server.
If you don't need the .svn folders, you can just delete them.
find . -type d -name .svn -prune -exec rm -rf {} +
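The filter that the "logic check in your loop" answer describes, written as an added Python example rather than in the PHP that Typo3 uses (this is not code from the thread or from Typo3): it lists a tree while pruning VCS metadata directories at every depth, and separately reports any such directories found under a document root, since a web-reachable .svn or .git directory discloses source and history. The sample checkout tree is constructed by the script itself:

```python
import os
import tempfile
from pathlib import Path

# Metadata directory names the listing should never show; extend as needed.
VCS_DIRS = frozenset({".svn", ".git", ".hg", "CVS"})


def list_tree(root, hide=VCS_DIRS):
    """Relative paths of every file under root, excluding VCS metadata
    directories. Assigning to dirnames[:] prunes os.walk in place, so the
    hidden directories are neither listed nor descended into."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in hide)
        for name in sorted(filenames):
            out.append(os.path.relpath(os.path.join(dirpath, name), root))
    return out


def find_vcs_dirs(docroot, names=VCS_DIRS):
    """Relative paths of VCS metadata directories anywhere under docroot.
    A non-empty result under a web-served directory is something to fix:
    deploy from an export instead of a checkout, or deny access to the
    pattern in the webserver configuration as the LocationMatch answer does."""
    found = []
    for dirpath, dirnames, _ in os.walk(docroot):
        for d in dirnames:
            if d in names:
                found.append(os.path.relpath(os.path.join(dirpath, d), docroot))
        dirnames[:] = [d for d in dirnames if d not in names]
    return sorted(found)


def build_sample_checkout():
    """Constructed sample: a checkout-style tree with .svn at two depths."""
    root = tempfile.mkdtemp(prefix="checkout-")
    for rel in ("index.php", "sub/page.php", ".svn/entries", "sub/.svn/entries"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed\n")
    return root


if __name__ == "__main__":
    root = build_sample_checkout()
    print("listing:", list_tree(root))
    print("exposed:", find_vcs_dirs(root))
```

`find_vcs_dirs` run against a live document root is a cheap deployment check; an empty result is what an export-based deployment should always give.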
