File permissions
From OCF Help
On UNIX filesystems, different files and directories have permissions that specify who and what can edit and read them. This is important because poorly set permissions can lead to loss of data and possibly your account getting compromised and disabled.
This page will go over the concepts you need to know to make an informed decision about what permissions you should set on your files.
File and Directory Ownership
Every file and directory is associated with a user (the owner) and a group. For most files on the OCF, the default group is ocf.
NOTE: This document will assume that you are accessing your account via SSH. Most other programs that allow you to upload or download files from your OCF account provide a facility for editing file permissions; you may have to consult their documentation.
Using ls, let's look at the permissions for some sample files:
aoaks@flood:~$ ls -l
total 16328
-rw------- 1 aoaks ocf  235830 2007-02-14 12:35 110bs07-rel.pdf
-rw------- 1 aoaks ocf 8515935 2007-02-14 20:56 aoaks
drwx------ 4 aoaks ocf       4 2007-01-27 19:40 class/
-r--r--r-- 1 aoaks ocf   20480 2006-11-03 22:22 Coursework.xls
-rw-r--r-- 1 aoaks ocf     135 2007-02-13 12:48 data
drwxr-xr-x 2 aoaks ocf      47 2007-02-20 01:47 decal/
drwxr-xr-x 2 aoaks ocf      27 2007-01-28 17:06 decalsle/
-rw------- 1 aoaks ocf   81227 2007-01-21 17:48 decal-sle.zip
The first, third, and fourth column are relevant to permissions. The first column shows the permissions that are set on the file, and the third and fourth columns specify the owner and group, respectively.
Permissions
Every file or folder in UNIX has a set of access permissions. There are three types of permissions that specify what you are allowed to do with a file or directory:
| Permission | For Files | For Directories |
|---|---|---|
| Read (r) | The file contents can be read | The directory listing can be obtained |
| Write (w) | The user or process can write to the file (change its contents) | The user or process can change the directory's contents: create new files, delete existing ones, or rename files in it. |
| Execute (x) | The file can be executed | The user or process can access the directory |
These three permissions are independently defined for three types of users:
- the owner of the file (u)
- members of the group that the file belongs to (g)
- all users (o)
File Permissions
Looking at one of the sample files from above, we can see how the permissions are laid out:
-rw-r--r-- 1 aoaks ocf 135 2007-02-13 12:48 data
The first column contains a set of characters that specify the permissions on the file. The first character specifies whether the entry is a file or a directory (- or d in the listing above), and the following 9 characters make up 3 triplets, each specifying one of the three sets of permissions. The first triplet corresponds to owner permissions (u), the second triplet corresponds to group permissions (g), and the third triplet corresponds to other users' permissions (o). If a permission is allowed, the r, w, or x is displayed. If it is not allowed, a - (dash) is displayed.
Looking at the example again, the three triplets are:
- rw- : owner can read the file and write to the file
- r-- : group members can read
- r-- : other users can read
This is the default set of permissions for regular files.
Directory Permissions
Now looking at a sample directory from above:
drwxr-xr-x 2 aoaks ocf 47 2007-02-20 01:47 decal/
- rwx : owner can access the directory, list the contents of the directory, and add/remove/rename files
- r-x : group members can access and list the contents of the directory
- r-x : other users can access and list the contents of the directory
This is the default set of permissions for directories.
You should notice that by default, write permission to files and directories is not granted to group members or other users. While there may be good reasons to allow such things on other setups, on OCF you should never grant write permission to group or other users. If someone, some tutorial, or some installation instructions tell you to do this, you should stop and seriously consider why they are asking you to do it and whether there may be a better way to do things.
Changing Permissions
Only the owner of a file or directory can alter the permissions of a file or directory.
Using chmod
To modify permissions via SSH, use chmod:
chmod mode file-or-directory
The mode argument is three digits, one each for the owner, the group, and others, in that order. Each digit is the sum of the numbers for the permissions it grants:
- Read (r) is 4
- Write (w) is 2
- Execute (x) is 1
The sums of these numbers give combinations of these permissions:
- 0 = --- = no permissions whatsoever; this person cannot read, write, or execute the file
- 1 = --x = execute only
- 2 = -w- = write only
- 3 = -wx = write and execute (1+2)
- 4 = r-- = read only
- 5 = r-x = read and execute (4+1)
- 6 = rw- = read and write (4+2)
- 7 = rwx = read and write and execute (4+2+1)
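The ls -l column and the three-digit mode are the same information in two notations. The shell functions below, added here as an example and not part of the OCF page, convert the ten-character field from ls -l into the octal mode chmod takes and back, using exactly the 4/2/1 sums from the table. The helper names (triplet_to_digit, sym_to_octal, digit_to_triplet, octal_to_sym) are this example's own, and it handles only the r, w and x bits covered on this page; any other letter is rejected rather than guessed at.

```shell
#!/bin/sh
# Added example: convert between the symbolic mode ls -l prints and the
# octal mode chmod takes. The helper names are this example's own, not
# OCF tooling. Only r, w and x are handled; any other letter is rejected.

# One triplet (rwx, r-x, ---) -> one digit, by summing r=4, w=2, x=1.
triplet_to_digit() {
    case $1 in
        [r-][w-][x-]) ;;
        *) echo "bad triplet: $1" >&2; return 1 ;;
    esac
    n=0
    case $1 in r??) n=$((n + 4)) ;; esac
    case $1 in ?w?) n=$((n + 2)) ;; esac
    case $1 in ??x) n=$((n + 1)) ;; esac
    printf '%s' "$n"
}

# The 10-character first column of ls -l (-rw-r--r--, drwxr-xr-x) -> 644, 755.
sym_to_octal() {
    mode=$1
    [ "${#mode}" -eq 10 ] || { echo "expected 10 characters, got: $mode" >&2; return 1; }
    body=${mode#?}                                          # drop the type character (- or d)
    ud=$(triplet_to_digit "${body%??????}") || return 1    # characters 1-3: owner (u)
    mid=${body#???}
    gd=$(triplet_to_digit "${mid%???}") || return 1        # characters 4-6: group (g)
    od=$(triplet_to_digit "${body#??????}") || return 1    # characters 7-9: others (o)
    printf '%s%s%s\n' "$ud" "$gd" "$od"
}

# One digit 0-7 -> one triplet, by subtracting 4, 2 and 1 in turn.
digit_to_triplet() {
    case $1 in
        [0-7]) ;;
        *) echo "bad digit: $1" >&2; return 1 ;;
    esac
    d=$1
    t=
    if [ "$d" -ge 4 ]; then t="${t}r"; d=$((d - 4)); else t="${t}-"; fi
    if [ "$d" -ge 2 ]; then t="${t}w"; d=$((d - 2)); else t="${t}-"; fi
    if [ "$d" -ge 1 ]; then t="${t}x"; else t="${t}-"; fi
    printf '%s' "$t"
}

# Three octal digits (600, 755) -> the nine permission characters (rw-------, rwxr-xr-x).
octal_to_sym() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three octal digits, got: $1" >&2; return 1 ;;
    esac
    mid=${1#?}
    ut=$(digit_to_triplet "${1%??}") || return 1
    gt=$(digit_to_triplet "${mid%?}") || return 1
    ot=$(digit_to_triplet "${1#??}") || return 1
    printf '%s%s%s\n' "$ut" "$gt" "$ot"
}

# Run the modes from the page's sample listing through both directions.
for m in -rw------- -r--r--r-- -rw-r--r-- drwxr-xr-x; do
    printf '%s -> %s\n' "$m" "$(sym_to_octal "$m")"
done
for o in 600 644 755 777; do
    printf '%s -> %s\n' "$o" "$(octal_to_sym "$o")"
done
```

Paste the functions into a shell session and run `sym_to_octal` on the first column of any ls -l line to see which chmod mode would reproduce it; the page's default file mode comes out as 644 and the default directory mode as 755.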
For example, if you had some config file that has sensitive passwords in it, you probably don't want other people reading it. You probably want to set it so that you (the owner) have read and write permission, but everybody else (the group members and other users) has no permissions at all. Looking at the table above, that means you want mode 6 for the owner, and mode 0 for the group members and other users. So your chmod command would look like:
chmod 600 config.php
Using Other Clients
If you are using an SFTP client, it will likely possess the ability to change file permissions through its interface. Since SFTP clients are typically graphical interfaces, they will usually have checkboxes for the individual permissions, making it easier to figure out what you actually want. The example below shows how you would change file permissions using WinSCP. Other clients should be similar.
Permissions and web applications
Changing permissions often comes up during the installation of many web applications. They will typically tell you to just "run this chmod command, and never mind what it does". These are typically things like "chmod 777 somefiles". This should immediately throw up red flags for you. Do NOT grant write permission to group or other users!! I can't emphasize that enough. If some installation instructions are telling you to do this, there is probably a better way to do it on OCF servers. Ask an OCF staff member in an e-mail or on IRC if you aren't sure. It is a lot easier to ask and get the correct answer now than to find out you made the wrong choice later when your website gets hacked and disabled.
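As an added example (not from the OCF page), here is an audit you can run over your own account to find exactly the kind of group- or other-writable files and directories that a "chmod 777" left behind, and to tighten them with `chmod go-w`. That is chmod's symbolic form: it removes only the write bits for group and others and leaves the owner's permissions and the execute bits alone, so a 777 directory becomes 755 and a 666 file becomes 644. The helper names and the constructed sample tree are this example's own; it needs find, mktemp and ls as found on Linux or BSD systems.

```shell
#!/bin/sh
# Added example: find and fix files writable by group or others.
# Helper names are this example's own; the sample tree is constructed
# here for demonstration and is not real OCF data.

# Print every path under $1 whose group write bit (-020) or other write
# bit (-002) is set. "-perm -NNN" means "all of these bits are set", so
# the two bits are tested separately and joined with -o (or).
find_group_other_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) -print | LC_ALL=C sort
}

# Remove the group and other write bits from every path that has them.
tighten_group_other_write() {
    find "$1" \( -perm -020 -o -perm -002 \) -exec chmod go-w {} +
}

# The 10-character permission field ls -l shows for one path, e.g. -rw-------.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# How many paths under $1 are still group/other writable (0 is the goal).
count_group_other_writable() {
    find_group_other_writable "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree in a temporary directory and print its path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir "$dir/public_html"
    : > "$dir/public_html/index.html"; chmod 644 "$dir/public_html/index.html"
    : > "$dir/public_html/config.php"; chmod 666 "$dir/public_html/config.php"  # world-writable secrets
    mkdir "$dir/public_html/uploads";  chmod 777 "$dir/public_html/uploads"     # the "chmod 777" from a tutorial
    : > "$dir/notes.txt";              chmod 600 "$dir/notes.txt"
    chmod 755 "$dir" "$dir/public_html"
    printf '%s\n' "$dir"
}

# Demonstration on the constructed tree: report, tighten, report again.
sample=$(make_sample_tree)
printf 'Group/other writable before:\n'
find_group_other_writable "$sample"
tighten_group_other_write "$sample"
printf 'After chmod go-w: %s remaining\n' "$(count_group_other_writable "$sample")"
printf 'config.php is now %s\n' "$(mode_string "$sample/public_html/config.php")"
rm -rf "$sample"
```

On your own account, `find_group_other_writable ~` should print nothing; if it prints anything, that is the list of paths to fix, and `tighten_group_other_write ~` fixes all of them in one pass without touching any owner permission.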
