File permissions
From OCFwiki
On UNIX filesystems, every file and directory carries permissions that specify which users and processes may read, modify and execute it. This matters because poorly set permissions can lead to loss of data, and possibly to your account being compromised and disabled.
This page will go over the concepts you need to know to make an informed decision about what permissions you should set on your files.
Users
Every user on a UNIX system is associated with a specific user account that keeps track of settings specific to that user, such as the location of your home directory and your default shell. You may notice that some users, like apache, seem like odd choices for a person's user name. These are system user accounts: they are used by certain system processes for access control. For example, the apache user account is the one the web server runs as.
For most of this page, I will use my own username 'aoaks', but you can substitute this with your username if it helps you understand the concepts that are being explained.
Groups
Every user in the UNIX system is associated with a collection of groups. These groups allow permissions to be set that are effective for anybody who is a member of that group. For example, a set of users could collaborate on a file by allowing read and write access on that file to anybody who is a member of a certain group. This can have its advantages, but for security reasons, OCF users are all members of the same group "ocf", and no other group. In practice this means that on OCF, any permission you grant to the group is granted to every OCF user.
Ownership
Every file on the system is associated with a specific user (the owner) and a specific group (on OCF, always ocf). Let's look at some sample files:
```
aoaks@flood:~$ ls -l | head
total 16328
-rw------- 1 aoaks ocf  235830 2007-02-14 12:35 110bs07-rel.pdf
-rw------- 1 aoaks ocf 8515935 2007-02-14 20:56 aoaks
drwx------ 4 aoaks ocf       4 2007-01-27 19:40 class/
-r--r--r-- 1 aoaks ocf   20480 2006-11-03 22:22 Coursework.xls
-rw-r--r-- 1 aoaks ocf     135 2007-02-13 12:48 data
drwxr-xr-x 2 aoaks ocf      47 2007-02-20 01:47 decal/
drwxr-xr-x 2 aoaks ocf      27 2007-01-28 17:06 decalsle/
-rw------- 1 aoaks ocf   81227 2007-01-21 17:48 decal-sle.zip
```
Among other output, the first, third and fourth columns are the ones relevant to permissions. The third and fourth columns show the file's owner and group respectively. The first column shows the permissions set on the file.
This means that for any file or folder in the system, a user that attempts to access it may fall into one of three relationships:
- the user is the owner of the file
- the user is a member of the group associated with the file
- the user is neither the owner nor a member of the group associated with the file
The implications of these relationships are explained in the following section.
Permissions
Every file or folder in UNIX has a set of access permissions. There are three types of permissions (what you are allowed to do with a file):
- read access
- write access
- execute access
These permissions mean slightly different things for files and directories:
| Access type | File | Folder |
|---|---|---|
| Read (r) | The file contents can be read | The directory listing (the names of the entries) can be obtained |
| Write (w) | The user or process can write to the file (change its contents) | The user or process can change the directory's contents by creating, deleting or renaming entries in it |
| Execute (x) | The file can be run as a program | The user or process can enter (cd into) the directory and reach the files inside it by name |

Two consequences of this split are worth remembering. Deleting or renaming a file is governed by write permission on the directory, not on the file, so a file you made read-only can still be removed by anyone who can write to its directory. And a directory with execute but without read permission lets a user open files inside it whose names they already know, without being able to list what is there.
These three permissions are defined for three types of users:
- the owner of the file (u)
- members of the group that the file belongs to (g)
- everyone else, i.e. users who are neither the owner nor a member of the group (o, for "other")
Looking at one of the sample files from above, we can see how the permissions are laid out:
-rw-r--r-- 1 aoaks ocf 135 2007-02-13 12:48 data
You want to look at the first column, which consists of 10 characters. These characters specify the permissions on the file. Ignoring the first character, which specifies the type of file (- for a regular file, d for a directory, l for a symbolic link, and so on), the following 9 characters make up 3 triplets, each specifying one of the three sets of permissions. The first triplet corresponds to owner permissions (u), the second triplet to group permissions (g), and the third triplet to other users' permissions (o). Within each triplet the order is always read, write, execute: if a permission is granted, the r, w or x is displayed in its slot; if it is not, a - (dash) is displayed instead.
Looking at the example again, the three triplets are:
- rw- : owner can read the file and write to the file
- r-- : group members can read
- r-- : other users can read
This is the default set of permissions for newly created regular files (with the usual umask of 022).
Now looking at a sample directory from above:
drwxr-xr-x 2 aoaks ocf 47 2007-02-20 01:47 decal/
- rwx : owner can access the directory, list the contents of the directory, and add/remove/rename files
- r-x : group members can access and list the contents of the directory
- r-x : other users can access and list the contents of the directory
This is the default set of permissions for newly created directories (again with the usual umask of 022).
You should notice that by default, write permission to files and directories is not granted to group members or other users. While there may be good reasons to allow such things on other setups, on OCF you should never grant write permission to group or other users. If someone, or some tutorial or set of installation instructions, tells you to do this, you should stop and seriously consider why they are asking you to do it and whether there is a better way.
Changing Permissions
To set or modify a file's permissions you typically use the chmod program on the command line. Only the owner of a file (or the superuser, root) can alter a file's permissions.
chmod has the following syntax: chmod [options] mode file(s)
The mode argument is where you specify the permissions the file should have. In its numeric form the mode is three octal digits (each between 0 and 7), giving the owner, group and other permissions respectively. chmod also accepts a symbolic form, such as go-w (remove write permission from group and others) or u+x (add execute permission for the owner), but this page uses the numeric form.
Permissions are set according to numbers.
- Read (r) is 4
- Write (w) is 2
- Execute (x) is 1
The sums of these numbers give combinations of these permissions:
- 0 = --- = no permissions whatsoever; this person cannot read, write, or execute the file
- 1 = --x = execute only
- 2 = -w- = write only
- 3 = -wx = write and execute (1+2)
- 4 = r-- = read only
- 5 = r-x = read and execute (4+1)
- 6 = rw- = read and write (4+2)
- 7 = rwx = read and write and execute (4+2+1)
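As an added example (not part of the original OCF page), here is a small Python script that reads ls -l lines like the ones listed earlier, converts the 9-character permission string into the octal digits chmod takes and back again using the 4/2/1 sums above, and flags every entry whose group or other triplet grants write access. The listing it runs on is constructed for this example: the config.php line with mode 777 is invented so the check has something to find. The setuid, setgid and sticky bits (s, S, t, T in the execute slot), which this page does not cover, are tolerated by the parser but not otherwise interpreted.

```python
import re

# Constructed `ls -l` output modelled on the listing earlier on this page.
# The last line (config.php, mode 777) is invented so the check has a hit.
SAMPLE_LISTING = """\
total 16328
-rw------- 1 aoaks ocf 235830 2007-02-14 12:35 110bs07-rel.pdf
drwx------ 4 aoaks ocf 4 2007-01-27 19:40 class/
-r--r--r-- 1 aoaks ocf 20480 2006-11-03 22:22 Coursework.xls
-rw-r--r-- 1 aoaks ocf 135 2007-02-13 12:48 data
drwxr-xr-x 2 aoaks ocf 47 2007-02-20 01:47 decal/
-rwxrwxrwx 1 aoaks ocf 2048 2007-02-20 02:00 config.php
"""

BIT_VALUE = {"r": 4, "w": 2, "x": 1}           # read, write, execute
MODE_RE = re.compile(r"^[-dlbcps][-rwxsStT]{9}$")  # file type + 3 triplets


def triplet_to_digit(triplet):
    """Turn one rwx triplet ('r-x') into the octal digit chmod uses (5).

    Each slot is either its letter (granted) or '-' (denied).  The execute
    slot may also show s/S (setuid, setgid) or t/T (sticky); lowercase means
    the execute bit is set too.  Those bits are not covered on this page, so
    they are accepted here but not reported."""
    if len(triplet) != 3:
        raise ValueError(f"permission triplet must be 3 chars: {triplet!r}")
    digit = 0
    for expected, ch in zip("rwx", triplet):
        if ch == expected or (expected == "x" and ch in "st"):
            digit += BIT_VALUE[expected]
        elif ch == "-" or (expected == "x" and ch in "ST"):
            continue
        else:
            raise ValueError(f"unexpected {ch!r} in triplet {triplet!r}")
    return digit


def mode_string_to_octal(mode_str):
    """'-rw-r--r--' -> '644': the three digits you would pass to chmod."""
    if not MODE_RE.match(mode_str):
        raise ValueError(f"not an ls -l mode string: {mode_str!r}")
    perms = mode_str[1:]  # drop the file-type character
    return "".join(str(triplet_to_digit(perms[i:i + 3])) for i in (0, 3, 6))


def octal_to_mode_string(octal):
    """'644' -> 'rw-r--r--': the inverse, by the same 4/2/1 sums."""
    if len(octal) != 3 or any(d not in "01234567" for d in octal):
        raise ValueError(f"mode must be three octal digits: {octal!r}")
    out = []
    for d in octal:
        value = int(d)
        out.append("".join(ch if value & v else "-" for ch, v in BIT_VALUE.items()))
    return "".join(out)


def parse_ls_line(line):
    """Split one `ls -l` line into the fields relevant to permissions.

    Assumes the `YYYY-MM-DD HH:MM` timestamp format shown in the listing; the
    name is everything after the time, so names containing spaces survive."""
    fields = line.split(None, 7)
    if len(fields) != 8:
        raise ValueError(f"unexpected ls -l line: {line!r}")
    mode, _links, owner, group, _size, _date, _time, name = fields
    return {
        "name": name.rstrip("/"),   # ls -F appends '/' to directory names
        "owner": owner,
        "group": group,
        "mode": mode,
        "octal": mode_string_to_octal(mode),
        "is_dir": mode[0] == "d",
    }


def group_or_world_writable(listing):
    """Names of entries whose group or other triplet grants write.

    In the 10-character mode string, index 5 is the group 'w' slot and
    index 8 is the others' 'w' slot."""
    hits = []
    for line in listing.splitlines():
        if not line.strip() or line.startswith("total "):
            continue
        entry = parse_ls_line(line)
        if entry["mode"][5] == "w" or entry["mode"][8] == "w":
            hits.append(entry["name"])
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LISTING.splitlines()[1:]:
        e = parse_ls_line(line)
        print(f"{e['octal']}  {e['mode']}  {e['owner']}:{e['group']}  {e['name']}")
    print("group/world writable:", group_or_world_writable(SAMPLE_LISTING))
```

Run against the sample listing it reports only config.php; on real output of ls -l in your home directory, any name it prints is one whose permissions you should revisit.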
For example, if you had a config file that has sensitive passwords in it, you probably don't want other people reading it. You want to set it so that you (the owner) have read and write permission, but everybody else (group members and other users) has no permissions at all. Looking at the table above, that means you want mode 6 for the owner and mode 0 for both the group and other users. So your chmod command would look like:
chmod 600 config.php
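The following Python script is an added example, not part of the original page or of any OCF tool. It does on a whole directory tree what the chmod 600 command above does for one file: it walks the tree, reports every file and directory that grants write access to group or others, strips exactly those bits (so a 777 directory becomes 755 and a 666 file becomes 644, leaving everything else as it was), and locks a credentials file down to 600. The demo tree it builds in a temporary directory, including the names uploads, config.php and notes.txt and their deliberately bad modes, is constructed for this example.

```python
import os
import stat
import tempfile

# 0o022: the 'w' bit for group (S_IWGRP) and for others (S_IWOTH)
GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_tree(root):
    """Return [(path, mode)] for every file and directory under root (root
    itself included) that group or others may write to.

    Symbolic links are skipped: the kernel never consults a symlink's own
    mode bits, only the target's permissions matter."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        candidates = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for path in candidates:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & GROUP_OR_WORLD_WRITE:
                findings.append((path, stat.S_IMODE(st.st_mode)))
    return findings


def clear_group_world_write(path):
    """Drop only the group and other 'w' bits and return the new mode.

    This is the minimal repair for 'chmod 777' advice: 777 -> 755,
    666 -> 644, 770 -> 750.  Read and execute for group and others are left
    alone because they are the documented defaults (644 / 755)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return None
    new_mode = stat.S_IMODE(st.st_mode) & ~GROUP_OR_WORLD_WRITE
    os.chmod(path, new_mode)
    return new_mode


def fix_tree(root):
    """Repair everything audit_tree flags; return [(path, old, new)]."""
    return [(p, old, clear_group_world_write(p)) for p, old in audit_tree(root)]


def lock_down_secret(path):
    """chmod 600 for a file holding passwords: owner read/write, nobody else."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # 0o600
    return stat.S_IMODE(os.lstat(path).st_mode)


def build_demo_tree():
    """Create a throwaway tree with the kind of modes careless install
    guides ask for.  Names, contents and modes are constructed for this
    example."""
    root = tempfile.mkdtemp(prefix="permdemo-")
    paths = {
        "root": root,
        "uploads": os.path.join(root, "uploads"),
        "config": os.path.join(root, "config.php"),
        "notes": os.path.join(root, "notes.txt"),
    }
    os.mkdir(paths["uploads"])
    with open(paths["config"], "w") as fh:
        fh.write("<?php $db_password = 'constructed-example';\n")
    with open(paths["notes"], "w") as fh:
        fh.write("nothing secret here\n")
    os.chmod(root, 0o755)               # the documented directory default
    os.chmod(paths["uploads"], 0o777)   # 'chmod 777 uploads' from an installer
    os.chmod(paths["config"], 0o666)    # world-writable file holding a password
    os.chmod(paths["notes"], 0o644)     # the documented file default
    return paths


if __name__ == "__main__":
    tree = build_demo_tree()
    for path, mode in audit_tree(tree["root"]):
        print(f"group/world writable: {oct(mode)} {path}")
    for path, old, new in fix_tree(tree["root"]):
        print(f"fixed {path}: {oct(old)} -> {oct(new)}")
    print(f"config.php now {oct(lock_down_secret(tree['config']))}")
    print("remaining findings:", audit_tree(tree["root"]))
```

Clearing the write bits rather than forcing every file to 600 is deliberate: a web application still needs the web server (running as a different user, see the apache account above) to read its files, and 644 / 755 keep that working while removing the ability of every other account to change them.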
Note that chmod is not the only way to change file permissions. If you are using an SFTP client, it will likely have an option to change file permissions somewhere in its interface. Since SFTP clients are typically graphical, they usually present checkboxes for the individual permissions, which makes it easier to see exactly what you are granting. The example below shows how you would change file permissions using WinSCP. Other clients should be similar.
Permissions and web applications
Changing permissions often comes up during the installation of web applications. Their instructions will typically tell you to just "run this chmod command, and never mind what it does". These are typically things like "chmod 777 somefiles". This should immediately raise red flags for you. Do NOT grant write permission to group or other users! I can't emphasize that enough. Remember that on OCF everyone is in the same group, so 777 and 775 alike let every other user on the system edit your files. If some installation instructions are telling you to do this, there is probably a better way to do it on OCF servers. Ask an OCF staff member by e-mail or on IRC if you aren't sure. It is a lot easier to ask and get the correct answer now than to find out you made the wrong choice later, when your website gets hacked and disabled.
