I would like to know what is the best, correct and recommended way of doing chown and chmod to website files and folders.
I recently started working on linux and I have been doing it in the site root directory like the following:
sudo chown www-data:www-data -R ./
sudo chmod 775 -R ./
I know it is not the best way. There is a protected folder which should not be accessible with browsers and should not be writable, so I did the following to protected folder:
sudo chown root:root -R protected/
sudo chmod 755 -R protected/
Is it correct? If anything can be improved please let me know.
Read your command again. What you are saying is "make everything executable" below these directories. Does an HTML or gif to be executable? I don't think so.
Regarding a directory which should not be writable by the webserver. Think of what you want to do. You want to revoke the right to write a directory from the webserver and the webserver group (and everybody else anyway). So it would translate to chmod -w theDir. What you did is to tell the system "I want root to make changes to that directory which shall be readable by everybody and the root group". I highly doubt that.
So I would suggest having the directory owned by a webserver user with only minimal read access, it should belong to a group (of users, that is) which is allowed to do the necessary of the modification. The webserver does not belong to that group, as you want the outside world to be prevented from making modifications. Another option would be to hand over all the directories to root and to the editor group and modify what the webserver can do via the "others" permission group. But what to use heavily depends on your environment.
Edit:
In general, the "least rights" policy is considered good practice: give away as few rights as possible to get the job done. This means read access to static files and depending on your environment php files, read and execute rights for cgi executables and read and execute rights for directories. Execute rights for directories allow you to enter and read it. No directory in the document root should be writable by the webserver ever. It is a security risk, even though some developers of bigger CMS do not seem to care to much about that. For temporary folders I would set the user and groups to nobody:nogroup and set the sticky bit for both user and groups.
Related
I need some help about permissions on Linux. I know having world writable file can be dangerous and many people recommend to not have world writable file.
In order to "protect" my Linux, i searched for every world writable file using find / -perm -0002 -type f. Thanks to this command, I found a world writable file under my /root/a_directory/. As my /root directory is 700, other user cant edit the world writable file.
So my question is, what is the risk if I have world writable file under a directory which can't be access by other users ?
Am i safe if /directory1/world_writable_file.sh is 777 and /directory1/ is 700. Is there no risk with this situation ?
Directory permissions behave quite differently from file permissions.
Since the directory doesn't allow other (non-root and non-group) users any operation (read/write/execute) on the directory, they can't even enumerate the files inside this directory, so they sure can't access them.
Here is a practical example:
user#host$ sudo su
root#host$ mkdir testdir
root#host$ printf '#!/bin/bash\necho test" > testdir/testfile
root#host$ chmod 0777 testdir/testfile
root#host$ chmod 0700 testdir
root#host$ exit
user#host$ ./testdir/testfile
-bash: ./testdir/testfile: Permission denied
user#host$ ls testdir
ls: cannot open directory 'testdir': Permission denied
However, this is NOT a good practice in handling sensitive files.
It is very easy to misconfigure file permissions, so you should never rely on having a secure directory.
If someone accidentally changes the directory's permission to 0701 (others can execute), which seems like a fairly negligible change, everyone will be able to execute, read and write any file with 0777 permissions if they know its exact path.
Moreover, the scenario you described can happen only if:
A. The permissions on the directory are changed after the files are already there. In this case, you should simply use chmod -R o-rwx to remove permissions for other users.
B. The directory owner created the file after the directory was already configured, and then added permissions using chmod o+wx or something similar. Since new files created in a directory with 0700 permissions mask, have a default mask of 0644, and the only user that can access the directory is the owner, there is no other way. In this case, simply refrain from doing so.
Anyway, if you are interested in reading and understanding more about UIDs in Unix systems in general and Linux in specific, I wrote a comprehensive guide on the subject.
I am supposed to give write/edit permission to my directory in /var/lib/mysql/dbname via Linux.
I am unaware of backend UI and i know i just enetered the text "sudu so" # centos machine which displays :
[root#ip-10-0-0-61 centos]#
Can anyone tell how to proceed further as I have always been using WinScp which restricts me to write database files due to present set permissions.
Any user interface file manager that could do this would be really helpful too.
Thanks in advance
You can change files/folders permission with the chmod command. There's a man page here. The full command line to type depends on which permission you exactly need. A basic usage of the command is
chmod [ugoa][+-=][rwx] file
Where
[ugoa] allow you to choose whose permission you want to modify: the owner of the file (u), users member of the group of the file (g), any other users (o) and all users (a)
[+-=] allow you to tell the command if you want to add (+) the selected permissions, remove them (-) or set them as the only permissions of the file(=).
[rwx] allow you to choose the permission : read (r), write (w) or execute (x). There exist other type of permissions explained in the man.
To change the permission of a folder recursively, you can add the option -R to the command.
Very simple just execute the command
chmod 777 -R ./
This will do the trick for you.
There are two things to look at, setting permissions, and ownership.
To do this for an entire directory (be careful with this)
chmod -R {permissions} {directory}
If you're unsure what permissions to use check this guide
To set ownership, use
chown {user:group} {directory} -R
Again be careful with these settings. It's not often you'll want an entire directory full of files to all have the same permissions, and you could be opening yourself up to risks if you do so. Always be explicit and give each file the minimum permissions needed to get the job done.
Is it possible to have a bash script invoked with root permissions to run different commands with different privileges?
Right now i have a script which runs a C-program with root permissions and creates a folder and some files which i want to have non-root permissions. Looking at the man page i see that the mkdir command takes a permissions parameter but i was wondering whether there's a smarter way of doing this.
Have a look at the man pages for the chmod and chown commands. Depending on what you are trying to do, either one of these should be our solution.
If you want to change the directory ownership to a user/group other than root, use chown -R user:group [directory] to recursively change ownership. If you just want the permissions changed, but with root still in ownership then use chmod -R 754 [directory]; keep in mind you will need to alter the permissions to suit your needs.
When cding into one of my directories called openfire the following error is returned:
bash: cd: openfire: Permission denied
Is there any way around this?
#user812954's answer was quite helpful, except I had to do this this in two steps:
sudo su
cd directory
Then, to exit out of "super user" mode, just type exit.
Enter super user mode, and cd into the directory that you are not permissioned to go into. Sudo requires administrator password.
sudo su
cd directory
If it is a directory you own, grant yourself access to it:
chmod u+rx,go-w openfire
That grants you permission to use the directory and the files in it (x) and to list the files that are in it (r); it also denies group and others write permission on the directory, which is usually correct (though sometimes you may want to allow group to create files in your directory - but consider using the sticky bit on the directory if you do).
If it is someone else's directory, you'll probably need some help from the owner to change the permissions so that you can access it (or you'll need help from root to change the permissions for you).
chmod +x openfire worked for me. It adds execution permission to the openfire folder.
Alternatively, you can do:
sudo -s
cd directory
You've got several options:
Use a different user account, one with execute permissions on that directory.
Change the permissions on the directory to allow your user account execute permissions.
Either use chmod(1) to change the permissions or
Use the setfacl(1) command to add an access control list entry for your user account. (This also requires mounting the filesystem with the acl option; see mount(8) and fstab(5) for details on the mount parameter.)
It's impossible to suggest the correct approach without knowing more about the problem; why are the directory permissions set the way they are? Why do you need access to that directory?
I know this post is old, but what i had to do in the case of the above answers on Linux machine was:
sudo chmod +x directory
Unless you have sudo permissions to change it or its in your own usergroup/account you will not be able to get into it.
Check out man chmod in the terminal for more information about changing permissions of a directory.
I have been reading about Security of Design. I noticed a tip of lowest permission level. So I did the above code to my junk files. Unfortunately, the junk-folder seemed to contain some server files. A few sites become forbidden. The folder contained stuff such as "Mail", "dev" and "Public". The reason for junking them was that they are empty.
The files are located in a server of a CS-dept. There is no special CMS or anything like that. Before running 'chmod 644 some_files', I am promth to ask your opinion.
Why did the sites become forbidden? What are the lowest permission levels?
Lowest possible permission level is of course 000. But that wouldn't make much sense.
600 rw------- for private files
700 rwx------ for private directories
711 rwx--x--x for directories with public files, but without permission to list dir
644 rw-r--r-- for publicly readable files
755 rwxr-xr-x for publicly readable dirs
The web server usually runs as a different userid from "real" users. So you make it so that a "real" users files aren't readable by anybody else, and the web server can't read them. That's why 744 is a better permission set for files the web server needs to see.
Most likely the owner of the folders that are forbidden is another than the ones that are available. The user that runs the file or it's group must have read (and sometimes executable) permissions on the files/folder. Since you removed the read, write and executable privileges on the group and the world no one but the owner of the files will be able to run them.
TLDR:
Wrong owner of file/folder. chown to correct user.
Your problem: your user account does not have execute permissions for the rest of the world.
Solution:
You need to put the permissions 701 for your user folder. You can also set them to 711.
It is the folder which contains your public_html etc.
Then, check that your public_html has the permissions 755. Similarly, the contents should also be 755 in public_html.