Permissions problems on Linux server
In the PHP world there are several ways to "run" a website, most of them using a web server such as Apache or Nginx. When handling files, permission problems sometimes occur that are not very clear; I will try to demystify some of them and show what they imply in terms of security.
Server type
It is common to see shared hosting used for sites / systems in PHP. We must be careful, because this type of hosting is usually very vulnerable if the user does not take the necessary precautions.
There are also VPS / dedicated servers where an isolated Linux instance runs, which gives the system / site a higher level of security.
1) Basic concept of permissions:
In Linux, there is a system of file and folder permissions designed to provide a secure environment shared by more than one user. Roughly speaking, in its numeric representation it is 3 digits which indicate by whom the file can be accessed, see an example:
765 arquivo1.txt
644 arquivo2.txt
The first digit shows us the owner permission, the second, the group permission and the third one, the general permission (other users).
In the first example, we have:
7 -> Owner has permission 7 (read, write and execute)
6 -> Group has permission 6 (read, write) but cannot execute like the owner
5 -> Other users have permission 5 (read and execute) but cannot change the contents.
This is a superficial explanation and may contain errors; understand it better by reading this link.
2) Running a web server on Linux
The web server does not run as root, i.e. it does not have global permissions on the system. In a default installation there is a dedicated user, usually called www-data, and a dedicated group with the same name.
When a page is requested, it is this user who reads, interprets and runs any command that the script requests.
If the folder / files of the site / system belong to the user www-data, then permission 700 is sufficient to read, write and execute, since the owner has full access (7) and the other users have no access.
If the user who owns the folder / project files is not the same as the user the web server runs as, we have to add permission on the second and third "digit".
Let's say that there is a user named foo, and it belongs to the group www-data; the site folder is owned by foo, with group www-data. Then we would have to give permission 770, so all members of the group have full access to the system / files.
Why does 777 work, anyway?
By giving chmod 777 you expose your files to any user of the system, so on a shared hosting any other user will be able to read your files, modify the content and even 'include' them via script.
Conclusions
- If you use shared hosting, 777 is a mistake you must never make.
- If you use a dedicated / VPS server, you should configure your files and folders to be owned by the same user the web server runs as; in debian / ubuntu that user is www-data, but it may be customised / vary in other distributions.
To change the owner of a folder and all internal files / folders (recursively):
chown -R user:group my_pasta_www
In the default case,
chown -R www-data:www-data my_pasta_www
In short, 777 never!
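As an added example (not part of the original answer), the script below audits a web root for the two problems described above: entries that other users can write to (the 777 case) and entries not owned by the expected user, then applies the owner-only permissions the answer recommends. It uses only chmod, so it runs as any user; the "site" it checks is a constructed throwaway directory, and 600 for files (instead of 700) is my assumption, since PHP scripts are read by the interpreter and do not need the execute bit.

```shell
#!/bin/sh
# Audit helpers for a web root (added example, not the original answer's code).

# List entries under $1 that "others" can write to (third digit 2, 3, 6 or 7).
world_writable() {
    find "$1" ! -type l -perm -002
}

# Number of world-writable entries under $1.
count_world_writable() {
    world_writable "$1" | wc -l | tr -d ' '
}

# List entries under $1 not owned by user $2 (e.g. www-data on debian / ubuntu).
not_owned_by() {
    find "$1" ! -user "$2"
}

# Apply the answer's advice: owner-only access, nothing for group and others.
# Assumption: 700 for folders, 600 for files (scripts need no execute bit).
lock_down() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Constructed fixture: a throwaway "site" with an uploads folder left at 777.
DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
mkdir "$DEMO_ROOT/uploads"
printf '<?php echo "hi";\n' > "$DEMO_ROOT/index.php"
printf 'db_password=constructed\n' > "$DEMO_ROOT/uploads/config.php"
chmod 644 "$DEMO_ROOT/index.php"
chmod 777 "$DEMO_ROOT/uploads" "$DEMO_ROOT/uploads/config.php"

BEFORE=$(count_world_writable "$DEMO_ROOT")   # 2: uploads/ and config.php
echo "world-writable before lock_down: $BEFORE"
world_writable "$DEMO_ROOT"
lock_down "$DEMO_ROOT"
AFTER=$(count_world_writable "$DEMO_ROOT")    # 0
echo "world-writable after lock_down: $AFTER"
# Ownership check against the current user; on a real server pass www-data.
FOREIGN=$(not_owned_by "$DEMO_ROOT" "$(id -un)")
echo "entries not owned by $(id -un): ${FOREIGN:-none}"
```

On a real server, run not_owned_by against www-data (or your distribution's web-server user) and fix the reported entries with the chown command from the answer.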