Apache CHMOD default permissions?

Status
Not open for further replies.

Hondy

Technical User
Mar 3, 2003
864
GB
Hi

I need to make sure my public Apache document root has the correct permissions. It's a straightforward PHP brochure site webserver with a couple of submission forms.

From DocumentRoot what should the default permissions be on the root directory, subdirectory and files?

For example, would all these be a uniform 755 for normal access? Or do you specifically set some? Are all internet users going to be "o" (others), and do they need execute or just read?

Currently the owner is root which has (rwx), the group is an internal admin group with 2 members which has (rwx) and the other currently has (r_x), these permissions are linear from the document root.

\
\index.php
\.htaccess
\subdir1\
\subdir1\index2.php
\subdir1\form1.php

So before I put it on the internet, is there a standard way to assign the permissions to stop internet users being able to do things they shouldn't be able to?

Cheers

ex-IIS person :)
 
I suspect the securest options are as follows

Owner: <admin user> //user responsible for uploading pages - not root
Group: apache //the apache group; some distros use nobody

permissions 750

This allows the administrator to change pages and apache to read them, but blocks access from anyone else.

I am sure the experts here will have some suggestions as well.
 
Ah I see, so you are giving "others" no access, and the public access is via an "apache_group" or some such name, but ultimately the apache group has r_x?

Is my way wrong then using "others" for the access? I wanted to have a group of people that could modify the files rather than just the owner, is that the wrong way to do it?
 
The standard is for directories to be set at 755 and files to 644. Mind you, these are system permissions and have nothing to do with website visitors. The system sees these files being accessed by user apache. So if ownership of those files and directories is user joe and group joe, then apache can only do what is allowed by the value set for 'others'. You can use php and mysql to create a user database; that way you can use cookies, sessions and authentication to control access to a particular area. It is never a good idea to allow a script of any kind to share the same permissions at the system level as 'owner'. Specify a directory and set permissions for those files and sub-directories only.
 
OK, but assuming all internet users have the same permissions, is "others" the correct level to use, assuming that User + Group are known users on the internal network?

Is "others" in Linux the same as "everyone" in Windows? And what is it that defines the web user's username?

Cheers
 
The system (linux) is unaware of the users coming to any particular website. It only has information provided in the header such as user agent and ip address. Other information is gleaned from this. For example, the language you prefer or your location. That is how ads can be displayed on websites aimed at your particular location like "Meet single girls in Pondunk". The information that is not there is that telling if the visitor is a system user. You may already know most of this but based on your question it seems there is a little confusion about chmod and file permissions. These are not to be confused with apache's permissions. They are unrelated and have nothing to do with each other. There are no files, programs or scripts of any kind on a unix/linux system that don't need permission saying who can do what and where they can do it. Let's say your system has a user hondy. This user is automatically assigned to the group hondy when the account is created with the home directory /home/hondy. All files in that directory and its sub-directories are owned by user hondy and group hondy. Let's say you want a few people to have more than the standard read-only permissions. You would add them to the group hondy and set the group bit for a file or directory to whatever permissions you want them to have. To set the permissions, you use chmod. There are three basic permissions: read, write and execute. You can take away or give permissions using the +r-x stuff but I find it easier using numbers. For example, read has a value of 4. Write has a value of 2 and execute has a value of 1. Now you simply add the values of the permissions you want. I'll try to make a table to show you how that works.


|         | Owner | Group | World |
| Read    |   X   |   X   |   X   |
| Write   |   X   |       |       |
| Execute |   X   |   X   |   X   |
-----------------------------------
|         |   7   |   5   |   5   |
This gives all permissions to owner but only read and execute to both group and world (other). If you wanted group to be able to also write to the file, you would change it to 775. A quick note about the execute bit. This is for shell scripts and binaries. If you set the execute bit on a standard text file, you could get some errors. Apache does not execute html or php scripts. These are client side which means it's all handled on the browser end. This means apache only has to be able to read them. Cgi scripts are different however. Apache needs to know which files to parse as scripts. The easiest way is to put all your scripts in the cgi-bin directory. There is a ScriptAlias directive in httpd.conf that tells apache to parse everything in that directory as a script and pretend (the Alias part) that /cgi-bin is off the DocumentRoot. If you must use a script outside of the /cgi-bin, then you would use the ExecCGI directive in that directory's directory container. I hope I didn't add to the confusion, but if you can be more specific on what exactly you want to do, I'm sure there is an easy way to go about it.
 
Hi rhythmace, that kinda reinforces what I thought regards CHMOD - so assuming all the folders and files have R for "others" I should be good.

So what's the difference between Apache permissions and File System permissions? Where do I set the Apache permissions?

Cheers
 
Any script or program that needs to access or manipulate files on the system must be a user on that system. Hence, apache is a user just as hondy is. The only difference is that apache does not have a login account with a password. In most cases apache must have at least read permissions within its webspace. Each website belongs to a particular user. That user logs in to their ftp or telnet/ssh account to manage their webspace. The ownership of this webspace belongs to this user. When someone browses to that website apache needs to be able to read the file so it can serve it. That is why only the read bit is set for web pages i.e. 644. The owner can read and write to the file but group and others can only read. Note that the execute bit is not set. Now let's say you have a website that allows users to upload pictures. The webmaster or owner of the website's files needs to create a directory that apache can write to. Remember the system sees apache as another user (neither owner nor group). So 'other' needs to be set to 6. Many scripts tell you to set these directories to 666 but some folks don't feel comfortable with that number so they set it to 777. So if apache has access to every website's files, how do you control access to those directories? That is what directory containers do in httpd.conf and vhosts.conf. The main purpose for these containers is to tell apache who can do what in each directory. These are apache's permissions. You can control access to a directory by allowing only a specific type of browser or ip address. You can allow access only if they are coming from a particular network or web page. This comes in handy if you have a page that authenticates users. After they enter a valid username and password, they are sent to a directory that requires they come from that page. This prevents visitors from typing that url directly into their browser. It also means you don't have to have a .htaccess file in each restricted directory.
The scope of the permissions that apache has for each of its websites is controlled by the DocumentRoot directives of each virtual server (vhost). Apache sees the DocumentRoot as '/' for each vhost and cannot go above it in the file system.
 
"The system sees these files being accessed by user apache." True, assuming your server is running in Apache API mode. If it is in CGI mode, which I HIGHLY recommend, then the system sees and only allows the files to be accessed by the owner of the files. As pointed out before, the standard is 755 for dirs and 644 for files (.php) not required execute permissions such as perl scripts. Keep in mind though that on many webservers, such as ones running cpanel, your "public_html" folder needs to be 750 and be owned by the user, but in the nobody group. Each server is different. If your php files are 644 and do not incorporate code that allows code injection, then you won't have any problems. If you have world writeable directories and allow file uploading, at a minimum you need to use CGI mode so that when (not if, when) you get attacked, you will know what site the attack came from.

Remember, in Apache API mode, any script on the server can write to any 777 dir. In CGI mode, a script may only write to 777 dirs that it owns. The point is that if you have a server with 200 virtual sites, in Apache mode, it's near impossible to find the offending script. In CGI mode, you know it originated from the site where you found the problem.

Hope that helps.
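
Added example, not part of the thread: a shell audit of a document root against the 755/644 convention mentioned in the replies above (or another policy such as 750/640, passed as arguments), which also flags anything writable by "others". The function names and the constructed sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a document root against an
# expected permission policy. Function names and the sample tree are
# assumptions made for illustration.

# audit_docroot DIR [DIRMODE] [FILEMODE]
# Prints one finding per line; defaults are the 755/644 convention.
audit_docroot() {
    root=$1; dmode=${2:-755}; fmode=${3:-644}
    # Directories whose mode is not exactly DIRMODE
    find "$root" -type d ! -perm "$dmode" | sed "s|^|DIR-NOT-$dmode |"
    # Regular files whose mode is not exactly FILEMODE
    find "$root" -type f ! -perm "$fmode" | sed "s|^|FILE-NOT-$fmode |"
    # Anything writable by "others", whatever the policy says
    find "$root" \( -type d -o -type f \) -perm -002 | sed 's|^|WORLD-WRITABLE |'
}

# count_findings DIR [DIRMODE] [FILEMODE] -> number of findings on stdout
count_findings() {
    audit_docroot "$@" | wc -l | tr -d ' '
}

# normalize_docroot DIR [DIRMODE] [FILEMODE]
# Applies the policy to every directory and file under DIR. Directories that
# must stay writable (e.g. an upload directory) need re-adjusting afterwards.
normalize_docroot() {
    root=$1; dmode=${2:-755}; fmode=${3:-644}
    find "$root" -type d -exec chmod "$dmode" {} +
    find "$root" -type f -exec chmod "$fmode" {} +
}

# Constructed sample tree mirroring the layout in the question.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir "$d/subdir1"
    : > "$d/index.php"; : > "$d/.htaccess"
    : > "$d/subdir1/index2.php"; : > "$d/subdir1/form1.php"
    chmod 755 "$d" "$d/subdir1"
    chmod 644 "$d/index.php" "$d/.htaccess" "$d/subdir1/index2.php"
    chmod 666 "$d/subdir1/form1.php"   # deliberately world-writable
    echo "$d"
}
```

Source the file and run `audit_docroot` on the real DocumentRoot path; an empty result means every directory and file matches the chosen policy.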
 
Hmm, I'm not using any CGI scripts, does this still apply?
 