Can someone explain a bit about Unix folder permissions and safety?

Why would I change folder permissions to 755 or 777 for example?

I read that it means read, write and execute, but what I want to know is: can anyone steal PHP code depending on these permissions?

Thank you.


Each file or folder has a user owner, and a group owner. Doing ls -l on a file will show who the current owners are. The "owner" is some user from /etc/passwd, the group is some group from /etc/groups and other represents everything else.

The three digits in the permission number represent the permissions for the user, group and "other".

So 755 means:

user=7
group=5
other=5

A file can have read permissions, write permissions and execute permissions.

Read=4 Write=2 execute=1

They are essentially what they sound like: read allows you to read the contents of a file, write allows you to edit the file. Execute is needed to run scripts and, in the case of folders, allows access into them.

By adding them up you get the permission number. In the case of 755:

User: read(4)+write(2)+execute(1)= 7
Group: read(4)+execute(1)=5
Other: read(4)+execute(1)=5

You need to give 755 on a folder because an internet user coming to your site will fall into the "other" category, and in order to access a folder on your server (and any scripts inside that folder) they need to be able to go into that folder, so they need the execute permission.

777 is usually not a good idea at all. Think of it this way: would you want any other user to have the ability to edit something on your server?

There is a lot more to learn about permissions, check out this link for more info.

As for stealing PHP code: your web server should automatically serve any file with the handle .php as a PHP script and not display the PHP to a user. However, if you name your script anything that is not handled by your web server, then it will be displayed as text if your web server's user has permission to read it.

If you are talking about internal users stealing code via a terminal, then you can remove read permissions from anyone other than your web server.


755 is octal for 111-101-101 in binary, which means...

User    | Group   | Others
==========================
Read    | Read    | Read
Write   | -       | -
Execute | Execute | Execute

So only the user can write to this file. 777 allows user, group and others to write to this file, which is generally too unrestricted.
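The two answers above both do the same arithmetic by hand: each digit of a mode such as 755 is the sum of read=4, write=2, execute=1, which is why 755 is 111 101 101 in binary. The script below is an added example (not code from either answer) that performs that decoding and encoding, renders the User | Group | Others table the second answer draws, flags the two things the first answer warns about (a world-writable 777 mode, and a directory that "other" cannot enter because it lacks the execute bit), and then applies the modes to a scratch directory with os.chmod and reads them back from the filesystem. It uses only the Python standard library; the directory it creates is a temporary one of its own.

```python
"""Decode, encode and verify Unix mode digits as described in the answers above.

Added example, not part of the original thread. Standard library only."""
import os
import stat
import tempfile

CLASSES = ("user", "group", "other")
BITS = (("read", 4), ("write", 2), ("execute", 1))


def decode_mode(octal_str):
    """Turn three mode digits like "755" into {class: set of permissions}.

    Each digit is the sum read=4 + write=2 + execute=1, so testing each bit
    recovers the permission (755 -> 111 101 101 in binary)."""
    if len(octal_str) != 3 or any(c not in "01234567" for c in octal_str):
        raise ValueError("expected three octal digits, e.g. 755")
    result = {}
    for cls, digit in zip(CLASSES, octal_str):
        d = int(digit)
        result[cls] = {name for name, bit in BITS if d & bit}
    return result


def encode_mode(perms):
    """Inverse of decode_mode: add up 4/2/1 per class to get the digits."""
    return "".join(
        str(sum(bit for name, bit in BITS if name in perms[cls])) for cls in CLASSES
    )


def permission_table(octal_str):
    """Render the User | Group | Others table from the second answer."""
    perms = decode_mode(octal_str)
    rows = ["User    | Group   | Others", "=" * 26]
    for name, _ in BITS:
        cells = [name.capitalize() if name in perms[c] else "-" for c in CLASSES]
        rows.append(f"{cells[0]:<7} | {cells[1]:<7} | {cells[2]}")
    return "\n".join(rows)


def is_world_writable(octal_str):
    """777-style modes: any local user can change the file."""
    return "write" in decode_mode(octal_str)["other"]


def other_can_traverse(octal_str):
    """For a directory, 'other' (the web server, when it runs as a different
    user) needs the execute bit to enter it and reach the files inside."""
    return "execute" in decode_mode(octal_str)["other"]


def observed_mode(path):
    """Read the mode back from the filesystem as three octal digits,
    the same digits `ls -l` or `stat` would show."""
    return format(stat.S_IMODE(os.stat(path).st_mode), "03o")


def demo():
    """Create a scratch directory, chmod it 755 then 777, read both back."""
    with tempfile.TemporaryDirectory() as root:
        d = os.path.join(root, "htdocs")
        os.mkdir(d)
        os.chmod(d, 0o755)
        before = observed_mode(d)
        os.chmod(d, 0o777)
        after = observed_mode(d)
    return before, after


if __name__ == "__main__":
    print(permission_table("755"))
    print("755 world-writable?", is_world_writable("755"))
    print("777 world-writable?", is_world_writable("777"))
    print("modes read back:", demo())
```

Running it prints the same table as the second answer for 755 and shows that the digits written with chmod are exactly the digits read back with stat; `other_can_traverse("750")` is false, which is the case the first answer describes where a visitor's request cannot reach anything inside the folder.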


Of course - if they can read it, then they can "see it".

There are a few ways that applications secure their code. This is all application specific, and any in-depth treatment should be referred to the application coders.

  • Filesystem Permissions

It's easy to just say "no one can see these files". However you will need at least your web server to be able to read the files, and, well, serve them. php can be executed by the web server, so it'll need permission 7. Assuming you are logged in as the user that the web server is running under, you get the 7 of the 755.

Other folks have to be able to determine what file that they want, so they need to be able to see them. They also (depending on the app) might need to be able to read the file, so the web server can process it.

  • Code level protection

PHP code can be viewed by several methods. In the old school days, you had to put a die() command somewhere in the page, so if folks were getting to it by spelunking rather than as they should be, no naughty bits would be displayed.

Either by building this into the code, by setting up the web server to do this, or by doing both you can keep unwanted eyes out.

  • Application level protection

Any code can be compromised, so keeping bad users out and keeping good users in the places that they should be is very important.
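The concrete source-disclosure case raised in the first answer's closing paragraphs and in the "Filesystem Permissions" point above is a file that contains PHP but carries a name the web server does not hand to the PHP interpreter (an editor backup such as index.php.bak, or an .inc include file): the server serves it verbatim if it can read it. The script below is an added example, not code from any of the answers, that walks a document root and lists such files. It assumes the server maps only the extensions in PHP_HANDLED to PHP, and that the server runs as a user who is neither the owner nor in the group of the files, so the "other" read bit decides whether it can read them; both are assumptions, not facts from the thread. The sample tree it scans is constructed inside a temporary directory.

```python
"""List PHP source a web server would hand out as plain text.

Added example, not from the original thread. Assumes (a) only PHP_HANDLED
extensions reach the PHP interpreter and (b) the web server user is neither
owner nor group member, so the 'other' read bit governs access."""
import os
import stat
import tempfile

PHP_HANDLED = {".php", ".phtml"}  # assumption: the server's PHP handler mapping


def looks_like_php(path):
    """Cheap content check: does the file start with a PHP open tag?"""
    try:
        with open(path, "rb") as f:
            return f.read(64).lstrip().startswith(b"<?php")
    except OSError:
        return False


def other_readable(path):
    """True when the 'other' class has the read bit (the last mode digit has 4)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def find_exposed_sources(docroot, handled=PHP_HANDLED):
    """Return relative paths of files that contain PHP code, are not mapped
    to the interpreter by extension, and are readable by 'other'. Those
    would be served as text, source and all."""
    exposed = []
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            _, ext = os.path.splitext(name)
            if ext.lower() in handled:
                continue
            if looks_like_php(path) and other_readable(path):
                exposed.append(os.path.relpath(path, docroot))
    return sorted(exposed)


def build_sample_docroot(root):
    """Constructed sample tree: a proper script, an editor backup, an include
    file, a backup already locked down to 600, and an ordinary text file."""
    files = {
        "index.php": (b"<?php echo 'hi';", 0o644),
        "index.php.bak": (b"<?php $db_pass = 'secret';", 0o644),
        "lib/config.inc": (b"<?php $db_pass = 'secret';", 0o644),
        "lib/old.php~": (b"<?php $db_pass = 'secret';", 0o600),
        "readme.txt": (b"plain text", 0o644),
    }
    for rel, (content, mode) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, mode)  # explicit chmod, so the umask does not interfere


def demo():
    """Build the sample tree in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        return find_exposed_sources(root)


if __name__ == "__main__":
    for rel in demo():
        print("would be served as text:", rel)
```

On the sample tree only index.php.bak and lib/config.inc are reported: index.php is handled by the interpreter, readme.txt is not PHP, and lib/old.php~ contains PHP but its 600 mode removes the "other" read bit, which is the fix the first answer recommends when the interpreter mapping alone is not enough. Against a real document root, call `find_exposed_sources("/var/www/html")` with the handler set adjusted to the server's actual configuration.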