Friday, October 9, 2009

Website Protection and Security Using File and Directory CHMOD

A variety of files and directories in your website need to be given the correct permissions to work properly. Giving permissions to files or directories in the Unix world is called CHMOD (change mode). Chmod is a Unix command that lets permission levels be assigned to each file or directory. The proper CHMOD is also needed to help you with your website protection and security. As you will see later in this document, you can use your FTP client to change the file permissions in order to protect your files.

Every file or folder in UNIX has access permissions. There are three types of permissions (what you are allowed to do with a file):

1) read access
2) write access
3) execute access

These specific permissions apply as follows:

The read permission grants the ability to read a file. When set for a directory, it grants the ability to read the names of the files in the directory (but not to find out any further information about them, such as file type, size, ownership or permissions).

The write permission grants the ability to modify a file. When set for a directory, it grants the ability to modify entries in the directory. This includes creating files, deleting files, and renaming files.

The execute permission grants the ability to execute a file. This permission must be set for executable binaries (for example, a compiled C++ program) or scripts (for example, a Perl program) in order to allow the operating system to run them. When set for a directory, it grants the ability to traverse the directory tree in order to access files or subdirectories, but not to see the files inside the directory (unless read is also set).

When a permission is not set, the rights it would grant are denied. Files created within a directory will not necessarily have the same permissions as that directory.

Access permissions on files and on folders mean different things from the user's standpoint. The differences are shown below:

Read Access For File:
On a regular file, the read permission bit means the file can be opened and read.
Read Access For Directory:
On a directory, the read permission means you can list the contents of the directory.

Write Access For File:
On a regular file, this means you can modify the file, that is, write new data to it or change its contents.
Write Access For Directory:
On a directory, the write permission means you can add, remove, and rename files in the directory. So if a file has the write permission bit, you are allowed to modify the file's contents, but you are allowed to rename or delete the file only if the permissions of the file's directory allow you to do so.

Execute Access For File:
On a regular file, this means you can execute the file as a program or a shell script.
Execute Access For Directory:
On a directory, the execute permission (also called the "search bit") allows you to access files in the directory and enter it, with the cd command, for example. Note, however, that although the execute bit lets you enter the directory, you are not allowed to list its contents unless you also have read permission on that directory.

Every file on your Linux system, including directories, is owned by a specific user and group. Therefore, file permissions are defined separately for users, groups, and others.

Permissions are defined for three types of users:
1) the owner of the file
2) the group that the owner belongs to
3) other users

User Type - USER(u):
The username of the person who owns the file. By default, the user who creates the file will become its owner.
User Type - GROUP(g):
The user group that owns the file. All users who belong to the group that owns the file have the same access permissions to the file. This is useful if, for example, you have a project that requires a number of different users to be able to access certain files while others cannot. In that case, you add all those users to the same group, make sure the required files are owned by that group, and set the files' group permissions accordingly.
User Type - OTHER(o):
A user who isn't the owner of the file and doesn't belong in the same group the file does. In other words, if you set a permission for the "other" category, it will affect everyone else by default. For this reason, people often talk about setting the "world" permission bit when they mean setting the permissions for "other."

The mode number consists of three octal digits, n1n2n3, representing the access allowed for yourself, for your group (other users set up on your account), and for everyone else. The value of each digit represents the type of access that is allowed.

Each digit in the mode parameter represents the permissions for a user or a class of users. The first digit corresponds to the owner of the file. The second digit corresponds to the file's group. The final digit corresponds to everybody else.

We can also say that the first digit, n1, on the left, stands for the owner of the file or directory. The middle digit, n2, represents the group who owns the file or directory. The last digit, n3, represents the rest of the world.

binary  octal  meaning
000     0      no permissions enabled
001     1      execute permission enabled
010     2      write permission enabled
011     3      write and execute are both enabled
100     4      read permission enabled
101     5      read and execute are both enabled
110     6      read and write are both enabled
111     7      read, write and execute are all enabled

We see from the above table that:

1) read is given a value of 4
2) write is given a value of 2
3) execute is given a value of 1

The mode is then worked out by adding the values together for each of the three classes of users.

For example, let us say the CHMOD is n1n2n3 = 755 (user/group/other); what does this mean?

i) user can read (4), write (2) and execute (1) : 4 + 2 + 1 = 7
ii) group can read (4) and execute (1) : 4 + 0 + 1 = 5
iii) others can read (4) and execute (1) : 4 + 0 + 1 = 5

If the group had the same permissions as the user then we would have 775.

Instead of numbers for the mode, we could also have letters as follows:

1) read = r (4)
2) write = w (2)
3) execute = x (1)
4) not enabled = - (0)

We can then make 755 = rwx r-x r-x
user = rwx
group = r-x
other = r-x

If we had 765 then this would be the same as rwx rw- r-x
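The octal-to-rwx conversion just described, as an added example that is not part of the original post: two small POSIX sh functions that turn a three-digit mode such as 755 into rwxr-xr-x using the 4/2/1 weights, and back again (the function names are my own).

```shell
# Added example: convert between a three-digit octal mode and its rwx form,
# user/group/other from left to right. Needs only a POSIX sh plus cut.

# Map one octal digit (0-7) to its three-character rwx triplet.
digit_to_rwx() {
    case "$1" in
        0) echo '---' ;;  1) echo '--x' ;;  2) echo '-w-' ;;  3) echo '-wx' ;;
        4) echo 'r--' ;;  5) echo 'r-x' ;;  6) echo 'rw-' ;;  7) echo 'rwx' ;;
        *) echo "bad octal digit: $1" >&2; return 1 ;;
    esac
}

# mode_to_symbolic 755 -> rwxr-xr-x
mode_to_symbolic() {
    mode=$1
    case "$mode" in
        [0-7][0-7][0-7]) ;;
        *) echo "mode must be three octal digits: $mode" >&2; return 1 ;;
    esac
    u=$(digit_to_rwx "${mode%??}")    # first digit: owner
    rest=${mode#?}
    g=$(digit_to_rwx "${rest%?}")     # second digit: group
    o=$(digit_to_rwx "${rest#?}")     # third digit: others
    echo "$u$g$o"
}

# rwx_to_digit r-x -> 5 : add 4 for r, 2 for w, 1 for x
rwx_to_digit() {
    t=$1; n=0
    case "$t" in r??) n=$((n + 4)) ;; esac
    case "$t" in ?w?) n=$((n + 2)) ;; esac
    case "$t" in ??x) n=$((n + 1)) ;; esac
    echo "$n"
}

# symbolic_to_mode rwxr-xr-x -> 755
symbolic_to_mode() {
    s=$1
    [ "${#s}" -eq 9 ] || { echo "need 9 characters: $s" >&2; return 1; }
    u=$(rwx_to_digit "$(printf '%s' "$s" | cut -c1-3)")
    g=$(rwx_to_digit "$(printf '%s' "$s" | cut -c4-6)")
    o=$(rwx_to_digit "$(printf '%s' "$s" | cut -c7-9)")
    echo "$u$g$o"
}
```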

You can also see users defined by letters as follows:

1) user = u
2) group = g
3) others = o
4) everybody = a

Usually, only the file owner can change permissions.

Although a shell prompt in a Unix-like environment can be used to do this, an FTP client is often used for such a task. Depending on the FTP client being used, CHMOD is usually available through the menus or by right-clicking a file or directory and choosing the chmod/properties option. To set the permissions, tick the boxes or enter the corresponding chmod number in the dialogue box.

For more information, you can visit the following:

On a web server, files are usually set to 644. This indicates that the file owner can read and write to the file, while everyone else can only read it. Directories are commonly set to 755. This indicates that the directory owner has full control, while everyone else can read and execute the files within it.

Most common file permissions:

Files: 644
Folders: 755 (with index page in it)
Images: 644
CGI scripts: 755
Php scripts: 644

By default, your public_html (or public) directory should be rwxr-xr-x (755).
With this setting, if a Web surfer connects to your domain, the server will display either your home page (if a file with the name index.html, index.htm, or index.shtml exists) or a listing of all the files in that directory.

Your other option for your public_html (or public) directory is rwx--x--x (711).
This permission setting will not show a file listing.
If there is no home page, the Web surfer will receive a "Forbidden" error message.

You should take care before setting files to CHMOD 777. This means that anyone can read, write, execute or search the file or directory. In this situation you are leaving your web pages open to the world and making it easy for people to hack your website.

As the owner, you need to read, write and execute the files.
As a group, certain web server applications or people need to read and execute your files.
As ‘others’, the whole world needs to read and execute your files.
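A way to check a web root for the 777-style settings warned about above and reset them to the 644/755 values the post recommends, as an added example that is not part of the original post (function names are my own; the demo tree is constructed in a temporary directory and assumes a POSIX sh with find, chmod and mktemp):

```shell
# Added example: audit a web tree for world-writable entries and harden them.
# "World-writable" means the write bit (2) is set in the last octal digit,
# e.g. 777, 666 or 757. find -perm -002 matches exactly that bit.

# Print every file or directory under $1 that is world-writable.
audit_world_writable() {
    find "$1" -perm -002 -print | sort
}

# Number of world-writable entries under $1, for before/after comparison.
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Reset only the world-writable entries to the post's recommended modes:
# directories to 755, files to 644. Files that were correctly 755 (CGI
# scripts) and not world-writable are left untouched.
harden_web_tree() {
    find "$1" -type d -perm -002 -exec chmod 755 {} +
    find "$1" -type f -perm -002 -exec chmod 644 {} +
}

# Build a small constructed public_html tree in a temp dir and print its path.
# Two entries are deliberately world-writable so the audit has something to find.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/cgi-bin" "$root/public_html/uploads"
    : > "$root/public_html/index.html"
    : > "$root/public_html/cgi-bin/form.cgi"
    : > "$root/public_html/uploads/photo.jpg"
    chmod 755 "$root/public_html" "$root/public_html/cgi-bin"
    chmod 644 "$root/public_html/index.html"
    chmod 755 "$root/public_html/cgi-bin/form.cgi"
    chmod 777 "$root/public_html/uploads"          # the risky setting
    chmod 666 "$root/public_html/uploads/photo.jpg" # world-writable file
    echo "$root"
}
```

Run `audit_world_writable /path/to/public_html` first and review the list before calling `harden_web_tree`, since any upload directory the web application genuinely writes to will need its own, narrower fix.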
