Chmod: Changing Permissions and Chmod Syntax

Today I would like to talk about file and folder permissions. This concept came to the world of webmastering from Linux (Unix-like) systems, on which most hosting runs.

The name Chmod itself is the name of a Linux program that assigns access rights to various objects. Since your site is hosted on a server running one variant or another of Linux (Unix), work with the objects of your website is subject to the rules established by that operating system.

In Windows, virtually all files are given maximum permissions, which in fact leads to the dominance of viruses on our computers and, in turn, keeps the owners of antivirus companies from going hungry. In Linux (Unix) systems things are different: everything is more complicated, but at the same time safer. If everything is set up correctly and with skill, you can significantly increase the security of your website.

Basic concepts of file and folder permissions

If you leave everything to chance and do not bother setting the necessary privileges, the probability of your resource being hacked or infected with malicious code will be very high. It is fine if you have backed up all your data, but what if you have not?!

Therefore, it is better to configure Chmod for all important objects in your engine right away, without delay, based on the principle of minimalism. That is, give objects the minimum rights necessary for the correct operation of the website.

Let's first get to the essence of the issue in order to understand what exactly we are configuring and how. Access rights are defined separately for files and for directories. They are written the same way, but mean slightly different things.

With respect to files, the following rights are possible:

  • r - the right to read data.
  • w - to change the content (writing means only changing the content, not deleting).
  • x - to execute the file.

Let's dwell a little more on the possibility of executing a file. In Linux any file can be executed. Whether it is executable is determined not by its extension (the concept of an extension is absent in the Unix file system) but by its Chmod access rights. If a file has the "x" execute right, it can be launched for execution.

For directories, the following rights are possible:

  1. r - the right to read the directory (you can read the contents of the directory, i.e. get a list of objects in it)
  2. w - to change the contents of the directory (you can create and delete objects in it, and if you have write permission, then you can delete even those files that do not belong to you)
  3. x - to enter a directory (it is always checked first, and even if you have all the necessary privileges on an object that is buried deep in the directory chain, but lack the "x" attribute on at least one directory on the path to that file, you will not get through to it)

In Linux systems, all of this is assigned by the main administrator of the computer, who gains access by entering a password. If most objects have read-only rights, there will be practically nothing for viruses to do on such a computer: they will be able neither to write themselves there nor to be executed afterwards. It is this result that we need to achieve by setting the necessary Chmod on the objects of our site.

Privileges for User Groups

The privileges themselves fall into three categories, depending on who is accessing the object:

  • "user" - u (directly the owner of the file)
  • "group" - g (member of the same group as the owner)
  • "world" - o (everyone else)

The server determines which user group you belong to when you connect to it. When you connect to a server via FTP, for example, you log in with your username (and password), and then the server assigns you to the "user" ("u") group.

Other users who also connect via FTP to the server will be assigned to the "group" ("g") group, and a visitor who comes to your website using his browser falls into the "world" ("o") group.

Combinations of the three possible values "r", "w" and "x" for the three categories "u", "g" and "o" define the chmod of a file. If a right is not set, it is replaced by a hyphen "-". Privileges are specified sequentially in the following order:

  1. first the rights for the owner - "u"
  2. then for the group - "g"
  3. and at the end - for everyone else - "o"

After the server assigns the visitor to a certain group, it grants him the rights to act on objects, after which the visitor will be able to read, write or execute the file (depending on what his group is allowed to do with this object).

To see the contents of a directory, it must have the read attribute "r" (for the group to which the server assigned the visitor). To create a file or folder inside an existing directory, that directory must have the write attribute "w".

For clarity, let's look at an example where the owner of the file ("user" - "u") has all the rights: to read it, write to it and execute it, and all other users have only the read privilege. Such a Chmod entry would look like this: "rwx r-- r--".

Let's consider it in detail: "rwx" (this entry sets the rights to the object for the owner - "u"), "r--" (this entry sets the rights to the same object if the visitor is assigned by the server to the group - "g"), "r--" (this entry sets the privileges on the object for all other users - "o").

What is the difference between file and folder permissions

It turns out that there are three groups of users and three possible actions on objects. Not confused yet? Let's lay out all of the above in tables. First, let's see how they differ:

And a table showing various Chmod combinations for different types of objects:

Nothing can be done

Access to the directory and its subdirectories is denied

Can see and edit content

You can add, delete, change the directory file

Run if file is binary

The user can execute a binary file that he knows exists, access or read the directory is prohibited

Chmod expressed in numbers (777, 400, 666, 755, 444)

You can see that Latin letters and hyphens are used here to describe access rights, but you have probably already noticed that Chmod is usually given numerically, for example the well-known combination 777, which allows everything to everyone.

Indeed, privileges are also indicated by numbers:

  1. r (read) is replaced by 4
  2. w (write) is replaced by 2
  3. x (execute) is replaced by 1
  4. 0 means no rights (what the hyphen indicates in the letter notation)

Let's go back to the example entry I gave a little earlier: rwx r-- r--. If we replace the letters and hyphens in it with numbers according to the rule just described, and add up the numbers in each triple, we get the numeric form of this entry: 744.

That is, the sum of these numbers expresses the Chmod of a file or folder. For example:

  • 7 (rwx) = 4 + 2 + 1 (full rights)
  • 5 (r-x) = 4 + 0 + 1 (read and execute)
  • 6 (rw-) = 4 + 2 + 0 (read and write)
  • 4 (r--) = 4 + 0 + 0 (read only)
  • etc.

This table lists all possible combinations of privileges, numerically recorded:

And now let's look at various combinations of entries in numbers, in relation to user groups:

[Table with the columns "Owner", "Group" and "Rest"]

You yourself (except when you access the site via FTP) and all other visitors to your resource belong to the "world" group (everyone else), so for work with the website we first need to look at the last (third) digit of this entry.

For a script file to be "run" when a user works with the site, it is enough for its rights to start from "4" (r-- - read only); 5, 6 and 7 are also suitable, but are redundant in terms of security.

For the directory in which the script file is located, you need to set at least "5" (r-x - you can enter the directory and read its contents, but cannot delete or add anything). 7 is also suitable, but it is likewise superfluous in terms of security.

If you need the script not only to read but also to "write" some data (for example, data entered by the visitor), then the minimum rights for the "folder" will still be "5", but for the "file" you will need "6" (read and write).

Most likely, on the server where you copied the contents of your site engine, the following Chmod will be set on objects:

If you had a resource consisting only of html pages, it would be possible to leave everything as it is. But modern sites are built on engines, and they may contain objects that need to be written to on behalf of visitors from the "world" group - o (everyone else). These can be directories used for caching pages, or directories into which pictures and the like are uploaded in the course of working with the site.

Of course, if you access the site via FTP, you will be able to write to these files or directories, but when working through the web interface as a normal user you may have problems. Therefore, rights must be set selectively:

for all directories in which files should be written, but do not need to be erased regularly

for folders in which files should be written and erased (for example, for the cache)

for simple files read-only (.html, .php, etc.)

for files that may need to be written to (for example, with .dat databases)

How to assign Chmod using PHP

How can all this be put into practice for your site? In principle, everything is simple. To assign access rights, you can:

But if Chmod cannot be changed on some files, you can try to assign it by means of PHP. You can use the following code:

You will need to replace file_name_x.php and directory_name_x with the real names of the files and folders whose rights you want to change. Accordingly, 666 will be set for files, and 777 for directories. Put this PHP code into a file using any text notepad (recommended) and give it a .php extension, for example prava.php.

Copy prava.php via FTP to the directory where access rights cannot be assigned by regular means. In the address bar of the browser, enter the path to prava.php and press "Start" or Enter on the keyboard. That's it, now the privileges will be changed by means of PHP.

For Joomla, immediately after installing it, you can set 777 to the following directories:

administrator/backups/
administrator/cache/
administrator/components/
administrator/modules/
administrator/templates/
cache/
components/
images/
images/banners/
images/stories/
language/
language/en-GB/
language/ru-RU/
media/
modules/
plugins/
plugins/content/
plugins/search/
plugins/system/
templates/

After you install all extensions for Joomla and make the final settings, the Chmod of most of the above directories should be returned to 755 to increase the security of the site. You will need to leave 777 for the directories with the cache, backups and pictures.

For engine files located in the root of the site, except for sitemap.xml, it is better to set 444 (read-only for all visitor groups). On setting.php, it is sometimes advised to even set 400.

I can give exactly the same advice about setting access rights to objects in the SMF and WordPress engines. It is desirable, if possible, to keep 755 on directories permanently (except for the cache, pictures and backup directories mentioned above, and maybe some others, as needed), and 644 on files.

It is better to put 444 on the files in the root of the site.

If, when working with the site, some settings cannot be written to a file or some directory cannot be created, you can temporarily set high rights on them (777, for example), and then return everything back (out of harm's way). And by no means leave unreasonably high Chmod in place for the sake of convenience when using the site.
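One way to check a site tree against the policy described above (755 for directories, 644 for files, 777 left only on the cache, backup and picture directories). This is an added example, not code from the original article; audit_webroot, mode_of and make_sample_tree are hypothetical names, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: report objects whose permissions exceed the policy in the text.

# First ten characters of `ls -ld`, e.g. drwxrwxrwx.
mode_of() { ls -ld "$1" | cut -c1-10; }

# audit_webroot ROOT [WRITABLE_DIR...]
# WRITABLE_DIR entries are paths relative to ROOT that may stay world-writable.
audit_webroot() {
    root=${1%/}; shift
    # -perm -0002 matches objects with the write bit set for "others";
    # symlinks are skipped because their own mode bits are not used.
    find "$root" ! -type l -perm -0002 | LC_ALL=C sort |
    while IFS= read -r path; do
        rel=${path#"$root"/}
        allowed=0
        for dir in "$@"; do
            if [ "$rel" = "$dir" ]; then allowed=1; fi
        done
        if [ "$allowed" -eq 0 ]; then
            printf 'world-writable %s %s\n' "$(mode_of "$path")" "$rel"
        fi
    done
    # Regular files only need to be readable, so any execute bit is reported.
    find "$root" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) |
    LC_ALL=C sort |
    while IFS= read -r path; do
        printf 'executable %s %s\n' "$(mode_of "$path")" "${path#"$root"/}"
    done
}

# Constructed sample: a tree in the state "777 everywhere right after install".
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/cache" "$t/images" "$t/components"
    echo '<?php' > "$t/index.php"
    echo 'data'  > "$t/data.dat"
    echo '<?php' > "$t/components/upload.php"
    chmod 777 "$t/cache" "$t/images" "$t/components"
    chmod 644 "$t/index.php"
    chmod 666 "$t/data.dat"
    chmod 755 "$t/components/upload.php"
    printf '%s\n' "$t"
}

# Demo: cache/ and images/ are allowed to stay writable, everything else is not.
demo=$(make_sample_tree)
audit_webroot "$demo" cache images
rm -rf "$demo"
```

An empty report means nothing outside the listed directories is writable by "others" and no regular file carries an execute bit.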


The chmod command allows you to set permission to read, write and execute your file. Because the UNIX operating system is multi-user, you usually do not work alone on the file system. Users of the system can access various directories and read files belonging to other users as long as there is permission to do so.

If you are the owner of a file, you can decide who has the right to read the file, write to it and, if it is a program, execute it. You can also restrict directory access rights. When you grant access to a directory, you allow the user to change into it with cd and list its contents with the ls command. The following characters are used to indicate access rights:

To indicate which user has these access rights, the following characters are used:

When you create a file or directory, the system automatically grants or denies access to you, the members of your group, and all users of the system. You can change this automatic granting of rights (see section 9). In addition, regardless of what rights are granted when a file is created, you, as the owner of the file or directory, can change them.

3.10.6.1. How to determine rights

You can determine the permissions for a file or directory using the ls -l command. For example, if you are in the startship/bin directory, and you type ls -l, you will get the following information:

$ ls -l
total 35
-rwxr-xr-x 1 startship project 9346 Nov 1 08:06 display
-rw-r--r-- 1 startship project 6428 Dec 2 10:26 list
drwxr-x--x 2 startship project 32 Nov 8 15:32 tools
$

The left side of the screen displays the permissions for the display and list files and the tools directory:

-rwxr-xr-x for the display file
-rw-r--r-- for the list file
drwxr-x--x for the tools directory

The first character describes the file type (for example, the "-" character indicates an ordinary file, the "d" character indicates a directory). The next nine characters describe the permissions. The first three characters of the nine set permissions for the owner, the second three for the group, the third for all users. Each set of the characters r, w, x shows the currently set permissions for the corresponding user category. If there is a "-" instead of a letter, the corresponding right is absent.

There are two exceptions. Occasionally the letters l or s may appear in the string instead of r, w or x. The letter s represents a special right to execute a file. It appears in the place where the letter r usually appears in the sets for the owner or for the user group. It matters only to programmers and system programmers. The letter l indicates that locking will occur when the file is accessed. This does not mean that the file is protected.

3.10.6.2. How to change existing permissions

You can change existing permissions with the chmod command.

Command syntax:

chmod who+permission file(s)
or
chmod who-permission file(s)
where:
chmod - the program name;
who - one of three user groups:
u - owner;
g - group;
o - all users;
"+" or "-" - granting or removing the right;
permission - one of three rights:
r - the right to read;
w - the right to write;
x - the right to execute;
file(s) - name of the file(s) or directory; the file is assumed to be in the current directory, otherwise you must specify the full path name.

Note. The chmod command will not run if you put a space between "who", "+", "-", and "right".

The following examples show several ways to use the chmod command. As the owner of display, you can read the file, write to it, and execute the file. You can protect a file from accidental modification. To do this, enter the following command line:

chmod u-w display

After you get a prompt, enter the command ls -l to check how the permissions have changed. The screen will look like this:

$ chmod u-w display
$ ls -l
total 35
-r-xr-xr-x 1 startship project 9346 Nov 1 08:06 display
-rw-r--r-- 1 startship project 6428 Dec 2 10:26 list
drwxr-x--x 2 startship project 32 Nov 8 15:32 tools
$

As you can see, the owner's write permission on the file has been removed. You will not be able to modify this file until write permission is restored.

Now let's turn to another example. Your group and all other users of the system do not have write permission to the display file. However, they are granted the right to read it. This means that they can copy the file into their own directory and then make changes to it. To prevent this, you must revoke the read right. To do this, enter the command:

chmod go-r display

where g and o denote the group and all users of the system;
-r prohibits reading or copying the file.

Enter the ls -l command to check the result. The screen will look like this:

$ chmod go-r display
$ ls -l
total 35
-rwx--x--x 1 startship project 9346 Nov 1 08:06 display
-rw-r--r-- 1 startship project 6428 Dec 2 10:26 list
drwxr-x--x 2 startship project 32 Nov 8 15:32 tools
$

You can use the chmod command to grant or deny permission to directories as well as files.

For example, suppose you have given permission to read the directory to yourself (u), members of your group (g), and all users of the system. Each user with access to the system will then have the right to read the names of the files contained in this directory by issuing the ls -l command. Similarly, granting write access allows users to create new files in the directory and delete existing files in it. Granting execute permission on a directory allows the designated users to change to that directory (and make it their current directory) using the cd command.

3.10.6.3. Alternative method

There are two methods by which the chmod command can be executed. The method described above, in which the symbols r, w, and x are used to indicate the right, is called the symbolic method.

An alternative method is the octal method. Its format requires you to specify permissions using three octal digits (from 0 to 7).

For those who are looking for a fast way to change the access rights of files and folders in bulk with a couple of commands:

cd /var/www/site
find ./ -type f -exec chmod 0644 {} \;
find ./ -type d -exec chmod 0755 {} \;

What is chmod

This is a UNIX utility with which you can quickly change, from the console, the access rights of specified files for the owner, the group and the other categories of users.

Why Use Chmod

On UNIX systems - FreeBSD, Ubuntu, Debian, Centos - each file and folder (directory) has its own access rights. This was done in order to differentiate access rights for reading (r, read), writing (w, write) and execution (x, execute) for different users: owners (u), users belonging to the owner's group (g) and others (o).
For example, if you use hosting, you should know that your site is physically located on the same server next to many other sites belonging to users just like you. So that you cannot interfere with each other, each directory with sites has its own owner and user group to which it belongs.
On shared hosting, professional system administrators take care of this for you. If you have your own VDS / VPS server, then you simply have to maintain the prescribed file access rights yourself. For example, if an attacker uses a vulnerability on a site to write a backdoor to the file upload directory, then with correctly defined access rights he will not be able to cause much harm to the file system. Of course, the execution of scripts must be forcibly disabled in the upload directory, but this is a topic for another conversation.

Syntax

chmod [-Rvf] [Access rules] [File/Files/Directory, file directory]

The [Access Rules] part can contain either numeric or symbolic values.
[File/Files/File directory] — path to a file, files or directory of files, absolute or relative.

Switches -R, -v, -f

  • -R
    Recursively change permissions for a directory and nested files and subdirectories
  • -v
    Detailed description of applying a change of access rights or impossibility of this action
  • -f
    Do not give an error message for those files and directories for which it is impossible to change permissions

Chmod access rules

As you already know, access rights determine how the user can interact with files and directories, namely r - read, w - write, x - execute.
You also know that these rights have to be spelled out for three groups of users:

  1. The owner of a file or directory;
  2. Users in the owner's group;
  3. Rest.

Now let's look at the rights definition table:

That is, in order to write the rule "give read and write access to the owner, give read-only permissions to the rest", we must give the permission (rw-r--r--).

Now pay attention to the Character and Octal column. It shows that what looks symbolically like (rw-r--r--) looks like (644) in octal. This expression will be used as the numeric entry in the command.

Now it remains to put everything together in one command. For example, let's change the access rights of the index.php file "to give everyone the right to read, and the owner the right to change the contents":

chmod -v 644 index.php

How to Check Chmod Permissions

ls -ld index.php

where index.php is the file or directory to check.

An example of the correct use of Chmod

The default access rules are 755 for directories and 644 for files. Therefore, in the vast majority of cases, you will only need these rights.

The chmod command (Change MODE) has a very specific syntax. Syntax in general:
but what characterizes it is that the mode change can take different forms. It can be specified in two ways:

  1. as an octal number. Owner permissions then correspond to numbers in the form 00 , where it corresponds to the assigned permission: 4 for reading, 2 for writing, and 1 for executing. Similarly, the permissions for the owner group become 0 , and the permissions for "others" become . Then all you have to do is add up the assigned permissions to get the desired mode. So, permissions rwxr-xr-- correspond to 400+200+100 (owner permissions, rwx) +40+10 (group permissions, r-x) +4 (other permissions, r--) = 754; thus, permissions are expressed in absolute terms. This means that previous permissions are unconditionally replaced;
  2. using expressions. In this case, permissions are expressed as a sequence of expressions separated by commas. An expression has the form: [category]<+|-|=><permissions>.
Examples:
  • chmod -R o-w /shared/docs: Recursively removes write permission for others from all files and subdirectories in the /shared/docs/ directory.
  • chmod -R og-w,o-x private/: recursively removes write permission for group and others from the entire private/ directory, and removes execute permission for others.
  • chmod -c 644 misc/file*: changes the permissions of all files in the misc/ directory whose names begin with file to rw-r--r-- (i.e. read permission for everyone and write permission only for the owner), and only reports those files that were affected by the command.
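The digit arithmetic described above (4 for read, 2 for write, 1 for execute, summed per category, as in rwx r-- r-- = 744 and rwxr-xr-- = 754) can be checked mechanically in both directions. This is an added example, not code from the original page; sym_to_octal and octal_to_sym are hypothetical names.

```shell
#!/bin/sh
# Added example: convert between the symbolic and octal forms of a mode.

# sym_to_octal "rwxr-xr--" prints 754. The 10-character form shown by
# `ls -l` (with the leading file-type character) is accepted as well.
sym_to_octal() {
    sym=$1
    if [ "${#sym}" -eq 10 ]; then sym=${sym#?}; fi
    if [ "${#sym}" -ne 9 ]; then
        echo "expected 9 permission characters" >&2; return 1
    fi
    out="" pos=0 digit=0
    while [ -n "$sym" ]; do
        c=${sym%"${sym#?}"}          # first remaining character
        sym=${sym#?}
        # Each letter is valid only in its own slot: r, then w, then x.
        case "$((pos % 3))$c" in
            0r) digit=$((digit + 4)) ;;
            1w) digit=$((digit + 2)) ;;
            2x) digit=$((digit + 1)) ;;
            [012]-) ;;
            *) echo "unexpected '$c' at position $pos" >&2; return 1 ;;
        esac
        pos=$((pos + 1))
        # A triple is complete: emit its digit and start the next category.
        if [ $((pos % 3)) -eq 0 ]; then out="$out$digit"; digit=0; fi
    done
    printf '%s\n' "$out"
}

# octal_to_sym 644 prints rw-r--r--. A leading zero (0644) is accepted.
octal_to_sym() {
    mode=$1
    case "$mode" in
        [0-7][0-7][0-7]) ;;
        0[0-7][0-7][0-7]) mode=${mode#0} ;;
        *) echo "expected three octal digits" >&2; return 1 ;;
    esac
    out=""
    while [ -n "$mode" ]; do
        d=${mode%"${mode#?}"}
        mode=${mode#?}
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# The two entries worked through in the text.
sym_to_octal "rwxr--r--"
sym_to_octal "rwxr-xr--"
octal_to_sym 644
```

Strings containing the special letters s or l are rejected rather than guessed at, since they do not fit the three-digit form.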

The following example shows how to allow all users to read, modify, and save a file. To do this, you need to change the permissions of the "others" group.
Type on the command line:
ls -l example1.txt
The following information will be displayed:
-rw-rw-r-- 1 user user 42 Mar 24 22:07 example1.txt
Now enter the following command:
chmod o+w example1.txt
The o+w command means that you give "others", denoted by the letter "o", write permission to the file example1.txt. To see what the execution of the specified command resulted in, let's look at the file again:
-rw-rw-rw- 1 user user 42 Mar 24 22:09 example1.txt
Now everyone can read and write to the file.
To disable reading and writing to example1.txt, use the chmod command.
chmod go-rw example1.txt
The go-rw command tells the system that you want to prevent the group and "others" from reading and writing to the file example1.txt.
As a result, the permissions will look like this:
-rw------- 1 user user 42 Mar 24 22:10 example1.txt
The above classes and rights are shorthand for the corresponding English words, so they are easy to remember: all you need to remember is a few characters and letters.
Here is a list of what these abbreviations stand for:

Classes
  • u - the user who is the owner of the file (from the English "user");
  • g - the group to which the user belongs (from the English "group");
  • o - the rest (not the owner and not the owner group, from the English "others");
  • a - all (u, g and o, from the English "all").

Permissions
  • r - the right to read;
  • w - the right to write;
  • x - the right to execute.

Actions
  • + - gives the right;
  • - - takes away the right;
  • = - leaves only this right.

Do you want to test your knowledge? Remove all rights to the example1.txt file from all users.
chmod a-rwx example1.txt
Now check whether you can read the file with the command cat example1.txt. You should see the following:
cat: example1.txt: Permission denied
By revoking all permissions, including your own, you have denied access to the file. But since the file belongs to you, you can always return the rights with the following command:
chmod u+rw example1.txt
To make sure you can read this file, use the cat example1.txt command.
Here are some examples of using the chmod command:

  • g+w - gives the owning group write permission;
  • o-rwx - takes away all rights from other users;
  • u+x - gives the owner the right to execute the file;
  • a+rw - allows anyone to read and write to a file;
  • ug+r - allows the owner and group to read the file;
  • g=rx - allows the group to read and execute the file (not write to it).

The -R option allows you to change permissions for the entire directory tree.
Since directories cannot be "executed" as applications, adding or removing the appropriate right means allowing (or disallowing) viewing the directory.
For example, if you prevent other users from executing the docs/ directory, it doesn't matter who has read and write permissions. No one will be able to access the contents of a directory unless they know the exact name of the file it contains.
Type, for example:
chmod a-x docs
to revoke execute permission from all users.
If you now try to change the directory with cd docs, you will get a failure:
bash: docs: Permission denied
Reclaim permissions for yourself and your group:
chmod ug+x docs
If you now check the results of your actions with the ls -l command, you will see that only other users are denied access to the docs/ directory.