File permissions

edited March 2013 in Miscellaneous

I'm curious why elefant uses 755 permissions for html, php, jpg, css, etc. files. Wouldn't 644 be safer without losing any functionality? Any reason not to find -type f -exec chmod 644 {} \;?

Comments

  • The execute bit is necessary for folders, for example:

    $ mkdir perms
    $ cd perms/
    $ cd ..
    $ chmod 644 perms
    $ cd perms/
    -bash: cd: perms/: Permission denied
    $ chmod 755 perms
    $ cd perms/
    $ cd ..
    $ rmdir perms
    

    In a shared hosting environment (which is mainly where this can become an issue), the writeable bit is the more worrisome part of Unix permissions. Unfortunately, file permissions on shared hosts are a mess.

    If you FTP a file up, it's owned by your Unix user, which will be different than the web server user, but may or may not share group permissions. But if a file is created via upload through PHP, it will be owned by the web server user, and unless you then change its permissions to be group-writeable or often world-writeable, then you won't be able to modify that file via FTP afterwards.

    So in the instructions, I try to keep it simple for the average user but also link to more detail on file permissions as well. But I'm definitely open to improving the permission scheme further :)

    I also hope shared hosting's days are numbered, at least in its current form. With companies like Digital Ocean now offering $5/mo virtual servers with SSD storage, plus "droplets" (aka virtual server images) for things like default LAMP stacks, you can avoid sharing a filesystem with others entirely, and get some pretty awesome performance to boot!

  • Maybe something like this would work better?

    $ cd /path/to/your/site
    $ chmod -R 755 apps cache conf css files install lang layouts
    $ find apps cache conf css files install lang layouts ! -type d -exec chmod 644 {} +
    
  • @jbroadway said: The execute bit is necessary for folders

    Right, that's what the -type f was for.

    Yeah, VPSs, etc. are pretty cool.

  • Re: permissions: I've switched to httpd-itk on my servers. It runs as User: user-web, Group: user, where user-web is in the same private group as user. Then you chmod g+w any folders apache/php need to write to, but the user still can edit those files.

  • Right, that's what the -type f was for.

    Sorry, overlooked that somehow. That should be safe I'd say, other than the ./elefant script, since that is meant to be executed from the command line.

  • OK, then this: find ! -name elefant -type f -exec chmod 644 {} \;

  • I wonder if we shouldn't add a command like ./elefant set-permissions and have people run that? That way they can just use one command then move on to the web installer, instead of pasting several lines of ugly bash commands :P

  • You think bash commands are ugly? I guess beauty is in the eye of the beholder. Or maybe it's just the power I admire.

    Anyway, your suggestion sounds good. Also, would you consider changing the permissions in the master? I did a git merge and all of a sudden all my permissions were back to 755 and all the file names were green in my xterm.

  • I think people unfamiliar with bash won't see them quite as we do ;)

    I'll update the permissions and add a command for that too. Won't be able to change the install instructions just yet since the new command won't be in the beta or stable releases yet, but at least we'll be moving towards a better permission setup.

  • Well... much easier to use

    ...
    $ chmod -R a+rwX apps cache conf css files install lang layouts
    

    instead of

    ...
    $ chmod -R 755 apps cache conf css files install lang layouts
    $ find apps cache conf css files install lang layouts ! -type d -exec chmod 644 {} +
    
  • I've updated the permissions on Github now.

    Just tested and the default Apache install on OSX requires 0777 on a folder to be able to write to it sigh

    I'm not sure the best approach to put into a set-permissions command, since 0755 is the default I recommend trying before opting for 0775 and finally 0777, and a command line script won't be able to tell what a web request will need.

    I think we may just have to keep the instructions as-is and add a line to reset files afterwards. Of course, that line may also need to set it to 644 or 664 too...

  • Would it make sense to add a configuration option? For instance, my server runs as a group member, so I don't need other permissions on anything that elefant creates.

  • It may make sense to make it an option. Most users would leave the defaults, but it could be good to be able to lock it down further on shared hosts.

    It's too bad there's not a straightforward way for users to tell what permissions they need from host to host. Makes it cumbersome for less technical users to try to suss out the right level of restrictiveness...
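A sketch of what a permission-reset helper along the lines discussed in this thread could look like, as an added example that is not part of the original posts or of Elefant's own code. The function names `set_site_perms` and `list_world_writable` are hypothetical, and the optional mode arguments stand in for the configuration option suggested above.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Elefant's code).
# set_site_perms ROOT [DIR_MODE] [FILE_MODE]
#   Defaults are 755/644; pass e.g. 750 640 when the web server
#   runs as a member of the owner's group and "other" needs nothing.
set_site_perms() {
    root=$1
    dir_mode=${2:-755}
    file_mode=${3:-644}

    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }

    # Directories keep the execute (search) bit so they can be entered.
    find "$root" -type d -exec chmod "$dir_mode" {} + || return 1

    # Regular files lose the execute bit. "-exec ... {} +" hands the names
    # to chmod as arguments, so paths containing spaces are handled and
    # long file lists are split into several chmod calls automatically.
    find "$root" -type f -exec chmod "$file_mode" {} + || return 1

    # The top-level elefant script is meant to be run from the command
    # line, so it gets its execute bits back (same mode as directories).
    if [ -f "$root/elefant" ]; then
        chmod "$dir_mode" "$root/elefant" || return 1
    fi
}

# Print every file or directory under ROOT that is still world-writable,
# as a quick check after loosening folders to 0775 or 0777 for a host.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}
```

Folders the web server must write to still need their extra write bit set again afterwards (for example `chmod g+w` on them, as described above); `list_world_writable` then shows whether anything ended up at 0777.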