Understanding FTP File Permissions in Linux (inc CHMOD)
Uploading anything more complicated than basic HTML (for example, a PHP script), usually requires some fiddling with permission settings to make things work properly. Whether you’re battling an error or just following the instructions to install a new script on your server, knowing how to set permissions is essential.
Many webmasters try to set their permissions without knowing what they’re doing, or why it’s so important. This can lead to serious mistakes that can result in security and reliability issues.
Here’s the good news: permissions are easy to understand. Virtually anyone can grasp the underlying concepts in just a few minutes. Even the mysterious numbers we see when we use the CHMOD command will become much clearer after a quick primer.
Smart, Simple and Secure: File Permission Basics
The basic principle of file permissions is that not every file on your server needs to be accessed by every user. In this regard, your server is no different than your personal computer. If you have multiple accounts on the same machine, Person A may not be able to access the files of Person B for privacy reasons. But an administrator has a higher level account that allows access to everything.
Generally, three kinds of users access files: guests, which usually means visitors to the site; users (in this case, webmasters and the accounts they create); and administrators (meaning the hosting provider, or yourself if you have “root” access to the server, such as with a virtual private server (VPS)).
There’s no way to give or take away permissions from admins—they always have permission to do anything at any time. The permissions you set, on the other hand, determine what you and your visitors can do with your files. That’s where the CHMOD command comes in.
CHMOD, which stands for CHange MODe, is the Unix or Linux command commonly accessed via file transfer protocol (FTP) programs to change or set permissions for both files and folders. Typically, CHMOD represents the permission of a file or folder as a series of three numbers ranging from 0 to 7. The higher the number, the more “open” the permissions on the file.
The numbers each represent a different “group” of permissions:
User: This is the owner of the file or folder, meaning the account that uploaded it or created it.
Group: The group to which the user belongs. For example, if your hosting account allows you to create multiple FTP logins, they likely belong to the same group.
World: Everyone else, including visitors to your site.
The three groups also have three activities that can be either allowed or denied:
Read: The ability to read a file or list files in a folder. Without read access, a file can only be accessed by admins.
Write: The ability to edit/delete/rename a file, or the ability to create/delete/rename files in a folder.
Execute: The ability to run a script or run a script in a folder.
The three actions are then given a numeric value, with “Read” being “4,″ “Write” being “2,″ and “Execute” being “1.″ Adding these values creates a number between 0 and 7 in each of the three fields.
A file without any permissions, meaning no one but an admin could access it, is a 000. A file that can be read by anyone is a 444. A file that can be read, written and executed by anyone is a 777.
Each group can have a different value so, for example, a file with a permission of 755 can be read, written and executed by the user, but everyone else can only read or execute it, not write to it. This prevents others from editing the file.
Generally, a file’s user will have full access to it (meaning a 7), but typically others will have more restricted access. For most script files, 755 is considered the ideal. At times, other permissions are needed. For example, if you have a folder you upload files to regularly, the permissions might need to be set to 666, meaning the folder can be read and written to, but not executed.
Permission Slips: A Word About Security
The problem with permissions is that, the more you give away, the more likely it is someone else can misuse your permissions to launch an attack on your server. The lower the number, and the fewer rights granted, the better.
For example, if a script is editable but doesn’t need to be, a hacker might be able to inject malicious code into it. Likewise, if a file can be executed by any outside user, it may be used against the server or other visitors.
Be careful to set your permissions to only what is required. Designate files or folders as 777 only when absolutely necessary, and avoid giving execute permissions on files that don’t require them. Taking the time to set appropriate file permissions now can save you some pretty big headaches down the road.
File permissions are really not that confusing or difficult. The numerous great guides on the Web explaining the principles behind file permissions make it easy to track down the information you need. Although the way the information is conveyed can be a bit confusing, the principles behind file permissions are easy to grasp—and crucial to protecting your data. In the end, understanding how and why permissions work will make you a better webmaster by allowing you to keep your data secure and your users happy.