Wikipedia:Babel | ||||
---|---|---|---|---|
| ||||
Search user languages |
-- Hi Thanks to Livitup, Tardis and Maplebed for answering my question on chmod.
I can't seem to see it on here anymore so i found the cached page on googlew and copied over to here:
October 19
Chmod < Linux < Internet < Computing Hello I have read countless tutorials on the web about the issue of chmod on Unix-like computers.
Basicly you can set the permissions of a file or directory (by chmod'ing it) to control who can read, write and execute it.
A good explanation of this is here: http://www.phpdebutant.com/articles/CHMOD-777.php
What always seems to be lacking from any tutorial on chmod, that i have found, is exactly WHO is the 'user', 'group' or 'world'. (Or at least there are conflicting defintions.)
I have a website, which sits on the World Wide Web.
If i am right in believing many of these chmod articles - if i chmod 777 a file in the publicly accessable part of my server's file system (below my web root), this would mean that the World (or sometimes called 'All') can read, write and execute that file.
So, if i chmod a directory below my web root - does this mean that ANYONE can just upload files to it? or does 'World' in the chmod sense actually mean - anyone who has access to the inner workings of the machine that the file sits on?
So, in a chmod-sense who is World?
The reason why i'm trying to find this out is because i am about to use a dedicated server, which means that the only person who has access to the machine is me.
Therefore, should i worry about chmoding something to 777 in my document root, bearing in mind that i will be the only person who can FTP to the machine, login to the command shell, etc.?
I would appreciate any helpful definitive answers.
Notes about this question. Pre-empting some answers... In the tutorial i linked-to above it says that World includes websurfers. Yet, i find documentation of various PHP applications (which seem to be have been running well for years without problems) telling me to chmod 777 web-browsable folders as part of the installation process (and not saying to un-chmod it away from 777 after). See: http://fudforum.org/doc/d/manual.html#install.wizard.step1
So this kind of thing only confuses me more!
--Ronnystalker 00:09, 19 October 2006 (UTC)
File permissions on a *nix system always refer back to the account and group that own the file. You can view this information if you type 'ls -l' at the command line. You will see two names after the permissions column, the first is the account that owns the file, the second is the group that owns the file. These can be changed using the chown and chgrp commands. By default, if you create a file, the owner and group will be set to yourself, and your primary group. Where this comes into play as far as webservers are concerned, is that the webserver itself actually runs as, and accesses files, as a user on the system. Most webservers run under the guise of a special account, such as "apache" or "nobody" so that hackers can't access special system files via the web server. So, if you create a web page, and the user/group gets set to your own account and group, the webserver won't even be able to read the file when a client requests it. That's why most web files are changed to less strict permissions. If the webserver needs to be able to change a file, such as a simple database or something, then I could see using permissions like 777, though just 774 should be enough for most static web pages. I'm not an expert on web security though, so I'll defer that last bit to someone more qualified. Livitup 04:12, 19 October 2006 (UTC)
Another note about "world". What that really means is "anyone who is not the owner of the file, or a member of the group that owns the file." So world includes the account the webserver is running as. If you place a script on your webserver that allows users to upload files to your server, then it would need a world-writable directory (or a directory the webserver's account owns) to put the files in. That doesn't mean that anyone in the world can just put files on your server, the webserver has to execute some kind of code to let them do it, either planned (in the case of our file-uploader script) or unplanned (hacking). Livitup 04:17, 19 October 2006 (UTC)
I don't have any proof of this, but it's my understanding that sometimes webservers (particularly if running as root) determine and simulate the permissions on a file, rather than being bound by them but otherwise ignoring them. Typically, then, websurfers (who in general aren't authenticated as anyone in particular) are treated as "world", and HTTP PUT commands may be used iff the target file (if it exists) or its containing directory (if it does not) are world-writable. So (unless you want PUT) giving world-write is probably a bad idea, since it's never useful to servers that need permissions and sometimes damaging with servers that grant permissions. (If the server itself, but not websurfers, needs to be able to write to a file, it should be owned by the server user/group.) --Tardis 16:31, 19 October 2006 (UTC)
The simplest answer to to the first question (who is 'user', 'group' and 'world') is that the user is the account that owns the file, group is the group that is given access to the file, and world is all other user accounts on the host in question. The key is that all of these terms refer to local users on the host. The web server, as with all applications, run as a specific user. In most installations of the Linux system, the most common web server (apache) runs as the 'apache' or 'httpd' or 'nobody' user. You can see who owns a file or directory by running 'ls -l filename' and you can see the user as which a program is running by running 'ps auxf | grep programname' (where programname is something like 'httpd'. A list of all users (that can own files) is in /etc/passwd, and a list of all groups (and who is in them) is stored in /etc/group (caveat - this does not apply if your system is running NIS, and if you don't know what that means, don't worry).
Regarding the second part of your question - what is the effect of setting a directory to mode 777 within your document root, it is always something to be nervous about because if the application that the web server is running (your wiki, forum, bulletin board, etc.) is not secure, then web users can abuse that area. However, many of those applications need a space the web server can write to in order to do things like allow users to upload their own avatars and so on. In reality, what those applications really mean is that the user as which the web server runs must have write access to that directory. You could, instead of making the directory mode 777, change ownership to the user as which the web server runs and make it mode 700 or more (750, 755, 775, etc.). However, since getting permissions exactly right is sometimes difficult, most applications installation instructions simply say 'make it mode 777' and ignore the subtleties. The bottom line is that (especially on a system on which you are the only user) the security of the application itself is more important than setting a directory mode 777. The concern you have for openinig the directory to the 'world' is more applicable to a system on which there are many (untrusted) users; since the directory is mode 777, any local user can modify the contents. In that case, it is safer to set the directory to be owned by the web user and mode 755, which will allow the web software to write to the directory but will not allow other malicious local users to modify the contents. --Maplebed 04:10, 22 October 2006 (UTC)