I had the opportunity to explore Linux file permissions recently after a hacker put malware on a client's site. Part of the damage included file and directory permissions being changed to the least secure settings.
The way to fix Linux file permissions is to go in and do it by hand through a website control panel, FTP, or Linux command line terminal. Files are set to 644 (rw- r-- r--) and directories are set to 755 (rwx r-x r-x).
File Permissions Basics
When you see something like rw- r-- r-- when examining files on your website, you're seeing the permission settings.
R means permission to READ the file: view/display contents, permissions for the world.
W means permission to WRITE to the file: modify/delete/update.
X means permission to EXECUTE the file: run scripts like PHP or Miva.
D means the item is a directory and not a normal file - this might not be displayed.
- a dash means the permission is turned off.
These letters also correspond to numbers, and if you're doing command line Unix/Linux stuff or changing permissions in a script, you'll use numbers instead.
See the last section below for more detailed information on permission groupings and how it all works if you're curious. For now, let's get on to why you're here.
Setting the Correct File Permissions
Files that your website uses (html, mvc, php, css, images, media, etc.) should be set to 644, which is the same as rw-r--r--, which is the same as saying the user can READ and WRITE the file, the group can READ the file, and the world can READ the file.
In a nutshell, it means you can modify the file but everyone else just gets to view it.
For example, in my Plesk website control panel file manager, my website file permissions are like this:
In scripting languages or older FTP clients, you would use numbers and set file permissions to 644. In some cases, such as using the schmod(...) function in mivascript, you need to add a 0 and set the permissions to 0644.
Setting the Correct Directory Permissions
Directories are set to 755, which corresponds to rwxr-xr-x. In my Plesk website control panel file manager, it looks like:
The notes above for scripting languages apply here as well. Sometimes if you're setting permissions by the numbers, you need to add a 0 so 755 turns into 0755.
Website File Permission Details Explained
This information is completely unnecessary if you just wanted to figure out the proper permissions for files and folders on your website. However, read on if you're a curious person and want to know what's going on.
The permissions string is 10 characters long. The first character is a d or a - (dash) and simply tells the system if the item is a directory or not. You can disregard this when setting your permissions. For example, a directory would look like this: drwxr-xr-x
The permissions are the next nine characters and are set up in three groups of three letters each. For a normal website file it's rw-r--r--
The first three characters correspond to the USER, the next group of three corresponds to the GROUP, and the last group of three corresponds to the WORLD/OTHER.
USER = The owner of a file. That would be you when you FTP into your site to modify or delete or update the file.
GROUP = Members of the file's group have these permissions.
OTHER/WORLD = People, robots, search engine crawlers, anything that visits your site.
Example for 644, or rw-r--r--:
- USER permissions are rw- (read/write)
- GROUP permissions are r-- (read)
- WORLD/OTHER permissions are r-- (read)
Only you get to modify the files. Everyone else gets to view them. PHP and other scripts normally do not need to be executable (r-x) because most servers are set up in a way that lets them "read" the file internally and just display the output, so the site visitor will never see your script source code. This wasn't always the case, but it's the 21st century and things like this are pretty much automatic in a good server setup.
Unix File Permissions Reference
File Permission Character Code Reference:
--- no permission
--x execute
-w- write
-wx write and execute
r-- read
r-x read and execute
rw- read and write
rwx read, write and execute
Numbers/Characters Reference:
0 --- no permission
1 --x execute
2 -w- write
3 -wx write and execute
4 r-- read
5 r-x read and execute
6 rw- read and write
7 rwx read, write and execute
Now you can see how 644 (read and write/read/read) permissions translate into the letters:
6 = rw-
4 = r--
4 = r--
Result:
rw-r--r--
Changing Permissions in Linux/Unix
If you want to go old school and bypass your FTP client or website control panel file manager, you can change the permissions on the command line. Open an SSH terminal, get into your system, and navigate to the file or directory you want to change permissions for.
To change file permissions to 644 on a file such as about.html, you would enter:
chmod 644 about.html
If you want to change permissions on all files in a directory such as sitefiles/ in one go, you would enter:
chmod -R 644 sitefiles/
Note: after this process you'll want to change the directory permissions back to 755 by entering:
chmod 755 sitefiles/
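A recursive chmod applies one mode to files and subdirectories alike, so subdirectories under sitefiles/ end up without the execute bit they need to be entered. The following is an added example, not part of the original article: a shell sketch that first lists group- or world-writable entries, then resets directories to 755 and files to 644 separately. The function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and the demo tree are constructed for illustration.

# Print every file or directory under $1 that group or world can write to.
# Symlinks are skipped: their own mode bits always read rwxrwxrwx on Linux.
audit_loose_perms() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
}

# Reset directories to 755 and regular files to 644 under $1.
# Directories go first, one chmod per directory (\;), so each one regains
# its execute bit before find tries to descend into it.
fix_site_perms() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} +
}

# Ten-character permission string for one path, e.g. drwxr-xr-x
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Build a throwaway tree with the loose settings described in the article.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/sitefiles/images"
    : > "$root/sitefiles/about.html"
    : > "$root/sitefiles/images/logo.png"
    chmod 777 "$root/sitefiles" "$root/sitefiles/images"
    chmod 666 "$root/sitefiles/about.html"
    chmod 777 "$root/sitefiles/images/logo.png"
    echo "$root"
}

demo=$(make_demo_tree)
echo "Before: $(audit_loose_perms "$demo/sitefiles" | wc -l) loose entries"
fix_site_perms "$demo/sitefiles"
echo "After:  $(audit_loose_perms "$demo/sitefiles" | wc -l) loose entries"
perm_string "$demo/sitefiles/images"
perm_string "$demo/sitefiles/about.html"
rm -rf "$demo"
```

Run the audit function on its own first and keep its output: after a compromise, the list of entries that were writable by group or world is worth recording before the modes are reset.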
Disclaimer and Resources
Please understand that setting 644 for file permissions and 755 for directory permissions is considered standard but like everything else, there are certain cases where you might want to set these permissions differently. The scope of this article is only for the most basic, simple settings. For more detailed or technical info, take a look at:
Stack Overflow Search Results for advanced file permissions
Understanding File Permissions on Elated.com
New User Tutorial: Basic File Permissions from the liquidweb knowledge base
An Introduction to Linux Permissions by Mitchell Anicas on DigitalOcean.com