Larry Ullman's Book Forums
Edward

Assets And Runtime File Permissions


I guess we can just see how things run when our sites are up and then if we experience any security problems we can harden up on the site or server security at that point in time.


I believe you are misunderstanding how permissions are used in *nix systems.  Setting the permission 6 (or rw) is not good in general on a directory.  You want 5 or 7.  So 755 or 775 or 777 are the most common ones.  Why?

 

 

  • The read permission grants the ability to read a file. When set for a directory, this permission grants the ability to read the names of files in the directory, but not to find out any further information about them such as contents, file type, size, ownership, permissions.
  • The write permission grants the ability to modify a file. When set for a directory, this permission grants the ability to modify entries in the directory. This includes creating files, deleting files, and renaming files.
  • The execute permission grants the ability to execute a file. This permission must be set for executable programs, including shell scripts, in order to allow the operating system to run them. When set for a directory, this permission grants the ability to access file contents and meta-information if its name is known, but not list files inside the directory, unless read is set also.

 

 

This is taken from Wikipedia. There are numerous other sources available.

 

Something else you may want to look at is the Umask being set.  That controls the default permissions of new directories/files when they are created.  This is usually set in ~/.bashrc as

umask 022  # default files permissions are 644 and for directories, 755

or

umask 027  # default files permissions are 640 and for directories 750

 

Finally, the last thing to check is in the Yii Framework itself in ./framework/web/CAssetManager.php. There are two settings there that determine how files and directories are created.

public $newFileMode=0666;

public $newDirMode=0777;

 

I changed these to be 0664 and 0775, respectively, for more security on the machine.

 

Hope that helps.


Hope it's not too late to chime in here.  There have been some good points raised in regards to file permissions, however you also need to look at the group and owner of your directories and files (which hasn't been mentioned yet).

 

If your site was uploaded via ftp/scp etc to your home directory, and then copied using sudo to your /var/www folder, then chances are the files and folders are now owned by root.

 

For apache to run your site, you need appropriate permissions (755 etc), but you also need the right owner and group.  Apache runs under www-data, so your files and folders should also be www-data.  To make this change for all folders and files in your website, use the following command.

sudo chown -R www-data:www-data /var/www/myWebsite

The -R means to apply it recursively to files and sub-directories etc.  I have changed the owner and group at the same time, however you can do them separately if necessary.

sudo chown -R www-data /var/www/myWebsite
sudo chgrp -R www-data /var/www/myWebsite
  • Upvote 1
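
The permission points raised in this thread, as an added example that is not part of any post: a shell sketch that computes the modes a umask produces and audits a web root for directories that have read without execute and for world-writable entries. The function names (`modes_for_umask`, `audit_webroot`, `make_sample_tree`) and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the sample tree are constructed.

# Modes that new files and directories receive under a given umask: creation
# starts from 666 (files) or 777 (directories) and the umask bits are cleared.
modes_for_umask() {
    printf 'file=%03o dir=%03o\n' "$(( 0666 & ~0$1 ))" "$(( 0777 & ~0$1 ))"
}

# Report the two conditions discussed in the thread:
#   DIR-R-WITHOUT-X  directory with read but not execute in some class (a 6 or 4
#                    digit): names can be listed, but the files cannot be opened
#   WORLD-WRITABLE   file or directory writable by "other" (e.g. 0666 or 0777)
# "|| true": find exits non-zero when it cannot descend into such a directory.
audit_webroot() {
    find "$1" -type d \( \( -perm -400 ! -perm -100 \) -o \( -perm -040 ! -perm -010 \) \
        -o \( -perm -004 ! -perm -001 \) \) \
        -exec printf 'DIR-R-WITHOUT-X %s\n' {} \; 2>/dev/null || true
    find "$1" ! -type l -perm -002 \
        -exec printf 'WORLD-WRITABLE %s\n' {} \; 2>/dev/null || true
}

# Constructed tree: assets/ uses the stock CAssetManager modes quoted in the
# thread, protected/runtime shows the "6 on a directory" mistake.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/assets" "$root/protected/runtime"
    : > "$root/index.php"
    : > "$root/assets/site.css"
    chmod 755 "$root" "$root/protected"
    chmod 644 "$root/index.php" "$root/protected/runtime"
    chmod 666 "$root/assets/site.css"   # $newFileMode=0666
    chmod 777 "$root/assets"            # $newDirMode=0777
    printf '%s\n' "$root"
}

tree=$(make_sample_tree)
modes_for_umask 022
modes_for_umask 027
audit_webroot "$tree"
chmod -R u+rwx "$tree" && rm -rf "$tree"
```

Point `audit_webroot` at a real document root to get the same report; it only reads metadata and changes nothing.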
