Pre-configure Web-package

README

Before installing any web package that you will use on a public web server, make sure that the files and folders in the package have the proper permissions according to the “Linux Security Laws”. First, you should know that all folders in a UNIX file system should have the octal permission 0755 and all files 0644.

Most current file systems have methods of administering permissions or access rights to specific users and groups of users. These systems control the ability of the users to view or make changes to the contents of the filesystem.

Permissions on Unix-like systems are managed in three distinct classes: Owner, Owner’s group and Other users. These classes are known as user, group, and others. In effect, Unix permissions are a simplified form of access control lists (ACLs). When a new file is created on a Unix-like system, its permissions are determined from the umask of the process that created it.

Extracted from Wikipedia: http://en.wikipedia.org/wiki/Filesystem_permissions

There are three specific permissions on Unix-like systems that apply to each class:

  • The read permission, which grants the ability to read a file. When set for a directory, this permission grants the ability to read the names of files in the directory (but not to find out any further information about them such as contents, file type, size, ownership, permissions, etc.)
  • The write permission, which grants the ability to modify a file. When set for a directory, this permission grants the ability to modify entries in the directory. This includes creating files, deleting files, and renaming files.
  • The execute permission, which grants the ability to execute a file. This permission must be set for executable binaries (for example, a compiled C++ program) or shell scripts (for example, a Perl program) in order to allow the operating system to run them. When set for a directory, this permission grants the ability to access file contents and metainfo if its name is known, but not list files inside the directory (unless read is set).

Explanation

Octal notation is another common method for representing Unix permissions; it consists of a three- or four-digit base-8 value. With three-digit octal notation, each numeral represents a different component of the permission set: user class, group class, and “others” class respectively. Each of these digits is the sum of its component bits:

Permissions:
    4 => (r) Read permission
    2 => (w) Write permission
    1 => (x) Execution permission
Folder: 0755
    7 ( r + w + x ) for the owner
    5 ( r + x )     for the owner group
    5 ( r + x )     for the other users (like www-data or nobody)
File: 0644
    6 ( r + w ) for the owner
    4 ( r )     for the owner group
    4 ( r )     for the other users (like www-data or nobody)
*** Note: The first number in the four-digit octal permission format corresponds to the SUID access.

To see what permissions are granted for a directory or a file, run the ls command in a terminal on any Unix-like system and add the parameter -l (you can also add more parameters, like -lha, to see hidden folders/files and file sizes in human-readable form):

$ ls -lhas /home/cixtor
total 2.1M
4.0K drwxr-xr-x 52 cixtor cixtor 4.0K Sep 18 07:43 .
4.0K drwxr-xr-x  5 root   root   4.0K Sep  3 20:44 ..
 16K -rw-------  1 cixtor cixtor  16K Sep 18 07:42 .ICEauthority
   0 -rw-------  1 cixtor cixtor    0 Sep  3 09:49 .Xauthority
 48K -rw-------  1 cixtor cixtor  41K Sep 18 00:53 .bash_history
4.0K -rw-r--r--  1 cixtor cixtor  220 Sep  3 08:20 .bash_logout
4.0K -rw-r--r--  1 cixtor cixtor 3.3K Sep  6 08:19 .bashrc
4.0K drwxr-xr-x 20 cixtor cixtor 4.0K Sep 11 12:47 .config
4.0K drwx------  3 cixtor cixtor 4.0K Sep  3 08:21 .dbus
4.0K -rw-r--r--  1 cixtor cixtor   32 Sep 18 07:42 .dmrc
4.0K -rw-------  1 cixtor cixtor   16 Sep  3 08:21 .esd_auth
 12K -rw-r--r--  1 cixtor cixtor  12K Sep  6 22:36 .face
4.0K drwx------  4 cixtor cixtor 4.0K Sep 18 07:42 .gconf
4.0K drwx------  2 cixtor cixtor 4.0K Sep 18 07:46 .gconfd
4.0K drwx------  4 cixtor cixtor 4.0K Sep  4 13:23 .gegl-0.0
   0 lrwxrwxrwx  1 cixtor cixtor   16 Sep  3 21:23 .gem -> /home/system/gem
...

As you can see, the list command with the parameter -lhas displays information not only about permissions but also date-time, file size, owner/owner group and maybe the SUID assignment. In my output I got two initial folders identified by one and two dots as their names, representing the current directory and the parent directory respectively, and various hidden folders/files identified by a name preceded by a single dot (use CTRL + H in Nautilus to see them graphically).

Commands

To prevent security vulnerabilities in the installation of a web package you should grant 0755 permissions to all folders in the wrapper directory and 0644 permissions to all files (including hidden files), and then grant extra privileges manually and individually to specific folders/files, for example 0777 for an upload directory.

Run these commands to find all the directories and files under the specified path; each result is passed to the chmod command as an argument to change its permissions.

$ find web_package_path -type d -print0 | xargs -0 chmod 755
$ find web_package_path -type f -print0 | xargs -0 chmod 644
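
An added example (not part of the original README): a shell script that audits a tree against the 0755/0644 baseline before and after the two commands above, treating one upload directory as the documented exception, and lists the entries that still carry setuid, setgid or world-write bits. The function names and the sample tree are constructed for illustration; -print0 and xargs -0 assume GNU or BSD tools, as the commands above do.

```shell
#!/bin/sh
# Added example. audit_perms, list_risky, apply_baseline and the sample tree
# are hypothetical names constructed for this illustration.

# List directories that are not exactly 0755 and regular files that are not
# exactly 0644 under $1. Extra arguments are paths relative to $1 that are
# deliberately different (e.g. an upload directory) and are not reported.
# They are passed to find -path, so glob characters in them act as patterns.
audit_perms() {
    root=$1; shift
    n=$#
    while [ "$n" -gt 0 ]; do      # turn each exception into: ! -path ROOT/EXC
        set -- "$@" ! -path "$root/$1"; shift; n=$((n - 1))
    done
    find "$root" "$@" \( -type d ! -perm 755 -o -type f ! -perm 644 \) -print
}

# List entries carrying setuid, setgid or world-write bits; these are the ones
# to review by hand once the baseline has been applied.
list_risky() {
    find "$1" ! -type l \( -perm -4000 -o -perm -2000 -o -perm -0002 \) -print
}

# Apply the page's two commands, then restore one documented exception:
# $2 is the path relative to $1, $3 the mode to grant it.
apply_baseline() {
    find "$1" -type d -print0 | xargs -0 chmod 755
    find "$1" -type f -print0 | xargs -0 chmod 644
    [ -z "$2" ] || chmod "$3" "$1/$2"
}

# Constructed sample tree standing in for an unpacked web package.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/uploads" "$t/lib/cache dir"
    : > "$t/index.php"; : > "$t/.htaccess"; : > "$t/lib/cache dir/tool.sh"
    chmod 777 "$t/lib/cache dir"; chmod 666 "$t/.htaccess"
    chmod 4755 "$t/lib/cache dir/tool.sh"; chmod 600 "$t/index.php"
    chmod 755 "$t" "$t/lib" "$t/uploads"
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
echo "before:";                    audit_perms "$tree"
apply_baseline "$tree" uploads 777
echo "after (uploads excepted):";  audit_perms "$tree" uploads
echo "still risky:";               list_risky "$tree"
rm -rf "$tree"
```

GNU chmod keeps the setuid and setgid bits on directories when given a plain numeric mode such as 755, so a directory that list_risky still reports after the baseline run needs an explicit chmod u-s,g-s.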