Before the installation of any web-package that you will use on a public web server, you need to be sure that the files/folders in the package have the proper permissions according to the “Linux Security Laws”; first you should know that all folders in a UNIX file system should have 0755 octal permission and the files
Most current file systems have methods of administering permissions or access rights to specific users and groups of users. These systems control the ability of the users to view or make changes to the contents of the filesystem.
Permissions on Unix-like systems are managed in three distinct classes: Owner, Owner’s group and Other users. These classes are known as user, group, and others. In effect, Unix permissions are a simplified form of access control lists (ACLs). When a new file is created on a Unix-like system, its permissions are determined from the umask of the process that created it.
Extracted from Wikipedia: http://en.wikipedia.org/wiki/Filesystem_permissions
There are three specific permissions on Unix-like systems that apply to each class:
- The read permission, which grants the ability to read a file. When set for a directory, this permission grants the ability to read the names of files in the directory (but not to find out any further information about them such as contents, file type, size, ownership, permissions, etc.)
- The write permission, which grants the ability to modify a file. When set for a directory, this permission grants the ability to modify entries in the directory. This includes creating files, deleting files, and renaming files.
- The execute permission, which grants the ability to execute a file. This permission must be set for executable binaries (for example, a compiled C++ program) or shell scripts (for example, a Perl program) in order to allow the operating system to run them. When set for a directory, this permission grants the ability to access file contents and metainfo if its name is known, but not list files inside the directory (unless read is set).
Octal notation is another common method for representing Unix permissions; it consists of a three- or four-digit base-8 value. In three-digit octal notation, each numeral represents a different component of the permission set: the user class, the group class and the “others” class respectively; each of these digits is the sum of its component bits:

Permissions:
- 4 => (r) Read permission
- 2 => (w) Write permission
- 1 => (x) Execution permission

Folder: 0755
- 7 (r + w + x) for the owner
- 5 (r + x) for the owner group
- 5 (r + x) for the other users (like www-data or nobody)

File: 0644
- 6 (r + w) for the owner
- 4 (r) for the owner group
- 4 (r) for the other users (like www-data or nobody)

*** Note: The first number in the four-digit octal format corresponds to the special bits (SUID, together with SGID and sticky); a leading 0 means none of them is set.
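As an added example (not part of the original article), the following shell function turns a symbolic mode string as printed by `ls -l` into its four-digit octal form by summing exactly the bits listed above, including the leading special-bits digit. The function names are this example's own and the mode strings it is run on are constructed, not taken from a real listing.

```shell
#!/bin/sh
# Added example: convert a symbolic mode string as printed by `ls -l`
# (for example drwxr-xr-x) into four-digit octal (0755). Function names are
# this example's own; the sample strings at the bottom are constructed.

# Map one rwx triplet to its octal digit: r=4, w=2, x=1. The third slot may
# also hold s/S (setuid/setgid) or t/T (sticky); lowercase means the execute
# bit is set underneath, uppercase means it is not.
triplet_to_digit() {
    t=$1
    d=0
    case $t in r??) d=$((d + 4)) ;; esac
    case $t in ?w?) d=$((d + 2)) ;; esac
    case $t in ??[xst]) d=$((d + 1)) ;; esac
    echo "$d"
}

# Accept either the 10-character form (file-type char + 9 mode chars) or the
# bare 9-character mode, and print the octal value with the special-bits
# digit first (0 when no setuid/setgid/sticky bit is present).
mode_to_octal() {
    mode=$1
    if [ "${#mode}" -eq 10 ]; then
        mode=$(printf '%s' "$mode" | cut -c2-10)
    fi
    if [ "${#mode}" -ne 9 ]; then
        echo "mode_to_octal: expected a 9- or 10-character mode string" >&2
        return 1
    fi
    u=$(printf '%s' "$mode" | cut -c1-3)
    g=$(printf '%s' "$mode" | cut -c4-6)
    o=$(printf '%s' "$mode" | cut -c7-9)
    special=0
    case $u in ??[sS]) special=$((special + 4)) ;; esac   # setuid
    case $g in ??[sS]) special=$((special + 2)) ;; esac   # setgid
    case $o in ??[tT]) special=$((special + 1)) ;; esac   # sticky
    printf '%d%d%d%d\n' "$special" \
        "$(triplet_to_digit "$u")" "$(triplet_to_digit "$g")" "$(triplet_to_digit "$o")"
}

# Constructed sample modes (not taken from a real listing).
for m in drwxr-xr-x -rw-r--r-- -rwsr-xr-x drwxrwxrwt lrwxrwxrwx; do
    printf '%s -> %s\n' "$m" "$(mode_to_octal "$m")"
done
```

Feeding it the two modes from the tables above gives 0755 for `drwxr-xr-x` and 0644 for `-rw-r--r--`; a setuid binary such as `-rwsr-xr-x` comes out as 4755, which is why a leading digit other than 0 on a web-package file deserves a second look.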
To see what permissions are granted for a directory or a file, just execute the command `ls` through a terminal in any UNIX-like system and append the parameter `-l` (additionally you can add more parameters like `-lha` to see hidden folders/files and the file size in human-readable form):
```
$ ls -lhas /home/cixtor
total 2.1M
4.0K drwxr-xr-x 52 cixtor cixtor 4.0K Sep 18 07:43 .
4.0K drwxr-xr-x  5 root   root   4.0K Sep  3 20:44 ..
 16K -rw-------  1 cixtor cixtor  16K Sep 18 07:42 .ICEauthority
   0 -rw-------  1 cixtor cixtor    0 Sep  3 09:49 .Xauthority
 48K -rw-------  1 cixtor cixtor  41K Sep 18 00:53 .bash_history
4.0K -rw-r--r--  1 cixtor cixtor  220 Sep  3 08:20 .bash_logout
4.0K -rw-r--r--  1 cixtor cixtor 3.3K Sep  6 08:19 .bashrc
4.0K drwxr-xr-x 20 cixtor cixtor 4.0K Sep 11 12:47 .config
4.0K drwx------  3 cixtor cixtor 4.0K Sep  3 08:21 .dbus
4.0K -rw-r--r--  1 cixtor cixtor   32 Sep 18 07:42 .dmrc
4.0K -rw-------  1 cixtor cixtor   16 Sep  3 08:21 .esd_auth
 12K -rw-r--r--  1 cixtor cixtor  12K Sep  6 22:36 .face
4.0K drwx------  4 cixtor cixtor 4.0K Sep 18 07:42 .gconf
4.0K drwx------  2 cixtor cixtor 4.0K Sep 18 07:46 .gconfd
4.0K drwx------  4 cixtor cixtor 4.0K Sep  4 13:23 .gegl-0.0
   0 lrwxrwxrwx  1 cixtor cixtor   16 Sep  3 21:23 .gem -> /home/system/gem
...
```
As you can see, the list command with the parameter `-lhas` displays information not only about permissions but also the date-time, file size, owner/owner group and possibly the SUID assignment; in my output I got two initial folders identified by one and two dots as their names, representing the current directory and the parent directory respectively, and various hidden folders/files identified by a name preceded by a single dot (use CTRL + H in Nautilus to see them graphically).
To prevent security vulnerabilities in the installation of a web-package you should grant 0755 permissions to all folders in the wrapper directory and 0644 permissions to files (including hidden files), and manually/individually grant extra privileges to specific folders/files, like 0777 for an upload directory for example.
Just execute these commands to find all the directories (first command) and files (second command) in the specified path; each result will be sent to the `chmod` command as a parameter to change its permissions.

```
$ find web_package_path -type d -print0 | xargs -0 chmod 755
$ find web_package_path -type f -print0 | xargs -0 chmod 644
```
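As an added example, not part of the original article, the script below wraps the two `find` commands in a function and adds the check a practitioner wants around them: an audit that lists every directory or file deviating from the 0755/0644 baseline and, separately, everything writable by the "others" class, run before and after the baseline is applied. The function names are this example's own; the package layout it audits is a constructed tree built in a temporary directory, with an upload directory at 0777 and a script at 0666 planted on purpose. After the baseline has been applied, re-grant write access to the upload directory individually as the article describes; giving write permission to the web server's group rather than to everyone is the narrower way to do that, and the `world_writable` check will keep flagging anything that stays at 0777 so it remains a conscious exception.

```shell
#!/bin/sh
# Added example: audit a web-package tree against the article's baseline
# (0755 directories, 0644 files) before and after applying it. Function names
# are this example's own; the tree built by make_sample_tree is constructed.

# Print every directory that is not exactly 0755 and every regular file that
# is not exactly 0644, one per line, prefixed with its kind.
audit_permissions() {
    find "$1" -type d ! -perm 755 -exec printf 'dir  %s\n' {} \;
    find "$1" -type f ! -perm 644 -exec printf 'file %s\n' {} \;
}

# Print everything writable by "others" (the class www-data/nobody fall into).
# Symbolic links are skipped because their own mode is always rwxrwxrwx.
world_writable() {
    find "$1" ! -type l -perm -002
}

# Apply the baseline from the article. -print0/-0 keeps file names containing
# spaces or newlines intact; -type f never matches symlinks, so link targets
# outside the tree are left alone.
apply_baseline() {
    find "$1" -type d -print0 | xargs -0 chmod 755
    find "$1" -type f -print0 | xargs -0 chmod 644
}

# Build a constructed package layout in a temporary directory with two
# deliberately wrong modes, and print its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/inc" "$root/uploads"
    printf '<?php\n' > "$root/index.php"
    printf 'secret\n' > "$root/inc/config.php"
    chmod 755 "$root" "$root/inc"
    chmod 777 "$root/uploads"       # world-writable upload directory
    chmod 666 "$root/index.php"     # world-writable script: never acceptable
    chmod 644 "$root/inc/config.php"
    printf '%s\n' "$root"
}

root=$(make_sample_tree)
echo "== deviations from the baseline before =="
audit_permissions "$root"
echo "== world-writable entries before =="
world_writable "$root"
apply_baseline "$root"
echo "== deviations from the baseline after =="
audit_permissions "$root"
rm -rf "$root"
```

Run on the constructed tree, the first audit reports the upload directory and the 0666 script, the world-writable check reports the same two entries, and after `apply_baseline` both checks come back empty. Pointing `audit_permissions` at a real web package path is a cheap way to verify that the two `find` commands above did what you expected, and a periodic run of `world_writable` catches permissions that drift back after an upgrade or a hasty fix.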