What permissions for PHP scripts/directories?

情歌与酒 2020-12-08 00:45

I am trying to help a friend move a web-site from one web-hotel to another. The old place is already closed, I have only a flat tar file of what was in it.

The we

6 Answers
  • 2020-12-08 01:22

    All the PHP files which are intended to be addressed directly via URLs can happily reside in the same directories as the static content (this is the usual practice).

    It is good practice to have at least one directory outside those visible from the webserver to hold include files, but the PHP include path should still include '.'.

    I'd recommend not putting lots of non-standard directories in your root filesystem - the default webroot varies by distribution, but I usually go with something like:

    /var/www/htdocs - as the document root
    /usr/local/php - for include files

    Obviously if you intend running your webserver chroot, these should be mapped accordingly.

    All files must be readable by the uid under which the webserver runs, however if you can restrict what is writeable by this uid as much as possible then you close off a potential attack vector.

    I usually go with setting up my dirs as drwxrwSr-x owned by a member of a webdev group with the group ownership as the webdev team (the httpd uid is not in the webdev group), and files are therefore -rw-rw-r--. So anyone in the webdev group can change files, and the httpd uid can only read files.

    1) does the files-extension (.php) means something to the server:

    Yes - go read the PHP installation guide.

    C.

    0 Discuss (0)
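The layout from the answer above, as an added example that is not part of the original answer: it sets directories to 2775 and files to 664 under a document root, then lists anything the web-server uid (which falls under "other" in this scheme) could still write to. It assumes the answer's drwxrwSr-x means setgid directories that the group can also enter (rwxrwsr-x); the function names and the optional group argument are hypothetical.

```shell
#!/bin/sh
# Added example: apply and verify the shared-group layout on a tree.

# apply_layout ROOT [GROUP]
# chgrp needs root or membership in GROUP, so it only runs when GROUP is given.
apply_layout() {
    root=$1
    group=${2:-}
    [ -d "$root" ] || return 2
    if [ -n "$group" ]; then
        chgrp -R "$group" "$root" || return 1
    fi
    # Directories: rwxrwsr-x. setgid makes new entries inherit the directory's group.
    find "$root" -type d -exec chmod 2775 {} +
    # Files: rw-rw-r--. An httpd uid outside the group is "other" and can only read.
    find "$root" -type f -exec chmod 664 {} +
}

# Print every entry that "other" can write to (symlink modes are meaningless, skip them).
writable_by_other() {
    find "$1" -perm -002 ! -type l
}

# Print directories without setgid, where new files would get the creator's primary group.
dirs_without_setgid() {
    find "$1" -type d ! -perm -2000
}
```

Run `writable_by_other` on the document root after every deployment; an empty result means the web-server uid has no write access through the "other" bits.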
  • 2020-12-08 01:28

    I've coded a function to address the permissions issues in both of PHP / SuPHP and similar:

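    function realChmod($path, $chmod = null)
    {
        if (file_exists($path) === true)
        {
            if (is_null($chmod) === true)
            {
                // Defaults, written as decimal digits and converted by octdec() below:
                // 644 for files, 755 for directories.
                $chmod = (is_file($path) === true) ? 644 : 755;

                // get_current_user() returns the owner of the running script. If that is
                // a typical web-server account, add write for group and other
                // (644 -> 666, 755 -> 777).
                if (in_array(get_current_user(), array('apache', 'httpd', 'nobody', 'system', 'webdaemon', 'www', 'www-data')) === true)
                {
                    $chmod += 22;
                }
            }

            // Apply the mode; returns true on success, false on failure.
            return chmod($path, octdec(intval($chmod)));
        }

        return false;
    }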
    

    Maybe it's useful for you.

    0 Discuss (0)
  • 2020-12-08 01:29

    Set php files to 640

    For maximum security you should set minimum permissions, which is 640.

    • The owner 6 would be the one uploading the files.
    • The group 4 would be the one serving the file. Make apache a group member.
    • The nobody 0 means no other users can read this file. It's important since php scripts sometimes have passwords and other sensitive data.

    Never allow php scripts to be read by everyone.

    Useful commands:

    chmod 640 file.php
    chown user:group file.php
    usermod -a -G group apache
    

    What these commands are doing:

    1. Change ownership of file.php so user can read and write, group read.
    2. Change ownership of file.php, to chosen user name and group name.
    3. Add apache to the group, so that apache can serve the file. Otherwise 640 will not work.

    0 Discuss (0)
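A check for the 640 scheme in the answer above, added here and not part of the original answer: it finds .php files on which "other" still holds any permission bit, tightens them to 640, and tests whether an account belongs to the group that owns a file. The function names are hypothetical, and the account to pass is whatever your web server runs as.

```shell
#!/bin/sh
# Added example: audit a tree against the 640 scheme.

# php_open_to_other ROOT [extra find actions]
# Print .php files on which "other" holds any bit (640 leaves none).
php_open_to_other() {
    root=$1
    shift
    find "$root" -type f -name '*.php' \
        \( -perm -004 -o -perm -002 -o -perm -001 \) "$@"
}

# Set every offending .php file to 640 and print how many were changed.
tighten_php() {
    count=$(php_open_to_other "$1" | wc -l)
    php_open_to_other "$1" -exec chmod 640 {} +
    echo $((count))
}

# account_in_file_group FILE ACCOUNT
# Succeeds if ACCOUNT is a member of the group owning FILE. When the server
# is not the owner, this is the precondition for it to read a 640 file.
account_in_file_group() {
    gid=$(ls -ldn "$1" | awk '{print $4}')
    for g in $(id -G "$2" 2>/dev/null); do
        [ "$g" = "$gid" ] && return 0
    done
    return 1
}
```

If `account_in_file_group` fails for the server account after tightening, the server cannot read the script; fix the group membership rather than loosening the mode.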
  • 2020-12-08 01:32

    Directories must have execute permissions to be usable. Usually this is 0755. PHP scripts run via mod_php are not executed but rather read; 0644 will suffice for this. Directories that must be written to need to be owned by the user the web server is running as. There may be additional concerns regarding permissions, e.g. SELinux, but the above will get you through the basics.

    Documents that must not be accessed by other users or external clients should be 0600, owned by the web server user, and located outside the DocumentRoot. Note that running mod_php in Safe Mode will prevent scripts from ever including anything outside the DocumentRoot; a lamentable flaw.

    0 Discuss (0)
  • 2020-12-08 01:41

    Assuming your SFTP/FTP user is johndoe and the web server group is www-data. johndoe can only read and write the files but not execute them (in my case never). The web server software, usually Apache/Nginx, from the group www-data can read/write/execute the files. Other users? What are they doing here??? So, I used to set 0670 (rw-rwx---) and it works for me always :)

    0 Discuss (0)
  • 2020-12-08 01:49

    1) Files that end with a .php extension are handed off to the PHP compiler by Apache. If the proper configuration is not set up to do so, PHP files get served up as text files by the server. The Apache configuration line "AddHandler php5-script php" in the httpd.conf file is the PHP5 method of setting this up.

    2) register.php needs to be accessible at http://www.example.com/php/register.php, as the java app is looking for it, so in the Apache htdocs folder, there needs to be a "php" folder with the register.php file in it.

    3) PHP files need read access by the user that's running the Apache service. Using PHP as an Apache module has no 'service' to speak of that's separate for PHP. Instead the Apache service, when it gets a request for a PHP file, makes a shell call to the PHP binary to parse the file and hand the Apache service the result, which it serves to the client. Only if you were using PHP from the command line (CLI setup) would the scripts need execute permission, and start with a #!/path/to/php-bin line.

    4) The requested file (register.php) needs to be in htdocs in order to be served by Apache. If PHP is running with "Safe Mode" disabled, register.php could include a file that was outside the htdocs folder.

    5) The path "../inc/db_login.php" is relative to the PHP script that was originally fetched (register.php), so, since register.php is in htdocs/php/register.php, that would put db_login.php at htdocs/inc/db_login.php.

    0 Discuss (0)