Feb
21st

Those Annoying Website Permissions

Filed under The Server Room | Posted by Gary

This little ‘lesson’ is going to be partly a rant … but mostly just good information. The rant is directed at hosting companies that don’t enforce strict and consistent file ownership in their web server configurations. Not only are you doing your customers a disservice, but you are also the reason so many scripts need some directories and files set to be world writable. That in and of itself isn’t necessarily a high risk, but it is completely unnecessary on a properly configured server.

Now that I’ve had my rant, let’s look at how permissions work and why many hosting servers are improperly configured.

When a CPanel account is created, almost every file below the home directory of that account is ‘owned’ by the username of the account. This makes sense obviously, because as the owner of the web site that is associated with your CPanel account, you should have permission to add, edit and delete files. So, given that you are the ‘owner’ of the files in your CPanel account, why is it that you have to set files and directories to be writable by ‘everyone else’ in order for some scripts to function properly?

This has to do with how Apache is running on the server and, more importantly, WHO it is running as. A properly configured Apache server will be set to run in such a way that when it is displaying files from your web site it will be running as the ‘owner’ of your web site. This is why Apache allows you to set a ‘User’ and ‘Group’ for each vhost account … so that it can run with the correct permissions for each vhost.

The problem is that some web hosting companies run their Apache server as the ‘nobody’ user. This doesn’t have an effect on your pages being displayed, but it means that if you are using a script that needs to update any files on your website, it just isn’t going to happen unless the files are set to be ‘world writable’. This is why you are sometimes instructed to set the ‘permissions’ to ‘666’ or ‘777’. That allows the ‘nobody’ user that Apache is running as to modify your files, which are owned by your CPanel account.
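
To make that concrete, here is a small shell script added as an example (it is not from the original post). It checks which permission class can write at a given mode and lists the world-writable entries under a site directory; the function names and the demo directory layout are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Paths and names are made up.

# can_write MODE CLASS: succeeds if CLASS (owner|group|other) has the write
# bit in octal MODE. Apache running as the account owner is checked against
# the owner bits; Apache running as 'nobody' falls into "other".
can_write() {
    case "$2" in
        owner) bit=0200 ;;
        group) bit=0020 ;;
        other) bit=0002 ;;
        *) return 2 ;;
    esac
    [ $(( 0$1 & $bit )) -ne 0 ]
}

# world_writable DIR: list files and directories under DIR that have the
# "other" write bit set (666, 777, ...). Symlinks are skipped.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | LC_ALL=C sort
}

# Constructed demo tree showing the 'nobody' workaround and how to spot it.
demo() {
    site=$(mktemp -d) || return 1
    mkdir "$site/uploads"
    : > "$site/index.php"
    : > "$site/config.php"
    chmod 644 "$site/index.php"    # owner read/write, everyone else read-only
    chmod 666 "$site/config.php"   # opened up so 'nobody' can write
    chmod 777 "$site/uploads"      # same workaround on a directory
    for mode in 644 666; do
        for class in owner other; do
            if can_write "$mode" "$class"; then r=yes; else r=no; fi
            echo "mode $mode, Apache as '$class': write=$r"
        done
    done
    echo "World-writable entries:"
    world_writable "$site"
    rm -rf "$site"
}
demo
```

On a real account you would point `world_writable` at your own web root instead of the demo directory.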

Clear as mud? I hope not … but if you want to learn some more about Unix file permissions there’s a good guide at http://www.hackinglinuxexposed.com/articles/20030417.html
