File Permissions for Webpages

When creating webpages with your graduate or undergraduate account, you need to make sure the files have the appropriate permissions for our web server to access them.

Summary

The short version of this page is this:

  • All files in your public_html directory (and all of its subdirectories, etc.) must have global read permissions
  • Your home directory, your public_html directory, and all directories within your public_html directory must have global execute permissions
  • Your home directory, your public_html directory, your public_html/cgi-bin directory, and your public_html/cgi-bin/php-cgi script must not have group or global write permissions
  • If you're displaying directory contents without an index.html file, any affected directory will also need global read permissions.
  • Any files outside your public_html directory that the web server needs to access (e.g. password files for HTTP authentication) must have global read permissions
  • Any directories containing files that the web server needs to access must have global execute permissions

If you just want to set all of the permissions to our recommended default values, log in to one of our Linux clients and run the following commands:

chmod 0701 ~
find ~/public_html \( -type d -exec chmod 0701 {} + -o -type f -exec chmod 0604 {} + \)
find ~/public_html/cgi-bin -type f -exec chmod 0705 {} +

Warning: This has the potential to break things if you're doing anything more complex than serving simple HTML files. For more information on our setup, please keep reading.

File Permissions and our Webserver

If you need a refresher on file permissions, please see our Unix File Permission Primer.

For most, if not all, of the files in your ~/public_html directory, the following statements are probably true:

  • You should be able to read and write the files.
  • No other person on our shared systems should be able to even read the files. (In case you have passwords or other sensitive information in there.)
  • The webserver needs to be able to read the files (so it can serve them to the world), but it probably doesn't need to write to them.

Every personal account on our systems is a member of the users group. Our webserver runs as an account (apache) that is not a member of the users group. Because of the way Unix permissions are resolved, this means that you can make the group permissions of files owned by the users group more restrictive than the global permissions. That will have the net effect of allowing access to the webserver's account while denying access to other people using our shared systems.

Thus, HTML files and any other files the webserver needs to access should have the following permissions:

  • user: read and write
  • group: nothing
  • other: read

The corresponding chmod invocation would be:

chmod 604 file

Directories containing HTML files need to have execute permission for both you and the webserver (so it can access the files), but don't need to have global read permissions (unless you're using directory indexes). Thus, the chmod invocation for directories is:

chmod 701 directory

If you're going to be doing a lot of work with HTML files, you might want to change your umask. This should set the defaults appropriately:

umask 072

NOTE: In some cases, the webserver may need to access files outside your ~/public_html directory. This generally only occurs if you've added directives to .htaccess files and those directives point at files elsewhere in your directory tree. In those cases, the webserver will need read access to those files, too. This does not apply to files accessed only by CGI or PHP programs; see the next section for those.

CGI and PHP Programs

All CGI and PHP programs run under your account, not the apache account of the webserver. In order for that to work properly, the CGI script must not be modifiable by anyone other than you. In other words, neither it, nor any of its parent directories (e.g. ~/public_html/cgi-bin, ~/public_html, your home directory, etc.) can have group or other write permissions.

PHP programs are all run via the script at ~/public_html/cgi-bin/php-cgi, so that's the only file that absolutely needs to have its write access restricted for PHP to work.

If any of the permissions on a CGI script or the php-cgi script are wrong, you'll get an "Internal Server Error" message when you try to view them from a web browser.

Since CGI and PHP programs run under your account, that means that those programs, as well as files that are only accessed by those programs, don't have to have permissions for anything other than your own account. For such programs, you can use the following chmod invocation:

chmod 700 program

For files that are only accessed by those programs, use the same invocation, but with "600" instead of "700".

Access Control Lists

Our filesystems support Access Control Lists (ACLs). It is possible to use ACLs to selectively grant read access to the webserver's account (apache) without granting global access with the standard Unix permissions. We don't recommend doing this unless you're already familiar with ACLs, since it can make your file permissions more complex and more prone to subtle problems.