Difference between revisions of "File Permissions for Webpages"
(Add umask stuff.) |
(Pull file permission stuff out into a separate file.) |
||
Line 14: | Line 14: | ||
'''Warning''': This has the potential to break things if you're doing anything more complex than serving simple HTML files. For more information on our setup, please keep reading. | '''Warning''': This has the potential to break things if you're doing anything more complex than serving simple HTML files. For more information on our setup, please keep reading. | ||
− | == | + | == File Permissions and our Webserver == |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | If you need a refresher on file permissions, please see our [[Unix File Permission Primer]]. | |
For most, if not all, of the files in your <tt>~/public_html</tt> directory, the following statements are probably true: | For most, if not all, of the files in your <tt>~/public_html</tt> directory, the following statements are probably true: | ||
Line 44: | Line 28: | ||
Thus, HTML files for the webserver should have the following permissions: | Thus, HTML files for the webserver should have the following permissions: | ||
− | * | + | * user: read and write |
− | * | + | * group: nothing |
− | * | + | * other: read |
The corresponding <tt>chmod</tt> invocation would be: | The corresponding <tt>chmod</tt> invocation would be: | ||
− | chmod | + | chmod 604 ''file'' |
Directories containing HTML files need to have execute permission for both you and the webserver (so it can access the files), but don't need to have global read permissions (unless you're using [[Displaying Directory Contents In A CS Webpage|directory indexes]]). Thus, the <tt>chmod</tt> invocation for directories is: | Directories containing HTML files need to have execute permission for both you and the webserver (so it can access the files), but don't need to have global read permissions (unless you're using [[Displaying Directory Contents In A CS Webpage|directory indexes]]). Thus, the <tt>chmod</tt> invocation for directories is: | ||
− | chmod | + | chmod 701 ''directory'' |
If you're going to be doing a lot of work with HTML files, you might want to change your umask. This should set the defaults appropriately: | If you're going to be doing a lot of work with HTML files, you might want to change your umask. This should set the defaults appropriately: | ||
− | umask | + | umask 072 |
<!-- | <!-- | ||
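Review bot: The added `umask 072` line does not reproduce both modes recommended earlier in this hunk. New files come out as 604, but new directories come out as 705 rather than the 701 given for `chmod 701 ''directory''`, so they gain global read. No single umask yields both 604 for files and 701 for directories, so either note that new directories still need `chmod 701`, or soften "This should set the defaults appropriately".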
Line 65: | Line 49: | ||
On the main CS webserver (www.cs.jhu.edu), all CGI and PHP programs run under your account, ''not'' the <tt>apache</tt> account of the webserver. This means that CGI and PHP programs, as well as files that are only accessed by those programs, don't have to have permissions for anything other than your own account. For such programs (and the directories containing them), you can use the following <tt>chmod</tt> invocation: | On the main CS webserver (www.cs.jhu.edu), all CGI and PHP programs run under your account, ''not'' the <tt>apache</tt> account of the webserver. This means that CGI and PHP programs, as well as files that are only accessed by those programs, don't have to have permissions for anything other than your own account. For such programs (and the directories containing them), you can use the following <tt>chmod</tt> invocation: | ||
− | chmod | + | chmod 700 ''program'' |
For files that are only accessed by those programs, use the same invocation, but with "<tt>u+rw</tt>" instead of "<tt>u+rwx</tt>". | For files that are only accessed by those programs, use the same invocation, but with "<tt>u+rw</tt>" instead of "<tt>u+rwx</tt>". | ||
+ | |||
--> | --> | ||
− | |||
− | |||
== Access Control Lists == | == Access Control Lists == | ||
− | Our filesystems support | + | Our filesystems support Access Control Lists (ACLs). It is possible to use ACLs to selectively grant read access to the webserver's account (<tt>apache</tt>) without granting global access with the standard Unix permissions. We don't recommend doing this unless you're already familiar with ACLs, since it can make your file permissions more complex and more prone to subtle problems. |
− | |||
[[Category:Webpages and Webservices]] | [[Category:Webpages and Webservices]] |
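Review bot: In the commented-out CGI/PHP paragraph, the sentence after the changed `chmod 700 ''program''` line still says to use "u+rw" instead of "u+rwx", which no longer matches an octal invocation. Reword that sentence to give the octal mode for data files, so the block is consistent if it is ever uncommented.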
Revision as of 20:35, 13 September 2016
When creating webpages with your graduate or undergraduate account, you need to make sure the files have the appropriate permissions for our web server to access them.
Summary
The short version of this page is this: All files in your public_html directory (and all of its subdirectories, etc.) must have global read permissions; and your home directory, your public_html directory, and all directories within your public_html directory must have global execute permissions. (If you're displaying directory contents without an index.html file, any affected directory will also need global read permissions.)
If you just want to set all of the permissions to our recommended default values, log in to one of our Linux clients and run the following commands:
chmod 0701 ~
find ~/public_html \( -type d -exec chmod 0701 {} + -o -type f -exec chmod 0604 {} + \)
find ~/public_html/cgi-bin -type f -exec chmod 0705 {} +
Warning: This has the potential to break things if you're doing anything more complex than serving simple HTML files. For more information on our setup, please keep reading.
File Permissions and our Webserver
If you need a refresher on file permissions, please see our Unix File Permission Primer.
For most, if not all, of the files in your ~/public_html directory, the following statements are probably true:
- You should be able to read and write the files.
- No other person on our shared systems should be able to even read the files. (In case you have passwords or other sensitive information in there.)
- The webserver needs to be able to read the files (so it can serve them to the world), but it probably doesn't need to write to them.
Every personal account on our systems is a member of the users group. Our webserver runs as an account (apache) that is not a member of the users group. Because of the way Unix permissions are resolved, this means that you can make the group permissions of files owned by the users group more restrictive than the global permissions, and that will have the net effect of allowing access to the webserver's account while denying access to other people using our shared systems.
Thus, HTML files for the webserver should have the following permissions:
- user: read and write
- group: nothing
- other: read
The corresponding chmod invocation would be:
chmod 604 file
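The permission resolution described above, as an added example that is not part of the original page: a small model of how one permission class is selected per access, showing why mode 604 denies other members of the users group while still letting the webserver read. The numeric uids and gids are constructed stand-ins, not values from our systems.

```shell
#!/bin/sh
# Added example: a model of how Unix picks ONE permission class per access.
# All uids/gids below are constructed; gid 100 stands in for "users".

# access_class UID "GID LIST" FILE_UID FILE_GID  ->  prints user|group|other
# First match wins: owner, then any group membership, then everyone else.
access_class() {
    if [ "$1" = "$3" ]; then echo user; return; fi
    for gid in $2; do
        if [ "$gid" = "$4" ]; then echo group; return; fi
    done
    echo other
}

# can_read MODE UID "GID LIST" FILE_UID FILE_GID  ->  prints yes|no
# Only the read bit (value 4) of the selected class is consulted.
can_read() {
    mode=$1; shift
    case $(access_class "$@") in
        user)  bits=$(( (0$mode >> 6) & 7 )) ;;
        group) bits=$(( (0$mode >> 3) & 7 )) ;;
        *)     bits=$(( 0$mode & 7 )) ;;
    esac
    if [ $(( bits & 4 )) -ne 0 ]; then echo yes; else echo no; fi
}

OWNER_UID=1001;  OWNER_GIDS="100"   # you
PEER_UID=1002;   PEER_GIDS="100"    # another person on the shared systems
APACHE_UID=48;   APACHE_GIDS="48"   # webserver account, not in "users"

# report MODE: who can read a file owned by uid 1001, group 100, with MODE
report() {
    echo "owner=$(can_read "$1" $OWNER_UID "$OWNER_GIDS" 1001 100)" \
         "peer=$(can_read "$1" $PEER_UID "$PEER_GIDS" 1001 100)" \
         "apache=$(can_read "$1" $APACHE_UID "$APACHE_GIDS" 1001 100)"
}

report 604   # group stricter than other: peer denied, apache allowed
report 644   # conventional mode: the peer can read as well
```

The peer falls into the group class and never reaches the other bits, which is the whole effect the 604 recommendation relies on.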
Directories containing HTML files need to have execute permission for both you and the webserver (so it can access the files), but don't need to have global read permissions (unless you're using directory indexes). Thus, the chmod invocation for directories is:
chmod 701 directory
If you're going to be doing a lot of work with HTML files, you might want to change your umask. This should set the defaults appropriately:
umask 072
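An added example, not from the original page, showing what this umask produces and how to check a tree against the recommended modes. With umask 072 new files are created 604, but new directories are created 705 rather than 701, so they still need a chmod. The script assumes GNU stat, as on Linux clients, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: effect of `umask 072`, plus an audit for the recommended
# modes (604 for files, 701 for directories). Assumes GNU stat (Linux).

# Print the octal mode of a path.
mode_of() { stat -c '%a' "$1"; }

# Create a file and a directory under umask 072 in a scratch directory and
# print "<file mode> <dir mode>". The subshell body keeps the umask local.
umask_demo() (
    scratch=$(mktemp -d) || exit 1
    umask 072
    : > "$scratch/page.html"
    mkdir "$scratch/subdir"
    echo "$(mode_of "$scratch/page.html") $(mode_of "$scratch/subdir")"
    rm -rf "$scratch"
)

# List every entry under $1 whose mode differs from the recommendation.
# cgi-bin is skipped because its programs use 0705 instead of 0604.
audit_tree() {
    find "$1" -path "$1/cgi-bin" -prune -o \
        \( -type d ! -perm 701 -o -type f ! -perm 604 \) -print
}

umask_demo   # prints "604 705"
```

Run `audit_tree ~/public_html` to list anything that needs a chmod; no output means every file and directory already matches.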
Access Control Lists
Our filesystems support Access Control Lists (ACLs). It is possible to use ACLs to selectively grant read access to the webserver's account (apache) without granting global access with the standard Unix permissions. We don't recommend doing this unless you're already familiar with ACLs, since it can make your file permissions more complex and more prone to subtle problems.