Difference between revisions of "File Permissions for Webpages"

(Created page with "When creating webpages with your graduate or undergraduate account, you need to make sure the files have the appropriate permissions for our web server to access them. == Sum...")
 
 
(21 intermediate revisions by 3 users not shown)
Line 3: Line 3:
 
== Summary ==
 
== Summary ==
  
The short version of this page is this: All files in your <tt>public_html</tt> directory (and all of its subdirectories, etc.) must have global read permissions; and your home directory, your <tt>public_html</tt> directory, and all directories within your <tt>public_html</tt> directory must have global execute permissions.  (If you're [[Displaying Directory Contents In A CS Webpage|displaying directory contents without an index.html file]], any affected directory will also need global read permissions.)
+
The short version of this page is this:
 +
 
 +
* '''All files''' in your <code>public_html</code> directory (and all of its subdirectories, etc.) '''must have''' global ''read'' permissions
 +
* Your home directory, your <code>public_html</code> directory, and all directories within your <code>public_html</code> directory '''must have''' global ''execute'' permissions
 +
* Your home directory, your <code>public_html</code> directory, your <code>public_html/cgi-bin</code> directory, and your <code>public_html/cgi-bin/php-cgi</code> script '''must not''' have group or global ''write'' permissions
 +
* If you're [[Displaying Directory Contents In A CS Webpage|displaying directory contents without an index.html file]], any affected directory will also need global ''read'' permissions.
 +
* Any files outside your <code>public_html</code> directory that the web server needs to access (e.g. ''password files for HTTP authentication'') '''must have''' global ''read'' permissions
 +
* Any directories containing files that the web server needs to access '''must have''' global ''execute'' permissions
  
 
If you just want to set all of the permissions to our recommended default values, log in to one of our [[:Category:Linux Clients|Linux clients]] and run the following commands:
 
If you just want to set all of the permissions to our recommended default values, log in to one of our [[:Category:Linux Clients|Linux clients]] and run the following commands:
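Review bot: The two new summary bullets about files outside public_html (e.g. password files for HTTP authentication) ask only for global read and global execute and say nothing about group access, so a reader can satisfy them with 644/755 and leave a password file readable by every member of the users group. Suggest naming the intended modes in the bullets themselves, 604 for such files and 701 for the directories containing them, as the "File Permissions and our Webserver" section does.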
Line 10: Line 17:
 
  find ~/public_html \( -type d -exec chmod 0701 {} + -o -type f -exec chmod 0604 {} + \)
 
  find ~/public_html \( -type d -exec chmod 0701 {} + -o -type f -exec chmod 0604 {} + \)
 
  find ~/public_html/cgi-bin -type f -exec chmod 0705 {} +
 
  find ~/public_html/cgi-bin -type f -exec chmod 0705 {} +
<!-- NOTE: The final `find` invocation above can use "0700" on the grad net, since we use per-account CGI execution. -->
 
  
 +
<!--NOTE: The final <code>find</code> invocation above can use "<code>0700</code>" on the grad net, since we use per-account CGI execution.  See the [[#CGI and PHP Programs on www.cs.jhu.edu|CGI and PHP programs]] section below for more information.
 +
-->
 
'''Warning''': This has the potential to break things if you're doing anything more complex than serving simple HTML files.  For more information on our setup, please keep reading.
 
'''Warning''': This has the potential to break things if you're doing anything more complex than serving simple HTML files.  For more information on our setup, please keep reading.
  
== A Brief Refresher on Unix File Permissions ==
+
== File Permissions and our Webserver ==
 
 
If you're already familiar with Unix permissions, feel free to skip to the next section.
 
 
 
In Unix, every file belongs to one account and one group.  Each file has three sets of permissions: one for its owning account (often shortened to "u", for ''u''ser), one for its group ("g"), and one for everyone else ("o", for ''o''ther).  The permissions are ''r''ead, ''w''rite, and e''x''ecute.
 
 
 
Read permissions allow you to access the contents of a file or see what's in a directory.  Write permissions allow you to change a file or add and remove files from a directory.  Execute permissions on a file let you run it as a program.  Execute permissions on a directory let you (try to) access the files in the directory.  Note that this means that in order to access a file, you must have read permission on the file ''and'' execute permission on the directory containing the file (and the directory containing that directory, and so on).
 
  
When the system checks permissions on a file (or directory), it first checks to see if you're the owner of the file; if so, it uses the account permissions.  Otherwise, it checks to see if you're a member of the file's group; if so, it uses the group permissions.  Otherwise, it uses the global permissions.
+
If you need a refresher on file permissions, please see our [[Unix File Permission Primer]].
 
 
The <tt>chmod</tt> program is used to change permissions on a file or directory.  Its invocation looks roughly like this:
 
 
 
chmod ''permissions'' ''file'' [''file'' ...]
 
 
 
The "''permissions''" parameter can either be an octal number (which is out of scope for this refresher) or a symbolic statement using "u", "g", and "o" for the permission set; "+" or "-" for adding or removing permissions, respectively; and "r", "w", and "x" for the permissions themselves.  Multiple sets of permissions are separated by commas.  For example, to add execute permission for a file owner while removing all access to "others", you would run <code>chmod u+x,o-rwx ''file''</code>.
 
 
 
== File Permissions and our Webserver ==
 
  
 
For most, if not all, of the files in your <tt>~/public_html</tt> directory, the following statements are probably true:
 
For most, if not all, of the files in your <tt>~/public_html</tt> directory, the following statements are probably true:
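Review bot: The note that the final find invocation can use "0700" is wrapped in an HTML comment, so readers only ever see "chmod 0705" for cgi-bin files, while the CGI section the note links to recommends "chmod 700 program". Either surface the note or change the quick-start command so the two agree; as written the quick-start grants global read and execute on CGI programs without explaining why.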
Line 38: Line 32:
 
* The webserver needs to be able to read the files (so it can serve them to the world), but it probably doesn't need to write to them.
 
* The webserver needs to be able to read the files (so it can serve them to the world), but it probably doesn't need to write to them.
  
Every personal account on our systems is a member of the <tt>users</tt> group.  Our webserver runs as an account (<tt>apache</tt>) that is ''not'' a member of the <tt>users</tt> group.  Because of the way Unix permissions are resolved, this means that you can make the group permissions of files owned by the <tt>users</tt> group ''more'' restrictive than the global permissions, and that will have the net effect of allowing access to the webserver's account while denying access to other people using our shared systems.
+
Every personal account on our systems is a member of the <tt>users</tt> group.  Our webserver runs as an account (<tt>apache</tt>) that is ''not'' a member of the <tt>users</tt> group.  Because of the way Unix permissions are resolved, this means that you can make the group permissions of files owned by the <tt>users</tt> group ''more'' restrictive than the global permissions.  That will have the net effect of allowing access to the webserver's account while denying access to other people using our shared systems.
  
Thus, HTML files for the webserver should have the following permissions:
+
Thus, HTML files any any other files the webserver needs to access should have the following permissions:
  
* '''u'''ser: read and write
+
* user: read and write
* '''g'''roup: nothing
+
* group: nothing
* '''o'''ther: read
+
* other: read
  
 
The corresponding <tt>chmod</tt> invocation would be:
 
The corresponding <tt>chmod</tt> invocation would be:
  
  chmod u+rw,g-rwx,o+r ''file''
+
  chmod 604 ''file''
  
 
Directories containing HTML files need to have execute permission for both you and the webserver (so it can access the files), but don't need to have global read permissions (unless you're using [[Displaying Directory Contents In A CS Webpage|directory indexes]]).  Thus, the <tt>chmod</tt> invocation for directories is:
 
Directories containing HTML files need to have execute permission for both you and the webserver (so it can access the files), but don't need to have global read permissions (unless you're using [[Displaying Directory Contents In A CS Webpage|directory indexes]]).  Thus, the <tt>chmod</tt> invocation for directories is:
  
  chmod u+rwx,g-rwx,o+x ''directory''
+
  chmod 701 ''directory''
 +
 
 +
If you're going to be doing a lot of work with HTML files, you might want to change your [[Unix File Permission Primer#Default Permissions|umask]].  This should set the defaults appropriately:
 +
 
 +
umask 072
 +
 
 +
'''NOTE''': In some cases, the webserver may need to access files outside your <code>~/public_html</code> directory.  This generally only occurs if you've added directives to <code>.htaccess</code> files and those directives point at files elsewhere in your directory tree.  In those cases, the webserver will need read access to those files, too.  This does ''not'' apply to files accessed only by CGI or PHP programs; see the next section for those.
  
<!--
 
 
== CGI and PHP Programs ==
 
== CGI and PHP Programs ==
  
On the main CS webserver (www.cs.jhu.edu), all CGI and PHP programs run under your account, ''not'' the <tt>apache</tt> account of the webserver.  This means that CGI and PHP programs, as well as files that are only accessed by those programs, don't have to have permissions for anything other than your own accountFor such programs (and the directories containing them), you can use the following <tt>chmod</tt> invocation:
+
All CGI and PHP programs run under your account, ''not'' the <code>apache</code> account of the webserver.  In order for that to work properly, the CGI script must not be modifiable by anyone other than youIn other words, neither it, nor any of its parent directories (e.g. <code>~/public_html/cgi-bin</code>, <code>~/public_html</code>, your home directory, etc.) can have group or other write permissions.
  
chmod u+rwx,g-rwx,o-rwx ''program''
+
PHP programs are all run via the script at <code>~/public_html/cgi-bin/php-cgi</code>, so that's the only file that absolutely needs to have its write access restricted for PHP to work.
  
For files that are only accessed by those programs, use the same invocation, but with "<tt>u+rw</tt>" instead of "<tt>u+rwx</tt>".
+
If any of the permissions on a CGI script or the <code>php-cgi</code> script are wrong, you'll get an "Internal Server Error" message when you try to view them from a web browser.
-->
+
 
 +
Since CGI and PHP programs run under your account, that means that those programs, as well as files that are only accessed by those programs, don't have to have permissions for anything other than your own account.  For such programs, you can use the following <code>chmod</code> invocation:
 +
 
 +
chmod 700 ''program''
 +
 
 +
For files that are only accessed by those programs, use the same invocation, but with "<code>600</code>" instead of "<code>700</code>".
  
<!--
 
 
== Access Control Lists ==
 
== Access Control Lists ==
  
Our filesystems support POSIX Access Control Lists (ACLs).  It is possible to use ACLs to selectively grant read access to the webserver's account (<tt>apache</tt>) without granting global access with the standard Unix permissions.  We don't recommend doing this unless you're already familiar with ACLs, since it can make your file permissions more complex and more prone to subtle problems.
+
Our filesystems support [[Unix File Permission Primer#Access Control Lists|Access Control Lists]] (ACLs).  It is possible to use ACLs to selectively grant read access to the webserver's account (<tt>apache</tt>) without granting global access with the standard Unix permissions.  We don't recommend doing this unless you're already familiar with ACLs, since it can make your file permissions more complex and more prone to subtle problems.
-->
 
  
 
[[Category:Webpages and Webservices]]
 
[[Category:Webpages and Webservices]]
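Review bot: "umask 072" does not reproduce the modes recommended just above it: new files come out as 604, but new directories come out as 705 rather than 701, which adds global read to every directory created. Say so next to the umask line, or tell readers to chmod 701 new directories unless they want directory indexes. The added sentence "Thus, HTML files any any other files" also has a typo ("any any" for "and any").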

Latest revision as of 16:29, 2 February 2022

When creating webpages with your graduate or undergraduate account, you need to make sure the files have the appropriate permissions for our web server to access them.

Summary

The short version of this page is this:

  • All files in your public_html directory (and all of its subdirectories, etc.) must have global read permissions
  • Your home directory, your public_html directory, and all directories within your public_html directory must have global execute permissions
  • Your home directory, your public_html directory, your public_html/cgi-bin directory, and your public_html/cgi-bin/php-cgi script must not have group or global write permissions
  • If you're displaying directory contents without an index.html file, any affected directory will also need global read permissions.
  • Any files outside your public_html directory that the web server needs to access (e.g. password files for HTTP authentication) must have global read permissions
  • Any directories containing files that the web server needs to access must have global execute permissions

If you just want to set all of the permissions to our recommended default values, log in to one of our Linux clients and run the following commands:

chmod 0701 ~
find ~/public_html \( -type d -exec chmod 0701 {} + -o -type f -exec chmod 0604 {} + \)
find ~/public_html/cgi-bin -type f -exec chmod 0705 {} +

Warning: This has the potential to break things if you're doing anything more complex than serving simple HTML files. For more information on our setup, please keep reading.

File Permissions and our Webserver

If you need a refresher on file permissions, please see our Unix File Permission Primer.

For most, if not all, of the files in your ~/public_html directory, the following statements are probably true:

  • You should be able to read and write the files.
  • No other person on our shared systems should be able to even read the files. (In case you have passwords or other sensitive information in there.)
  • The webserver needs to be able to read the files (so it can serve them to the world), but it probably doesn't need to write to them.

Every personal account on our systems is a member of the users group. Our webserver runs as an account (apache) that is not a member of the users group. Because of the way Unix permissions are resolved, this means that you can make the group permissions of files owned by the users group more restrictive than the global permissions. That will have the net effect of allowing access to the webserver's account while denying access to other people using our shared systems.

Thus, HTML files and any other files the webserver needs to access should have the following permissions:

  • user: read and write
  • group: nothing
  • other: read

The corresponding chmod invocation would be:

chmod 604 file

Directories containing HTML files need to have execute permission for both you and the webserver (so it can access the files), but don't need to have global read permissions (unless you're using directory indexes). Thus, the chmod invocation for directories is:

chmod 701 directory
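
The resolution rule described above (owner first, then group, then other, with only one class ever applied) can be worked through in a few lines of shell. This is an added example, not part of the original page; the function name `effective_bits` and the accounts alice and bob are constructed for illustration, while `users` and `apache` are the group and account named on this page.

```shell
#!/bin/sh
# effective_bits MODE OWNER GROUP ACCOUNT "ACCOUNT_GROUPS"
# Prints the octal digit (0-7) that applies to ACCOUNT for a file with the
# given MODE, OWNER and GROUP. Exactly one class is used: owner, else group,
# else other. (root's override is not modelled.)
effective_bits() {
    mode=$1 owner=$2 group=$3 account=$4 account_groups=$5
    perms=$(( 0$mode & 0777 ))      # read MODE as octal, keep rwxrwxrwx
    shift_by=0                      # default class: other
    if [ "$account" = "$owner" ]; then
        shift_by=6                  # class: owner
    else
        for g in $account_groups; do
            if [ "$g" = "$group" ]; then
                shift_by=3          # class: group, even if it grants less
            fi
        done
    fi
    echo $(( (perms >> shift_by) & 7 ))
}

# Constructed accounts: alice owns the files, bob is another member of
# "users", apache is the webserver account outside "users".
for target in "604 index.html" "701 public_html"; do
    for who in "alice users" "bob users" "apache apache"; do
        bits=$(effective_bits "${target%% *}" alice users "${who%% *}" "${who#* }")
        echo "${target#* } (${target%% *}) as ${who%% *}: $bits"
    done
done
```

A result of 0 for bob on both the file and the directory is the point of the scheme: the group class matches first and grants nothing, so the more permissive "other" bits are never consulted for members of `users`.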

If you're going to be doing a lot of work with HTML files, you might want to change your umask. This should set the defaults appropriately:

umask 072

NOTE: In some cases, the webserver may need to access files outside your ~/public_html directory. This generally only occurs if you've added directives to .htaccess files and those directives point at files elsewhere in your directory tree. In those cases, the webserver will need read access to those files, too. This does not apply to files accessed only by CGI or PHP programs; see the next section for those.

CGI and PHP Programs

All CGI and PHP programs run under your account, not the apache account of the webserver. In order for that to work properly, the CGI script must not be modifiable by anyone other than you. In other words, neither it, nor any of its parent directories (e.g. ~/public_html/cgi-bin, ~/public_html, your home directory, etc.) can have group or other write permissions.

PHP programs are all run via the script at ~/public_html/cgi-bin/php-cgi, so that's the only file that absolutely needs to have its write access restricted for PHP to work.

If any of the permissions on a CGI script or the php-cgi script are wrong, you'll get an "Internal Server Error" message when you try to view them from a web browser.

Since CGI and PHP programs run under your account, that means that those programs, as well as files that are only accessed by those programs, don't have to have permissions for anything other than your own account. For such programs, you can use the following chmod invocation:

chmod 700 program

For files that are only accessed by those programs, use the same invocation, but with "600" instead of "700".
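
Before reaching for the blanket `find ... chmod` commands from the summary, it can help to see which paths actually break the rules. The following audit function is an added example, not part of the original page or any tool provided on these systems; the function name and the rule labels are hypothetical, and it assumes files under `cgi-bin` are exempt from the global-read rule because they run under your own account.

```shell
#!/bin/sh
# audit_web_perms HOME_DIR
# Prints one "rule: path" line per violation of the summary rules on this
# page; prints nothing when the tree is clean. Changes nothing.
audit_web_perms() {
    home=$1
    web=$home/public_html
    cgi=$web/cgi-bin

    # Rule: files served by the webserver need global read. cgi-bin is
    # skipped because programs there run under the owner's account.
    find "$web" -path "$cgi" -prune -o -type f ! -perm -004 -print |
        sed 's/^/missing-global-read: /'

    # Rule: the home directory and every directory under public_html need
    # global execute so the webserver can traverse them.
    { find "$home" -prune ! -perm -001 -print
      find "$web" -type d ! -perm -001 -print; } |
        sed 's/^/missing-global-execute: /'

    # Rule: no group or global write on the home directory, public_html,
    # cgi-bin, or any script in cgi-bin (including php-cgi).
    { for dir in "$home" "$web" "$cgi"; do
          if [ -d "$dir" ]; then
              find "$dir" -prune \( -perm -020 -o -perm -002 \) -print
          fi
      done
      if [ -d "$cgi" ]; then
          find "$cgi" -type f \( -perm -020 -o -perm -002 \) -print
      fi; } |
        sed 's/^/group-or-global-write: /'
}

# Run as: sh audit.sh "$HOME"
if [ $# -gt 0 ]; then
    audit_web_perms "$1"
fi
```

A `group-or-global-write` line for anything under `cgi-bin` corresponds to the "Internal Server Error" case described above.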

Access Control Lists

Our filesystems support Access Control Lists (ACLs). It is possible to use ACLs to selectively grant read access to the webserver's account (apache) without granting global access with the standard Unix permissions. We don't recommend doing this unless you're already familiar with ACLs, since it can make your file permissions more complex and more prone to subtle problems.