Difference between revisions of "File Permissions for Webpages"

 
(15 intermediate revisions by 3 users not shown)
Line 5: Line 5:
 
The short version of this page is this:
 
The short version of this page is this:
  
::'''All files''' in your <tt>public_html</tt> directory (and all of its subdirectories, etc.) '''must have''' global ''read'' permissions; and your home directory, your <tt>public_html</tt> directory, and all directories within your <tt>public_html</tt> directory '''must have''' global ''execute'' permissions.
+
* '''All files''' in your <code>public_html</code> directory (and all of its subdirectories, etc.) '''must have''' global ''read'' permissions
 
+
* Your home directory, your <code>public_html</code> directory, and all directories within your <code>public_html</code> directory '''must have''' global ''execute'' permissions
::(If you're [[Displaying Directory Contents In A CS Webpage|displaying directory contents without an index.html file]], any affected directory will also need global ''read'' permissions.)
+
* Your home directory, your <code>public_html</code> directory, your <code>public_html/cgi-bin</code> directory, and your <code>public_html/cgi-bin/php-cgi</code> script '''must not''' have group or global ''write'' permissions
 +
* If you're [[Displaying Directory Contents In A CS Webpage|displaying directory contents without an index.html file]], any affected directory will also need global ''read'' permissions.
 +
* Any files outside your <code>public_html</code> directory that the web server needs to access (e.g. ''password files for HTTP authentication'') '''must have''' global ''read'' permissions
 +
* Any directories containing files that the web server needs to access '''must have''' global ''execute'' permissions
  
 
If you just want to set all of the permissions to our recommended default values, log in to one of our [[:Category:Linux Clients|Linux clients]] and run the following commands:
 
If you just want to set all of the permissions to our recommended default values, log in to one of our [[:Category:Linux Clients|Linux clients]] and run the following commands:
Line 14: Line 17:
 
  find ~/public_html \( -type d -exec chmod 0701 {} + -o -type f -exec chmod 0604 {} + \)
 
  find ~/public_html \( -type d -exec chmod 0701 {} + -o -type f -exec chmod 0604 {} + \)
 
  find ~/public_html/cgi-bin -type f -exec chmod 0705 {} +
 
  find ~/public_html/cgi-bin -type f -exec chmod 0705 {} +
<!-- NOTE: The final `find` invocation above can use "0700" on the grad net, since we use per-account CGI execution. -->
 
  
 +
<!--NOTE: The final <code>find</code> invocation above can use "<code>0700</code>" on the grad net, since we use per-account CGI execution.  See the [[#CGI and PHP Programs on www.cs.jhu.edu|CGI and PHP programs]] section below for more information.
 +
-->
 
'''Warning''': This has the potential to break things if you're doing anything more complex than serving simple HTML files.  For more information on our setup, please keep reading.
 
'''Warning''': This has the potential to break things if you're doing anything more complex than serving simple HTML files.  For more information on our setup, please keep reading.
  
Line 28: Line 32:
 
* The webserver needs to be able to read the files (so it can serve them to the world), but it probably doesn't need to write to them.
 
* The webserver needs to be able to read the files (so it can serve them to the world), but it probably doesn't need to write to them.
  
Every personal account on our systems is a member of the <tt>users</tt> group.  Our webserver runs as an account (<tt>apache</tt>) that is ''not'' a member of the <tt>users</tt> group.  Because of the way Unix permissions are resolved, this means that you can make the group permissions of files owned by the <tt>users</tt> group ''more'' restrictive than the global permissions, and that will have the net effect of allowing access to the webserver's account while denying access to other people using our shared systems.
+
Every personal account on our systems is a member of the <tt>users</tt> group.  Our webserver runs as an account (<tt>apache</tt>) that is ''not'' a member of the <tt>users</tt> group.  Because of the way Unix permissions are resolved, this means that you can make the group permissions of files owned by the <tt>users</tt> group ''more'' restrictive than the global permissions.  That will have the net effect of allowing access to the webserver's account while denying access to other people using our shared systems.
  
Thus, HTML files for the webserver should have the following permissions:
+
Thus, HTML files any any other files the webserver needs to access should have the following permissions:
  
 
* user: read and write
 
* user: read and write
Line 44: Line 48:
 
  chmod 701 ''directory''
 
  chmod 701 ''directory''
  
If you're going to be doing a lot of work with HTML files, you might want to change your umask.  This should set the defaults appropriately:
+
If you're going to be doing a lot of work with HTML files, you might want to change your [[Unix File Permission Primer#Default Permissions|umask]].  This should set the defaults appropriately:
  
 
  umask 072
 
  umask 072
  
<!--
+
'''NOTE''': In some cases, the webserver may need to access files outside your <code>~/public_html</code> directory.  This generally only occurs if you've added directives to <code>.htaccess</code> files and those directives point at files elsewhere in your directory tree.  In those cases, the webserver will need read access to those files, too.  This does ''not'' apply to files accessed only by CGI or PHP programs; see the next section for those.
 +
 
 
== CGI and PHP Programs ==
 
== CGI and PHP Programs ==
  
On the main CS webserver (www.cs.jhu.edu), all CGI and PHP programs run under your account, ''not'' the <tt>apache</tt> account of the webserver.  This means that CGI and PHP programs, as well as files that are only accessed by those programs, don't have to have permissions for anything other than your own account.  For such programs (and the directories containing them), you can use the following <tt>chmod</tt> invocation:
+
All CGI and PHP programs run under your account, ''not'' the <code>apache</code> account of the webserver.  In order for that to work properly, the CGI script must not be modifiable by anyone other than you.  In other words, neither it, nor any of its parent directories (e.g. <code>~/public_html/cgi-bin</code>, <code>~/public_html</code>, your home directory, etc.) can have group or other write permissions.
 +
 
 +
PHP programs are all run via the script at <code>~/public_html/cgi-bin/php-cgi</code>, so that's the only file that absolutely needs to have its write access restricted for PHP to work.
 +
 
 +
If any of the permissions on a CGI script or the <code>php-cgi</code> script are wrong, you'll get an "Internal Server Error" message when you try to view them from a web browser.
 +
 
 +
Since CGI and PHP programs run under your account, that means that those programs, as well as files that are only accessed by those programs, don't have to have permissions for anything other than your own account.  For such programs, you can use the following <code>chmod</code> invocation:
  
 
  chmod 700 ''program''
 
  chmod 700 ''program''
  
For files that are only accessed by those programs, use the same invocation, but with "<tt>u+rw</tt>" instead of "<tt>u+rwx</tt>".
+
For files that are only accessed by those programs, use the same invocation, but with "<code>600</code>" instead of "<code>700</code>".
  
-->
 
 
== Access Control Lists ==
 
== Access Control Lists ==
  

Latest revision as of 16:29, 2 February 2022

When creating webpages with your graduate or undergraduate account, you need to make sure the files have the appropriate permissions for our web server to access them.

Summary

The short version of this page is this:

  • All files in your public_html directory (and all of its subdirectories, etc.) must have global read permissions
  • Your home directory, your public_html directory, and all directories within your public_html directory must have global execute permissions
  • Your home directory, your public_html directory, your public_html/cgi-bin directory, and your public_html/cgi-bin/php-cgi script must not have group or global write permissions
  • If you're displaying directory contents without an index.html file, any affected directory will also need global read permissions.
  • Any files outside your public_html directory that the web server needs to access (e.g. password files for HTTP authentication) must have global read permissions
  • Any directories containing files that the web server needs to access must have global execute permissions

If you just want to set all of the permissions to our recommended default values, log in to one of our Linux clients and run the following commands:

chmod 0701 ~
find ~/public_html \( -type d -exec chmod 0701 {} + -o -type f -exec chmod 0604 {} + \)
find ~/public_html/cgi-bin -type f -exec chmod 0705 {} +

Warning: This has the potential to break things if you're doing anything more complex than serving simple HTML files. For more information on our setup, please keep reading.

File Permissions and our Webserver

If you need a refresher on file permissions, please see our Unix File Permission Primer.

For most, if not all, of the files in your ~/public_html directory, the following statements are probably true:

  • You should be able to read and write the files.
  • No other person on our shared systems should be able to even read the files. (In case you have passwords or other sensitive information in there.)
  • The webserver needs to be able to read the files (so it can serve them to the world), but it probably doesn't need to write to them.

Every personal account on our systems is a member of the users group. Our webserver runs as an account (apache) that is not a member of the users group. Because of the way Unix permissions are resolved, this means that you can make the group permissions of files owned by the users group more restrictive than the global permissions. That will have the net effect of allowing access to the webserver's account while denying access to other people using our shared systems.

Thus, HTML files any any other files the webserver needs to access should have the following permissions:

  • user: read and write
  • group: nothing
  • other: read

The corresponding chmod invocation would be:

chmod 604 file

Directories containing HTML files need to have execute permission for both you and the webserver (so it can access the files), but don't need to have global read permissions (unless you're using directory indexes). Thus, the chmod invocation for directories is:

chmod 701 directory

If you're going to be doing a lot of work with HTML files, you might want to change your umask. This should set the defaults appropriately:

umask 072

NOTE: In some cases, the webserver may need to access files outside your ~/public_html directory. This generally only occurs if you've added directives to .htaccess files and those directives point at files elsewhere in your directory tree. In those cases, the webserver will need read access to those files, too. This does not apply to files accessed only by CGI or PHP programs; see the next section for those.

CGI and PHP Programs

All CGI and PHP programs run under your account, not the apache account of the webserver. In order for that to work properly, the CGI script must not be modifiable by anyone other than you. In other words, neither it, nor any of its parent directories (e.g. ~/public_html/cgi-bin, ~/public_html, your home directory, etc.) can have group or other write permissions.

PHP programs are all run via the script at ~/public_html/cgi-bin/php-cgi, so that's the only file that absolutely needs to have its write access restricted for PHP to work.

If any of the permissions on a CGI script or the php-cgi script are wrong, you'll get an "Internal Server Error" message when you try to view them from a web browser.

Since CGI and PHP programs run under your account, that means that those programs, as well as files that are only accessed by those programs, don't have to have permissions for anything other than your own account. For such programs, you can use the following chmod invocation:

chmod 700 program

For files that are only accessed by those programs, use the same invocation, but with "600" instead of "700".

Access Control Lists

Our filesystems support Access Control Lists (ACLs). It is possible to use ACLs to selectively grant read access to the webserver's account (apache) without granting global access with the standard Unix permissions. We don't recommend doing this unless you're already familiar with ACLs, since it can make your file permissions more complex and more prone to subtle problems.