File Permissions for Webpages

Revision as of 15:20, 12 September 2016 by Phil.cs.jhu.edu

When creating webpages with your graduate or undergraduate account, you need to make sure the files have the appropriate permissions for our web server to access them.

Summary

The short version of this page is this: All files in your public_html directory (and all of its subdirectories, etc.) must have global read permissions; and your home directory, your public_html directory, and all directories within your public_html directory must have global execute permissions. (If you're displaying directory contents without an index.html file, any affected directory will also need global read permissions.)

If you just want to set all of the permissions to our recommended default values, log in to one of our Linux clients and run the following commands:

chmod 0701 ~
find ~/public_html \( -type d -exec chmod 0701 {} + -o -type f -exec chmod 0604 {} + \)
find ~/public_html/cgi-bin -type f -exec chmod 0705 {} +

Warning: This has the potential to break things if you're doing anything more complex than serving simple HTML files. For more information on our setup, please keep reading.

A Brief Refresher on Unix File Permissions

If you're already familiar with Unix permissions, feel free to skip to the next section.

In Unix, every file belongs to one account and one group. Each file has three sets of permissions: one for its owning account (often shortened to "u", for user), one for its group ("g"), and one for everyone else ("o", for other). The permissions are read, write, and execute.

Read permissions allow you to access the contents of a file or see what's in a directory. Write permissions allow you to change a file or add and remove files from a directory. Execute permissions on a file let you run it as a program. Execute permissions on a directory let you (try to) access the files in the directory. Note that this means that in order to access a file, you must have read permission on the file and execute permission on the directory containing the file (and the directory containing that directory, and so on).

When the system checks permissions on a file (or directory), it first checks to see if you're the owner of the file; if so, it uses the account permissions. Otherwise, it checks to see if you're a member of the file's group; if so, it uses the group permissions. Otherwise, it uses the global permissions.

The chmod program is used to change permissions on a file or directory. Its invocation looks roughly like this:

chmod permissions file [file ...]

The "permissions" parameter can either be an octal number (which is out of scope for this refresher) or a symbolic statement using "u", "g", and "o" for the permission set; "+" or "-" for adding or removing permissions, respectively; and "r", "w", and "x" for the permissions themselves. Multiple sets of permissions are separated by commas. For example, to add execute permission for a file owner while removing all access to "others", you would run chmod u+x,o-rwx file.

File Permissions and our Webserver

For most, if not all, of the files in your ~/public_html directory, the following statements are probably true:

  • You should be able to read and write the files.
  • No other person on our shared systems should be able to even read the files. (In case you have passwords or other sensitive information in there.)
  • The webserver needs to be able to read the files (so it can serve them to the world), but it probably doesn't need to write to them.

Every personal account on our systems is a member of the users group. Our webserver runs as an account (apache) that is not a member of the users group. Because of the way Unix permissions are resolved, this means that you can make the group permissions of files owned by the users group more restrictive than the global permissions, and that will have the net effect of allowing access to the webserver's account while denying access to other people using our shared systems.
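The owner/group/other resolution order is what makes this trick work, and it is easy to get backwards. The following shell function is an added example (not part of this wiki page) that applies that order to an octal mode and reports the bits a given account ends up with; the account and group names (alice, bob, apache, users) are constructed samples, and a real system would take them from ls -l and id.

```shell
#!/bin/sh
# Added example, not from the original page: resolve which permission bits a
# given account gets on a file, following the owner -> group -> other order
# described above. Names (alice, bob, apache, users) are constructed samples.
#
# Usage: effective_perms MODE FILE_OWNER FILE_GROUP ACCOUNT "GROUP1 GROUP2 ..."
#   MODE is an octal mode as chmod takes it (3 or 4 digits, e.g. 0604).
effective_perms() {
    mode=$1; f_owner=$2; f_group=$3; who=$4; who_groups=$5

    # Keep only the three permission digits (drop a leading setuid/sticky digit).
    case ${#mode} in 4) mode=${mode#?} ;; esac
    u=${mode%??}            # owner digit
    g=${mode#?}; g=${g%?}   # group digit
    o=${mode#??}            # other digit

    # Resolution order: an owner match wins, then group membership, else "other".
    # Note that a group member never falls through to the "other" bits, which is
    # why an empty group set denies them even when "other" has read access.
    if [ "$who" = "$f_owner" ]; then
        bits=$u
    else
        bits=$o
        for grp in $who_groups; do
            [ "$grp" = "$f_group" ] && bits=$g
        done
    fi

    # Render the chosen digit as rwx, the way ls -l shows it.
    r=-; w=-; x=-
    [ $((bits & 4)) -ne 0 ] && r=r
    [ $((bits & 2)) -ne 0 ] && w=w
    [ $((bits & 1)) -ne 0 ] && x=x
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# Demonstration: index.html owned by alice:users with mode 0604 (u=rw-, g=---, o=r--).
# alice gets rw-, bob (another member of "users") gets ---, apache (not in "users") gets r--.
demo() {
    for who in "alice users" "bob users" "apache apache"; do
        set -- $who
        printf '%-7s -> %s\n' "$1" "$(effective_perms 0604 alice users "$1" "$2")"
    done
}

demo
```

The same function applied to a directory mode of 0701 gives bob nothing and apache execute only, which is exactly the property the recommended defaults rely on: the group bits are a deliberate hole in the middle, stricter than "other", so every other personal account is shut out while the webserver is let in.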

Thus, HTML files for the webserver should have the following permissions:

  • user: read and write
  • group: nothing
  • other: read

The corresponding chmod invocation would be:

chmod u+rw,g-rwx,o+r file

Directories containing HTML files need to have execute permission for both you and the webserver (so it can access the files), but don't need to have global read permissions (unless you're using directory indexes). Thus, the chmod invocation for directories is:

chmod u+rwx,g-rwx,o+x directory
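Rather than re-running the blanket chmod commands from the summary (which can break CGI scripts and anything else that is not plain HTML), it is often more useful to find out which entries deviate from the recommended layout and fix only those. The script below is an added example, not part of this wiki page or our standard tooling; it uses only POSIX find -perm tests, takes the public_html path and home directory as arguments (the defaults shown in the usage comment are assumptions), and prints one line per problem: files the webserver cannot read, directories it cannot traverse, group bits that expose content to every other account in the users group, and world-writable entries.

```shell
#!/bin/sh
# Added example, not from the original page: audit a public_html tree (and the
# home directory above it) against the layout recommended above and print one
# line per deviation. Uses only POSIX find/-perm tests.
#
# Usage: audit_webperms ~/public_html ~      (paths are the caller's choice)
audit_webperms() {
    root=$1; home=$2

    # The webserver account is not in "users", so it reads files through the
    # "other" bits: every file must be world-readable to be served at all.
    find "$root" -type f ! -perm -004 \
        -exec printf 'not world-readable (webserver cannot serve it): %s\n' {} \;

    # Every directory on the path needs world execute so apache can traverse it,
    # including the home directory that sits above public_html.
    find "$root" -type d ! -perm -001 \
        -exec printf 'not world-executable (webserver cannot traverse it): %s\n' {} \;
    if [ -n "$home" ]; then
        find "$home" -prune ! -perm -001 \
            -exec printf 'home directory not world-executable: %s\n' {} \;
    fi

    # Any group bit grants access to every other personal account, since they
    # all share the "users" group; the recommended modes leave the group empty.
    find "$root" \( -perm -040 -o -perm -020 -o -perm -010 \) \
        -exec printf 'group bits set (readable by other users): %s\n' {} \;

    # World-writable entries let any local account change what the site serves.
    find "$root" -perm -002 \
        -exec printf 'world-writable: %s\n' {} \;
    return 0
}

# Number of findings, so a login script or cron job can alert on a non-zero count.
count_findings() {
    audit_webperms "$1" "$2" | wc -l | tr -d ' '
}
```

Run it as audit_webperms ~/public_html ~ and apply the chmod forms given above only to the paths it lists. The script deliberately does not flag missing execute bits on files under cgi-bin or the other way round, because whether a file should be executable depends on what it is; it reports only the conditions this page describes.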