File Permissions for Webpages

Revision as of 18:24, 10 May 2017 by Phil.cs.jhu.edu (talk | contribs) (Take the "CGI and PHP Programs" section back out, since it only applied to the grad net.)

When creating webpages with your graduate or undergraduate account, you need to make sure the files have the appropriate permissions for our web server to access them.

Summary

The short version of this page is this:

All files in your public_html directory (and all of its subdirectories, etc.) must have global read permissions; your home directory, your public_html directory, and all directories within your public_html directory must have global execute permissions; and your home directory, your public_html directory, your public_html/cgi-bin directory, and your public_html/cgi-bin/php-cgi script must not have group or global write permissions.
(If you're displaying directory contents without an index.html file, any affected directory will also need global read permissions.)

If you just want to set all of the permissions to our recommended default values, log in to one of our Linux clients and run the following commands: 

chmod 0701 ~
find ~/public_html \( -type d -exec chmod 0701 {} + -o -type f -exec chmod 0604 {} + \)
find ~/public_html/cgi-bin -type f -exec chmod 0705 {} +

Warning: This has the potential to break things if you're doing anything more complex than serving simple HTML files. For more information on our setup, please keep reading.

File Permissions and our Webserver

If you need a refresher on file permissions, please see our Unix File Permission Primer.

For most, if not all, of the files in your ~/public_html directory, the following statements are probably true:

  • You should be able to read and write the files.
  • No other person on our shared systems should be able to even read the files. (In case you have passwords or other sensitive information in there.)
  • The webserver needs to be able to read the files (so it can serve them to the world), but it probably doesn't need to write to them.

Every personal account on our systems is a member of the users group. Our webserver runs as an account (apache) that is not a member of the users group. Because of the way Unix permissions are resolved, this means that you can make the group permissions of files owned by the users group more restrictive than the global permissions, and that will have the net effect of allowing access to the webserver's account while denying access to other people using our shared systems.

Thus, HTML files for the webserver should have the following permissions:

  • user: read and write
  • group: nothing
  • other: read

The corresponding chmod invocation would be: 

chmod 604 file

Directories containing HTML files need to have execute permission for both you and the webserver (so it can access the files), but don't need to have global read permissions (unless you're using directory indexes). Thus, the chmod invocation for directories is: 

chmod 701 directory

If you're going to be doing a lot of work with HTML files, you might want to change your umask. This should set the defaults appropriately: 

umask 072

Access Control Lists

Our filesystems support Access Control Lists (ACLs). It is possible to use ACLs to selectively grant read access to the webserver's account (apache) without granting global access with the standard Unix permissions. We don't recommend doing this unless you're already familiar with ACLs, since it can make your file permissions more complex and more prone to subtle problems.