Note: The following primarily covers Linux, Unix and derivative systems. Windows handles file permissions differently.
File Permissions
Out of the box, vBulletin doesn’t really care about file permissions that much. The software is configured to store everything in your database and works with the web server’s default permissions. However, you can tighten this up a little to protect yourself and the users that visit your website.
typicalstructure.png
The image above shows what a typical website directory looks like when you first connect. If you look at the columns on the right, you will see the permissions and ownership of the files.
The basics
When we talk about file permissions, you’ll hear a lot of numbers, and it can be confusing to understand what they mean. You might see something like chmod 777 or chmod 755.
These numbers refer to three permissions: read, write and execute.
Permission | Value
Execute | 1
Write | 2
Read | 4
When you add up the values, you get the number that you should assign. So if the value is 7, then all three permissions are granted.
The numbers are given to three different groups of users as well: Owner, Group and Public/World. They are shown in that order from left to right. Naturally the Owner should have the most permissions and the Public should have the fewest.
Here is what a basic vBulletin installation might look like:
basicpermissions.png
777 – grants Read, Write and Execute permission to Owner, Group and Public.
755 – grants Read, Write and Execute to the Owner plus Read and Execute permissions to the Group and Public.
644 – grants Read and Write to the Owner plus Read permissions to the Group and Public.
So what should you do?
Of course you want the most secure permissions possible but still want to allow your site to work. In this case, you want to use the 644 permissions on your PHP files if you can. This means you can write to your files, via FTP, SCP or SFTP, but others cannot. It means you can read your files. The Group and World can read the files, which allows them to work properly on most systems. Your directories will probably need a minimum of 755 to work properly. More about this later.
Unfortunately, some hosting providers do not allow this permission to be used due to their setup. They may require 755 which adds in the Execute permission in order for PHP scripts to work properly. If you change your PHP scripts to the 644 permission and your site breaks, you will need to change them back to the 755 permission.
File Directories
File Directories are special in that they need to be “Executed” to be opened, to get directory listings and to find files in them. This is why they need at least the 755 permission. If you are storing attachments, custom avatars or other uploads in the file system, the directories that you are using to store these items need to have full permissions: 777. The reason for this is that the web server can run under a user that is different from the user that you manage files with. A lot of times the web server is handled by a background user named ‘nobody’, though this isn’t always the case. Unfortunately, we can’t go over every type of server configuration here.
How to Change Permissions
chmod is a command-line utility. Unfortunately, unless you’re on a Dedicated or Virtual Private Server (VPS), you probably do not have access to the command line to use it. Luckily for us, the FTP protocol allows us to change file permissions as well. In most FTP clients, you can pull up a context menu that gives you various actions to take on an item. You can access the context menu by right-clicking your mouse or click-hovering your mouse over the item. The item you’re looking for is permissions. Selecting this will allow you to change the permissions for the selected item(s).
Here is an example of what the context menu might look like:
contextmenu.png
If you do have shell or command line access, then you can use a command like:
chmod 644 *.php
chmod 644 *.js
chmod644.png
The desired permissions are:
Files – 644, or 755 if required by your hosting provider.
Directories – 755
User Upload Directories – 777
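The command chmod 644 *.php only touches files in the current directory, so the following added example (not from the original article) applies the scheme listed above to a whole tree with find and then reports anything that deviates from it. The function names and the upload directory names passed as arguments are assumptions; 777 is accepted only on the directories you name, so any other world-writable path stands out.

```shell
#!/bin/sh
# Added example, not from the article. Assumed inputs: the web root path
# and upload directory names (relative to it) are passed as arguments.

# set_perms WEBROOT [UPLOAD_DIR...]
# Directories -> 755, files -> 644, named upload directories -> 777.
set_perms() {
    root=$1; shift
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for up in "$@"; do
        chmod 777 "$root/$up"
    done
}

# is_upload_777 DIR WEBROOT [UPLOAD_DIR...]
# True only if DIR is one of the named upload directories and is mode 777.
is_upload_777() {
    dir=$1; base=$2; shift 2
    for up in "$@"; do
        if [ "$dir" = "$base/$up" ] && [ -n "$(find "$dir" -prune -perm 777)" ]; then
            return 0
        fi
    done
    return 1
}

# audit_perms WEBROOT [UPLOAD_DIR...]
# Prints each path that deviates from the scheme; returns 1 if any do.
audit_perms() {
    root=$1; shift
    bad=$(
        find "$root" -type f ! -perm 644
        find "$root" -type d ! -perm 755 | while IFS= read -r d; do
            if ! is_upload_777 "$d" "$root" "$@"; then printf '%s\n' "$d"; fi
        done
    )
    if [ -z "$bad" ]; then return 0; fi
    printf '%s\n' "$bad"
    return 1
}
```

On hosts that require 755 for PHP files, change the file mode in both functions to match.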
Next Time
Part II will cover securing your directories to make access more difficult for troublemakers. Future installments will cover secure attachment storage in the file system and how to make sure your plugins are safe.