How to make directories writable but not 777
I'm using Textpattern CMS and I need to have write permissions on some directories. When I chmod those folders to 777 it all works.
But 777 is a security risk, and I would like to chmod those folders to something else, like 755 or similar. What do I need to do to make this work?
6 Replies
BTW, directories that are writable by the web server are a security risk regardless of what ownership and permissions they are set to. Never ever put PHP scripts or other executable files in there.
@hybinet:
… If your distribution runs Apache as nobody, this won't work.
Why do you say that?
@hybinet:
Keep the permissions 755, and chown to the same user that runs Apache. With Debian or Ubuntu, this will be the user "www-data".
The user that runs Apache: how can I find out which user that is? I installed everything as the "root" user, so that should probably be root, right?
I found this:
chown root:root /some-dir
Should I type that from the command line? I'm using PuTTY for SSH.
@hybinet:
BTW, directories that are writable by the web server are a security risk regardless of what ownership and permissions they are set to. Never ever put PHP scripts or other executable files in there.
These folders are for image and file uploads; that's an option in Textpattern CMS.
Thanks!
The command is:
sudo chown -R www-data /srv/www/path/to/folder
Thanks a lot, I spent half a day trying to solve this.
There are three digits. To take the example of 754 (just at random), 7 is owner, 5 is group, 4 is anyone.
Each digit is really a set of three bits (for execute, write, and read). But to visualize them, you can think of each permission as a number to be added:
+1: Execute
+2: Write
+4: Read
At the base, you have zero (no permissions). If you want to let somebody read a file, you would add 4. If you want to let them read and write a file, you would add 2 and 4 (6). If you want to let them read, write, and execute a file, you would add 1 and 2 and 4 (7).
Any combination of the three is possible. The most common you'll see are probably 7 (full permissions), 6 (read/write), 5 (read/execute), and 4 (read).
So, if you have the permission of 755, it would mean:
owner: full permission
group: read/execute
anyone: read/execute
When you do an 'ls -l', you'll see a representation of the bitfield. 777 looks like:
-rwxrwxrwx
The first digit is the file type (d for directory, for example). The next nine are broken up into groups of three:
- rwx rwx rwx
That's the owner/group/anyone again. 755 would look like:
-rwxr-xr-x
There is also a different syntax ("+x" gives all three execute permissions, "go+r" gives group and owner read permissions, etc.) if you don't want to use the numbers, but I'll let you read about that yourself (google it, or perhaps something like
@sleddog:
@hybinet:… If your distribution runs Apache as nobody, this won't work.
Why do you say that?
Sorry, I misworded that. It will probably work as intended, but it is not secure. In principle, the user nobody should not own any files or directories. On Debian every daemon runs as its own user, except a few that don't need to write any files (e.g. memcached).
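The checks discussed in this thread, as an added example that is not part of any reply: find the user Apache's worker processes run as, decode an octal mode into its `ls -l` form, and flag a directory that is still world-writable. It assumes GNU `stat` and procps `ps` on Linux; the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example. Assumes GNU coreutils stat and procps ps; names are illustrative.

# Print the non-root user Apache workers run as (empty if Apache is not running).
apache_user() {
    ps -eo user=,comm= | awk '$2 ~ /^(apache2|httpd)$/ && $1 != "root" { print $1; exit }'
}

# Convert a three-digit octal mode such as 755 into the nine-character ls -l form.
octal_to_rwx() {
    out=""
    for digit in $(printf '%s' "$1" | sed 's/./& /g'); do
        r=-; w=-; x=-
        if [ $((digit & 4)) -ne 0 ]; then r=r; fi   # +4: read
        if [ $((digit & 2)) -ne 0 ]; then w=w; fi   # +2: write
        if [ $((digit & 1)) -ne 0 ]; then x=x; fi   # +1: execute
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}

# Report owner and mode of a directory and flag the world-writable bit.
# Returns 0 when "anyone" cannot write, 1 when it can (e.g. 777), 2 on stat failure.
audit_dir() {
    mode=$(stat -c '%a' "$1") || return 2
    owner=$(stat -c '%U' "$1")
    perms=$(printf '%s' "$mode" | tail -c 3)   # drop a leading setuid/setgid/sticky digit
    echo "$1 owner=$owner mode=$perms ($(octal_to_rwx "$perms"))"
    other=${perms#??}                          # third digit: permissions for anyone
    if [ $((other & 2)) -ne 0 ]; then
        echo "  world-writable: chown to the web server user and chmod 755 instead"
        return 1
    fi
    return 0
}

# Run as: sh audit.sh /srv/www/path/to/folder
if [ "$#" -gt 0 ]; then
    echo "apache user: $(apache_user)"
    audit_dir "$1"
fi
```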