Linux – Permissions on a typical shared Linux web host


I am trying to understand the file permissions on a typical shared Linux web hosting account. I know how to set rwx permissions for the OWNER, GROUP and PUBLIC entities of a file or directory. What isn't very clear to me is where, typically, the access permissions map to. I am guessing that:

USER permissions would affect what … uhm… not sure here
GROUP permissions would affect what a PHP or other script running on the server could do
OTHER (sometimes called PUBLIC or WORLD?) permissions would affect what a UA of a web site visitor can do

Can anybody correct, confirm or expand my understanding on this?


If I want to allow my PHP script that runs on the server the permission to write to a file, would that permission be specified in USER, GROUP or OTHER?
If I want to prevent a website visitor's browser from seeing the contents of a directory, would that permission be specified in the dir's USER, GROUP or OTHER?

Best Answer

  • Let's specify some keywords first.

    FTPUSER   = you with your ftp client
    WWWDAEMON = program (server) that's responsible for processing your web pages and scripts
    WWWUSER   = user as which the WWWDAEMON processes your pages
    BROWSER   = Someone looking at your website with a browser
    FILES     = files that reside in your www/ftp site
    yourgroup = group that your FTPUSER belongs to and WWWUSER does not

    You access your FILES as FTPUSER with an ftp program

    -rwxr-xr-x  2 FTPUSER yourgroup   72 2012-01-18 13:56 somescript.php

    Now, because the WWWDAEMON user WWWUSER is not you (FTPUSER), it respects the OTHER permissions when it tries to read your script. (There are hosting sites that run your scripts as your FTPUSER.) Removing the other read and exec permission will block use of somescript.php

    # this script is unusable through a browser
    -rwxr-x---  2 FTPUSER yourgroup   72 2012-01-18 13:56 somescript.php

    Creating a directory with world-writable permissions will allow your script to write there, but unless you protect that directory somehow (like with .htaccess, or by putting it outside your www dir) it might also mean that the BROWSER can access those files directly, because:

    BROWSER contacts WWWDAEMON which runs as WWWUSER so
    BROWSER can see everything processed by WWWDAEMON that the WWWUSER can.

    Processed also means that WWWDAEMON also respects .htaccess or similar to block access.

    The advice is to create say phpwritedir and give it a+rwx rights. Add .htaccess file there (if your hosting service allows it)

    deny from all

    With this, your script, run as WWWUSER, can still use that directory, but WWWDAEMON will block any BROWSER access to it.
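
As an added example (not code from the answer or the thread), the owner/group/other selection rule the answer relies on, applied to its two listings and extended to a group-writable directory and an owner-denied file; the uids, gids and extra modes are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    """A running process: the uid it runs as and the gids it belongs to."""
    name: str
    uid: int
    gids: frozenset

@dataclass(frozen=True)
class FileEntry:
    """A file or directory on disk: owner uid, group gid and mode bits."""
    owner_uid: int
    group_gid: int
    mode: int  # octal, e.g. 0o755 for -rwxr-xr-x

def effective_perms(f: FileEntry, p: Principal) -> str:
    """Return the single rwx triple POSIX applies to p, e.g. 'r-x'.
    Exactly one class is consulted, in order: owner, then group, then other.
    The classes do not add up: an owner whose owner bits are '---' is
    refused even when 'other' is 'rwx'. Root (uid 0) is not modelled.
    """
    if p.uid == f.owner_uid:
        shift = 6
    elif f.group_gid in p.gids:
        shift = 3
    else:
        shift = 0
    bits = (f.mode >> shift) & 0o7
    return "".join(c if bits & m else "-" for c, m in (("r", 4), ("w", 2), ("x", 1)))

def can_read(f, p):  return "r" in effective_perms(f, p)
def can_write(f, p): return "w" in effective_perms(f, p)

# Constructed ids: FTPUSER=1000 in yourgroup=1000; WWWUSER=33 in www-data=33,
# i.e. the answer's model where WWWUSER is not in yourgroup. A host that runs
# scripts as your FTPUSER is simply the FTPUSER principal below.
FTPUSER = Principal("FTPUSER", 1000, frozenset({1000}))
WWWUSER = Principal("WWWUSER", 33, frozenset({33}))

somescript  = FileEntry(1000, 1000, 0o755)  # -rwxr-xr-x  from the answer
locked      = FileEntry(1000, 1000, 0o750)  # -rwxr-x---  after chmod o-rx
groupdir    = FileEntry(1000, 1000, 0o775)  # drwxrwxr-x  group-writable only
phpwritedir = FileEntry(1000, 1000, 0o777)  # drwxrwxrwx  the answer's a+rwx dir

if __name__ == "__main__":
    for label, f in [("somescript.php", somescript), ("locked", locked),
                     ("groupdir", groupdir), ("phpwritedir", phpwritedir)]:
        for p in (FTPUSER, WWWUSER):
            print(f"{label:15} {p.name:8} {effective_perms(f, p)}")
```

The groupdir row shows why the questioner's guess that GROUP bits govern the script fails on this host model: WWWUSER is not in yourgroup, so only the OTHER bits reach it.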
