care to settle a chmod argument

It sounds like the setup for a joke, but it's true...

2 php developers are having an argument (me and another guy).  Actually, not an argument, we don't know the answer and no one we know knows the answer.  So we turn to you, oh great and mighty experts...

In Unix/Linux...when speaking of files, not directories...the X permission allows us to execute files on the server itself.  Shell scripts, the like.  Question: does this also apply to PHP files executed (or interpreted) by Apache/PHP?  In other words, do PHP files need to have X permissions set in order to be viewable over the web by the public or can they be simple r/w?  ??5 or ??6  is another way to ask that.  

We've been tossing it back and forth all morning and I think we won't be able to rest until we know.  Also, luckily, none of us have root access right now to anything where we can test it or else we'd just figure it out ourselves!  If you can believe it...

thanks in advance!

-bakum
 
Autogard Commented:
.....and

I created a directory in my doc root and put an "index.php" file inside of it and accessed it like "http://www.mydomain.com/mydir".
Every user on the system has read access to the index.php file in the directory..
...but this is what happened with various permissions of the directory...

d--------x, apache served it
d------r--, apache did not serve it (and it gave the access forbidden error)

So it looks like directories need to have "x" permissions for the apache user, even if it has "r" permissions on the actual file in the directory.

If I try to access the file directly ("http://www.mydomain.com/mydir/index.php"):

Forbidden
You don't have permission to access /mydir/index.php on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

....more info than you wanted, huh?  Sorry, got carried away!  :)
 
Autogard Commented:
Read access for "other" is sufficient.

e.g. Files owned by a non apache user...

-r--------, apache doesn't serve it
----r-----, apache doesn't serve it
-------r--, apache serves it
 
Autogard Commented:
In fact:

(files owned by root user and group)

---------x, apache doesn't serve it
-rwxrwx-wx, apache doesn't serve it

So looks like apache user must have at least read access on the file.

Something else interesting I saw is that if it is a .php file it won't give you the "Access forbidden!" error, the page will just be blank.  If it is a .html file it will give you the "Access forbidden!" error "You don't have permission to access the requested object. It is either read-protected or not readable by the server."
 
ahoffmann Commented:
> .. does this also apply to PHP files executed (or interpreted) by Apache/PHP?
no, only if PHP is configured as CGI (which is unusual) *and* that CGI relies on the x-bit

> .. do PHP files need to have X permissions ..
no if PHP is run as mod_php in Apache

> .. or can they be simple r/w?  ??5 or ??6  is another way to ask that.  
they should be 440 or better 400 (sometimes they should be 040, but most admins don't know how to configure that securely)
for testing start with 444, then if it works, try to limit down to 440 and finally 400
 
bakum (Author) Commented:
Very good.  Full points for the first full answer to my inquiry.  Excellent.  
 
Autogard Commented:
Thanks!
Question has a verified solution.
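
The hand tests in this thread come down to one rule: the web-server account needs the search (x) bit on each directory and the read (r) bit on the file, and under mod_php the file's own x bit is not consulted. As an added example (not part of the original thread), the Python below replays those cases on a constructed temp tree. `bits_for`, `can_serve`, `demo` and the hypothetical server uid/gid are assumptions; root, ACLs and MAC policies are ignored, and directory modes 701/704 stand in for the thread's `d--------x` / `d------r--` so the script's owner can still clean up.

```python
import os, shutil, stat, tempfile

def bits_for(st, uid, gids):
    """Return the (r, x) bits of the one permission class that applies to uid/gids."""
    if uid == st.st_uid:            # owner class wins, even if it grants less
        r, x = stat.S_IRUSR, stat.S_IXUSR
    elif st.st_gid in gids:
        r, x = stat.S_IRGRP, stat.S_IXGRP
    else:
        r, x = stat.S_IROTH, stat.S_IXOTH
    return bool(st.st_mode & r), bool(st.st_mode & x)

def can_serve(docroot, relpath, uid, gids):
    """True if uid could open docroot/relpath: x on each directory, r on the file."""
    path = docroot
    for part in relpath.split("/"):
        _, x = bits_for(os.stat(path), uid, gids)
        if not x:                   # no search bit: stop before touching children
            return False
        path = os.path.join(path, part)
    r, _ = bits_for(os.stat(path), uid, gids)
    return r                        # the file's own x bit is never consulted

def demo():
    """Build a constructed tree in a temp dir and replay the thread's cases."""
    root = tempfile.mkdtemp()
    try:
        target = os.path.join(root, "index.php")
        open(target, "w").close()
        st = os.stat(target)
        uid, gids = st.st_uid + 1, {st.st_gid + 1}   # hypothetical web-server account
        out = {}
        for dmode, fmode in [(0o701, 0o004), (0o704, 0o004), (0o701, 0o400),
                             (0o701, 0o040), (0o701, 0o001), (0o701, 0o773)]:
            os.chmod(target, fmode)
            os.chmod(root, dmode)
            out[(dmode, fmode)] = can_serve(root, "index.php", uid, gids)
            os.chmod(root, 0o700)   # restore so the next chmod and cleanup work
        return out
    finally:
        os.chmod(root, 0o700)
        shutil.rmtree(root)

if __name__ == "__main__":
    for (dmode, fmode), ok in demo().items():
        print(f"dir {dmode:03o} file {fmode:03o}: {'served' if ok else 'not served'}")
```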
