Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 424
  • Last Modified:

care to settle a chmod argument

It sounds like the setup for a joke, but it's true...

2 php developers are having an argument (me and another guy).  Actually, not an argument, we don't know the answer and no one we know knows the answer.  So we turn to you, oh great and mighty experts...

In Unix/Linux...when speaking of files, not directories...the X permission allows us to execute files on the server itself.  Shell scripts, the like.  Question: does this also apply to PHP files executed (or interpreted) by Apache/PHP?  In other words, do PHP files need to have X permissions set in order to be viewable over the web by the public or can they be simple r/w?  ??5 or ??6  is another way to ask that.  

we've been tossing it back and forth all morning and I think we won't be able to rest until we know.  Also, luckily, none of us have root access right now to anything where we can test it or else we'd just figure it out oursevles!  If you can believe it...

thanks in advance!

-bakum
0
bakum
Asked:
bakum
  • 4
1 Solution
 
AutogardCommented:
Read access for "other" is sufficient.

e.g. Files owned by a non apache user...

-r--------, apache doesn't serve it
----r-----, apache doesn't serve it
-------r--, apache serves it
0
 
AutogardCommented:
In fact:

(files owned by root user and group)

---------x, apache doesn't serve it
-rwxrwx-wx, apache doesn't serve it

So looks like apache user must have at least read access on the file.

Something else interesting I saw is that if it is a .php file it won't give you the "Access forbidden!" error, the page will just be blank.  If it is a .html file it will give you the "Access forbidden!" error "You don't have permission to access the requested object. It is either read-protected or not readable by the server."
0
 
AutogardCommented:
.....and

I created a directory in my doc root and put an "index.php" file inside of it and accessed it like "http://www.mydomain.com/mydir".
Every user on the system has read access to the index.php file in the directory..
...but this is what happened with various permissions of the directory...

d--------x, apache served it
d------r--, apache did not serve it (and it gave the access forbidden error)

So it looks like directories need to have "x" permissions for the apache user, even if it has "r" permissions on the actual file in the directory.

If I try to access the file directly (http://www.mydomain.com/mydir/index.php"):

Forbidden
You don't have permission to access /mydir/index.php on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

....more info than you wanted, huh?  Sorry, got carried away!  :)
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
ahoffmannCommented:
> .. does this also apply to PHP files executed (or interpreted) by Apache/PHP?
no, only if PHP is configured as CGI (which is unusual) *and* that CGI relies on the x-bit

> .. do PHP files need to have X permissions ..
no if PHP is run as mod_php in Apache

> .. or can they be simple r/w?  ??5 or ??6  is another way to ask that.  
they should be 440 or better 400 (sometimes they should be 040, but most admions don't know how to configure that securely)
for testing start with 444, then if it works, try to limit down to 440 and finally 400
0
 
bakumAuthor Commented:
Very good.  Full points for the first full answer to my inquiry.  Excellent.  
0
 
AutogardCommented:
Thanks!
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now