Unix permissions from a PHP Dev perspective

I am using a shared unix/linux remote server to develop my high security app which is written in php. I have SmartFTP to upload my files, which also gives me access to directory and file permissions. I have scoured the web looking for permission info and find lots on chmod commands, what they are and how to apply them as if I'm at the server using unix/linux operator commands like ls.

I have a developer site, a beta site, and a production site, all with identical folders and files, but for use by me, testers, and the public respectively.

What I cannot seem to find is how I, as a developer, should apply these to my files (pages and images) and folders. Perhaps you know of a source that explains clearly when and why I would use the attributes, or, if you prefer, give an explanation. Much appreciated.
Torquil BeavisBusinessAsked:

F PCommented:
If you're looking to understand how *nix file permissions work, it's simple. There are 3 numbers. Each number represents what level of access is allowed.

   7        6        0
 user     group    world
 r+w+x    r+w      none
 4+2+1    4+2+0    0+0+0   = 760

760

7 = Owner of the files/directory permissions level.

6 = Group of the files/directory permissions level.

0 = Everyone Else's permissions level

The numbers add up:
4 = Read
2 = Write
1 = Execute

So, 4+2+1 = 7, read/write/execute permissions. 4+2 = 6, read/write permissions, and  0 = no access.

Full list of permissions and what they set with chmod here:

http://www.askapache.com/security/chmod-stat.html#chmod-0-to-7777
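As an added example (not code from this thread), a small Python converter that applies the 4/2/1 arithmetic above in both directions, so a mode shown by an SFTP client or an `ls -l` listing can be checked against its octal value:

```python
# Added example: symbolic <-> octal Unix permission conversion.
# Special bits (setuid/setgid/sticky, shown as s/S/t/T) are deliberately
# not handled; only the plain r/w/x triplets from the table are.

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))
CLASSES = ("user", "group", "other")


def symbolic_to_octal(symbolic: str) -> str:
    """'rw-r--r--' or ls -l style '-rw-r--r--'  ->  '644'."""
    # ls -l prefixes a file-type character; drop it if present.
    s = symbolic[1:] if len(symbolic) == 10 else symbolic
    if len(s) != 9:
        raise ValueError("expected 9 permission characters, got %r" % symbolic)
    digits = []
    for i in range(3):
        triplet = s[3 * i:3 * i + 3]
        value = 0
        for ch, (letter, bit) in zip(triplet, PERM_BITS):
            if ch == letter:
                value += bit
            elif ch != "-":
                raise ValueError("unexpected character %r in %r" % (ch, symbolic))
        digits.append(str(value))
    return "".join(digits)


def octal_to_symbolic(octal: str) -> str:
    """'760'  ->  'rwxrw----'."""
    if len(octal) != 3 or any(c not in "01234567" for c in octal):
        raise ValueError("expected three octal digits, got %r" % octal)
    out = []
    for d in octal:
        value = int(d)
        for letter, bit in PERM_BITS:
            out.append(letter if value & bit else "-")
    return "".join(out)


def explain(octal: str) -> dict:
    """Break a mode such as '760' into who-gets-what, as the table does."""
    names = {4: "read", 2: "write", 1: "execute"}
    result = {}
    for who, d in zip(CLASSES, octal_to_symbolic(octal) and octal):
        result[who] = [names[b] for b in (4, 2, 1) if int(d) & b] or ["none"]
    return result


if __name__ == "__main__":
    print(symbolic_to_octal("-rw-r--r--"), octal_to_symbolic("760"), explain("760"))
```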
F PCommented:
... On a side note. All users who wish to access directories that are children of another (i.e., subfolders) must have read access to the parent. You can't create a share at /etc/apache2 and not give read access to the user, either in group or user level, to /etc for the user accessing it.
Torquil BeavisBusinessAuthor Commented:
Thank you. However, I understand most of this from my research. My issue is how I use it as a php developer using a remote server - my users don't have access to the server. Put another way, if I change chmod settings, how would this affect the running of the web app pages and access to the linked files in the app?
F PCommented:
You just need to make sure that whatever user is running your webserver, e.g., Apache, has access to the php files themselves. Usually the User and Group is defined within the apache.conf or httpd.conf and are _www or www-data. If you run:

ps -ef | grep http

You should be able to see if it's _www, www-data, or whomever...

If Apache, or whatever, can't get to the files, and typically you want at least read/write for the user running the webserver, then it will fail to load the script and give you a 403 error. I would make sure that all the changes you do are to the group bit and leave the user who runs the webserver as the owner and give it 6 or 7. The group can have 5 if you want your users to be able to see the files.
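To see what "the web server user can get to the files" means in practice, here is an added Python model (not code from this thread or from any hosting product) that applies the owner/group/other rules, including the earlier point that every parent directory must be traversable, to a constructed sample tree; the uids, gids, and paths are made up for the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample tree (not a real server): path -> (owner uid, group gid, mode).
# Made-up ids: 1000 = the developer's SFTP account, 48 = the apache user,
# 1001 = a "testers" group that the apache user has also been added to.
FS: Dict[str, Tuple[int, int, int]] = {
    "/": (0, 0, 0o755),
    "/web": (1000, 1001, 0o750),
    "/web/index.php": (1000, 1001, 0o640),
    "/web/uploads": (1000, 1001, 0o777),
    "/web/private": (1000, 1000, 0o700),
    "/web/private/config.php": (1000, 1000, 0o600),
}

R, W, X = 4, 2, 1  # the 4/2/1 read/write/execute bits


def class_bits(entry: Tuple[int, int, int], uid: int, gids: Set[int]) -> int:
    """Pick the ONE permission class that applies: owner, else group, else other."""
    owner, group, mode = entry
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7


def can_read(fs: Dict[str, Tuple[int, int, int]], path: str,
             uid: int, gids: Set[int]) -> Tuple[bool, str]:
    """Can a process running as uid/gids read `path`?  Every ancestor directory
    must carry the search (x) bit for that class and the file the read (r) bit.
    Root's bypass of these checks is not modelled."""
    parts = [p for p in path.split("/") if p]
    ancestors = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for d in ancestors:
        if d not in fs:
            return False, f"{d} does not exist"
        if not class_bits(fs[d], uid, gids) & X:
            return False, f"no search (x) permission on {d}"
    if path not in fs:
        return False, f"{path} does not exist"
    if not class_bits(fs[path], uid, gids) & R:
        return False, f"no read (r) permission on {path}"
    return True, "readable"


def world_writable(fs: Dict[str, Tuple[int, int, int]]) -> List[str]:
    """Paths anyone on the box can modify: the 'other' class has the w bit."""
    return sorted(p for p, (_, _, mode) in fs.items() if mode & W)


if __name__ == "__main__":
    apache = (48, {48, 1001})
    for path in ("/web/index.php", "/web/private/config.php"):
        print(path, can_read(FS, path, *apache))
    print("world-writable:", world_writable(FS))
```

The second lookup fails on the directory, not the file: a 0 in the "other" column of `/web/private` stops the web server user before the file's own mode is ever consulted.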
Torquil BeavisBusinessAuthor Commented:
Great! It's becoming clearer .. still a few questions ..

How do I input "ps -ef | grep http" from SmartFTP?
What I see on the server through SmartFTP is:
rootname
/.config
/.logs
/.ssh
/cgi-bin
/web
.
.
/stats
/www (with a shortcut symbol in front of it that directs to /web)

Is "web" the user here?

Also, regarding "User", "Group", and "Other", if Apache is "User", and you mention my (web app) users are "Group", then who am I here, who are my testers (as opposed to app users), and who are "Other"? I'm sure this is simple - guess I'm missing something here ;)
F PCommented:
You can't execute shell commands through SFTP, but you can view permissions. Who's hosting this solution?
F PCommented:
... to answer your other questions:

1. You connect and upload as the owner of the files. Whomever that username may be.

2. Other would be anyone not in the group or the owner of the files.

3. You might be able to assign the output of a shell command, if you have permissions to it, from your PHP. Encapsulate the command with shell_exec() so it would look like this...

<?php

// Run the command on the server and capture its output. shell_exec() returns
// NULL if the command fails or produces no output.
$output = shell_exec('ps -ef | grep http');
echo $output;

// http://php.net/manual/en/function.shell-exec.php
Torquil BeavisBusinessAuthor Commented:
I tried the shell command, and either it didn't work or NULL was the response.

1. So I and Apache are "User/Owner"

2. My app beta testers would be "Group" ?

And my app production users (after testing is complete) would be "Other" ?

How do I let the server know which users are Group users and which users are Other users, in order for the server to apply the appropriate  Group and Other permissions when these users call the web pages?
F PCommented:
What permissions do you want to give to people who don't have write? Read, or just Read and Execute? It depends on what version of Linux you're using to define groups; the commands differ across distributions. Again though... who's your host and do you have SSH access?
F PCommented:
Personally I would give a developer who changes the files a 6, an owner a 7, and standard user a 5 with global being 0. Are you using any kind of version control like SVN, git, or Mercurial?
Torquil BeavisBusinessAuthor Commented:
NetNation.ca; yes they have SSH.
No version control.

Is 'global' synonymous with 'other'?

Since the server is not hosted by me but NetNation, should I leave these values as NN's defaults?
F PCommented:
Yes, Global == Everyone == Other == Not User == Not Group.

I'm assuming that NetNation has you on a vps if you have command line access, meaning that you're on a dedicated server with access to root... If you do not have the root user password, then you are on shared hosting.

Either way it looks like they're using a CentOS/RHEL derivative and you'll want to have a look here:

http://www.cyberciti.biz/faq/howto-linux-add-user-to-group/

That should give you the command to run for users and groups from the command line.

... You might want to consider a code repository though as well. It can track changes in the code, document, bug track, and also allow people who don't have access to a command line access to view the code in a text format that they can copy and paste wherever. I like Subversion; git is a little much for a smaller code base, and you probably shouldn't consider anything but either of those these days. Does that answer everything, or is there something else I can help clear up?

Torquil BeavisBusinessAuthor Commented:
As I mentioned, I am indeed on shared hosting.
We can leave this discussion. Thank you.
F PCommented:
Sorry, a lot of things going through my head recently, including mobile SEO with the new Google organic rankings being affected for non mobile optimized sites... and the conversion of them... but see if you can create a new group for them or user, and assign ownership with chown to yourself, and then give yourself a 7 and them a 6 or 5 after they've been added to the group. That should handle everything, and I believe that PLESK runs with the apache user and needs the permissions of the group

psaserv

from the PLESK dedicated hosting I just checked with one of my clients. You can use whatever user you want as the owner, e.g., krotb and set the group to psaserv, and add each of your devs to the psaserv group with permissions on the files being -rw-r--r-- which is 544 and everything should work like a charm. Here's the output from ls -lah and ps -ef | grep http from a live PLESK server:

-rw-r--r--  1 user_ecp psaserv  959 Apr 19 17:45 view_page.php

[root@www ~]# ps -ef | grep http
apache    1534 17143  0 14:43 ?        00:00:40 /usr/sbin/httpd
apache    2544 17143  0 16:06 ?        00:00:12 /usr/sbin/httpd
apache    3285 17143  0 16:27 ?        00:00:05 /usr/sbin/httpd
root      3381  3335  0 16:45 pts/0    00:00:00 grep http
root     17143     1  0 01:41 ?        00:00:01 /usr/sbin/httpd
apache   17149 17143  0 01:41 ?        00:00:00 /usr/sbin/httpd
apache   17150 17143  0 01:41 ?        00:00:03 /usr/sbin/httpd

and finally some of the httpd.conf file

[root@www ~]# cat /etc/httpd/conf/httpd.conf | grep User

# User/Group: The name (or #number) of the user/group to run httpd as.
#  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
User apache

This is PLESK version 12.0.18 Update #38
CentOS 6.6 (Final)
Torquil BeavisBusinessAuthor Commented:
This was not the answer I needed. However, I appreciate your assistance.
F PCommented:
I apologize, but I am still willing to help out in whatever way I can if you need anything.
F PCommented:
I want to provide a model to help, but I just want to ask if these are your requirements?

DEV SITE:
1. You and the web server should only have access

BETA SITE:
1. You, developers, and web server

PRODUCTION SITE:
1. You, developers, and web server

In terms of the end users, other, or world permissions, they do not need to have the ability to read/write/execute at all unless you have a specific need. People viewing the website will only need permission to view/read indirectly, or vicariously, through the web server itself. Your FTP and permissions model would really only apply to the three users I asked about above. If I'm correct in how I staged the permissions model above in my question, I will write out for you the groups and files/folder structure to apply it to so you can modify it for your environment.
Torquil BeavisBusinessAuthor Commented:
Thanks. I am the only developer. So I guess there is no group. By production I mean end users using their browsers.