Linux File Permissions Best Practices August 27, 2009

Hey all you Linux users, web site uploaders, and people who occasionally have to touch a Linux box despite your confusion or repulsion,

Here’s an APB on what not to do with file permissions.

-rw-rw-rw- permissions are from Satan. That’s why they are written as 666. -rwxrwxrwx is worse because it’s editable AND executable. And drwxrwxrwx is worse still, because it means that ordinary users may be able to break your machine with “while [ true ] ; do cat bigfile >> biggerfile ; done” (which is why /tmp is in its own partition on a “serious” server).

So, if you are installing a web application and you want the web server to be able to change files, then set the files to be owned by the user that the web server runs as. (I’m going to assume the username is “www-data”, but yours may be “apache” or “httpd”.)

If you want to own the files, and you want “www-data” to be able to change them, then set the group to “www-data”, and make it group-writeable.

And if you want “www-data” and a few special friends to be able to change the files, then create a new group called “www-data-and-friends”, and add them to it.

World-writeable is not OK. Think hard about what you are trying to do, and come up with a smarter way. Or learn how to use ACLs (”man acl”). Or just put the root password in a file called “ROOT_PASSWORD_HERE_EVERYONE” and let someone make the file world-writeable, so that you don’t have to incriminate yourself.

Yours in making the the world a safer place for those who just don’t know, so that it is only the truly stupid who fall prey to accidents,

N.

Leave a Reply