
The mechanism for distributing rights in operating systems, developed back in the 70s of the last century, turned out to be so successful that it is still used in UNIX systems, that is, for more than forty years.

Permissions 777 - what is it?

The basic principle of access distribution relies on mandatory attributes: the names of system users and their groups. In Linux each user has exactly one name, which must be unique within the system. The user logs in to the system, that is, passes authorization, with this name. In addition, the operating system contains a finite number of user groups, and each user can be a member of one or more of them. Only the superuser, root, can edit group properties and create or delete groups. Members of different groups have different rights to act in the system. So, for example, the administrator has more rights than the guest.

The inode (which every file has) contains the username of the owner and the name of the user group that has rights to this file.

When a file is created, the user under whose name the creating process is running becomes its owner. The group of the newly created file is likewise determined by the group ID of the running process. Later, all these values can be changed using the console commands discussed below.

How to change permissions

The chmod command changes the access mode of a file. Only the file's owner or the superuser is allowed to change these rights. In Unix systems, the mode is usually specified either as a number in octal form or with special mnemonic characters (letters). Each method has its own advantages and disadvantages. With numeric modes the system administrator can quickly configure the desired type of access, while mnemonic codes allow more precise changes: for example, adding or removing write access, or denying read access.

The first argument to the chmod console command is the specification of the permissions, given either as a mnemonic or as an octal number. The second and following arguments are the names of the files whose permissions we are changing. When setting rights as three numbers, the first number defines the rights for the owner, the second for the group, and the third for all other users.

Access rights mnemonics

Access to files in the rights system has the following variations:

  • r - access to read the file;
  • w - the right to edit data (but not delete);
  • x - the ability to run the file for execution.

In relation to directories, the following system of rights applies:

  • r - the user can read any files in the directory;
  • w - with these rights, you can create and delete files in the folder, even if some of them in the directory belong to another user;
  • x - indicates the right to enter the directory. If you have w rights to a subfolder but do not have rights to the folder one level higher, then there is no way to get to your folder.

In total, 8 different combinations are possible, which are shown in the figure below.

With the help of the table below, you can understand how to implement complex options for assigning permissions, as well as how to set permissions to 777 using the chmod mnemonic specifications.

How to set permissions to 777 via SSH

Here are some examples of using the chmod command:

  • chmod 711 file_name.txt.

With this mode the owner has full rights to the file, while the group and all other users can only execute it.

When using the code 775, we give the owner and his entire group the full list of rights. Other users will not be able to make changes to the file. Note that in order to specify a file only by its own name, you must be in the directory where this file is located. Otherwise, you can change to this directory with cd directory_name/sub-directory_name, or use the following structure:

  • chmod 775 /var/bin/file_name.txt.

To recursively change the permissions of all files in a directory and all subfolders, you need to add the -R switch to the chmod command. The resulting command will look like this:

  • chmod -R 711 file_name.

As a result, setting permissions to 777 for a file or directory is not a problem: you just need to log in to your web server via SSH and run the command:

  • chmod 777 filename.

How to set permissions to 777 in the server control panel

You can also carry out a similar procedure through the graphical interface of the FileZilla FTP client or the WinSCP SFTP client. To do this, log in to your server in one of these programs, select your file or folder in the interface, then right-click and check the boxes next to the required rights.

Sometimes, in case of urgent need, you may not have access to a Windows client, so you can change access rights through the web server control panel. To do this, select the required files in the file manager of your control panel and click the Change Permissions button. Next, you will also need to tick everything, and setting access rights 777 on a folder will no longer be difficult for you.

(The initial value of file permissions is rwxrwxrwx - full control for everyone) Revoke permission to execute a file for all users and groups:

$ chmod a-x file (rw-rw-rw-)

Cancel writing to a file by a group and other users:

$ chmod go-w file (rw-r--r--)

File execution permission by owner:

$ chmod u+x file (rwxr--r--)

Giving the group the same access rights as the owner of the file:

$ chmod g=u file (rwxrwxr--)

Cancel reading and writing to a file by group users and other users:

$ chmod go-rw file (rwx--x---)

Examples of using the chmod command in absolute mode

Permission to read, write and execute the file for all users and groups (full control):

$ chmod 777 file (rwxrwxrwx)

Setting read and write permissions for owner, group and other users:

$ chmod 666 file (rw-rw-rw-)

Setting full file access for the owner and read-only access for the group and other users:

$ chmod 744 file (rwxr--r--)

Setting full access to the file to the owner of the file and denying access to the group and other users:

$ chmod 700 file (rwx------)

Set read/write permissions for the file owner and read-only permissions for the group and others:

$ chmod 644 file (rw-r--r--)

Set read and write permissions for the owner of a file, read-only permission for its group, and deny access to others:

$ chmod 640 file (rw-r-----)

Setting file access with read permission for all users and groups:

$ chmod 444 file (r--r--r--)

File permissions for read, write, execute by owner and read, execute by group and others:

$ chmod 755 file (rwxr-xr-x)

Allowing read and execute access to the file for the user and others, and denying access for the group:

$ chmod 505 file (r-x---r-x)

If you want to assign permissions to all files in the current directory, simply put an * (asterisk) after the assigned permissions:

$ chmod 755 *

As a result of executing this command, the owner will receive full rights (read, modify, execute) on all files of the current directory, while the group and other users will receive only read and execute. If you want your actions to propagate recursively (including all subdirectories), use the -R option:

$ chmod -R 777 *

The result of executing the above command will be to recursively "traverse" all subdirectories of the current directory and assign full access to all users and groups. This article only covers some examples of how to use the chmod command. If you want to learn more about how the chmod command works and Linux permissions, check out this article.

Change permissions for directories only (recursively)

$ find /path/to/base/dir -type d -exec chmod 755 {} +

$ chmod 755 $(find /path/to/base/dir -type d)

$ chmod 755 `find /path/to/base/dir -type d`

$ find /path/to/base/dir -type d -print0 | xargs -0 chmod 755

Change permissions for files only (recursively)

$ find /path/to/base/dir -type f -exec chmod 644 {} +

$ chmod 644 $(find /path/to/base/dir -type f)

$ chmod 0755 `find ./ -type f`

$ find /path/to/base/dir -type f -print0 | xargs -0 chmod 644
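
An added example, not part of the original article: a POSIX shell sketch that lists world-writable entries in a site tree and then applies the 755/644 baseline with the find -exec form shown above. The function names, the allow-list arguments and the constructed demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit and baseline a site tree. Names and paths are illustrative.

# Print world-writable entries (octal 002 set) under ROOT, one per line,
# skipping anything inside the directories given as further arguments
# (for example a cache or upload folder that is writable on purpose).
# Symlinks are ignored: their own mode bits are not used for access checks.
# Line-based output assumes file names without embedded newlines.
audit_world_writable() {
    root=$1
    shift
    find "$root" ! -type l -perm -0002 -print | while IFS= read -r path; do
        allowed=no
        for ok in "$@"; do
            case $path in
                "$ok" | "$ok"/*) allowed=yes ;;
            esac
        done
        if [ "$allowed" = no ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Apply the baseline from the text: 755 for directories, 644 for regular files.
# "-exec ... {} +" hands the names to chmod directly, so names containing
# spaces survive, unlike the $(find ...) and backtick forms.
apply_baseline() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Show the permission string of one entry, e.g. "drwxr-xr-x".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Demo on a constructed tree in a temporary directory.
demo() {
    tree=$(mktemp -d)
    mkdir "$tree/site" "$tree/site/cache dir"
    : > "$tree/site/index.php"
    : > "$tree/site/cache dir/page 1.html"
    chmod 777 "$tree/site/cache dir" "$tree/site/index.php"
    chmod 666 "$tree/site/cache dir/page 1.html"

    echo "World-writable outside the allowed cache folder:"
    audit_world_writable "$tree/site" "$tree/site/cache dir"
    apply_baseline "$tree/site"
    echo "After baseline: $(mode_of "$tree/site/index.php") index.php"
    echo "Remaining findings: $(audit_world_writable "$tree/site" | wc -l | tr -d ' ')"
    rm -rf "$tree"
}

demo
```

Run the audit before changing anything, and pass the folders that are meant to be writable as extra arguments so that only unexpected findings are printed.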

Chmod syntax for folders and files

Let's first understand the essence of the issue with Chmod in order to understand what exactly and how we configure. So let's get started. Permissions are divided into Chmod for files and Chmod for directories. They are designated the same, but mean a little different.

Access rights (Chmod) to files are divided into:

    r - the right to read data.

    w - the right to change the content (write - only change the content, but not delete).

    x - the right to execute the file.

Let's dwell a little more on the right to execute a file. The fact is that in Linux (Unix) any file can be executed. Whether it is an executable is determined not by its extension (the concept of an extension is absent in the Unix file system) but by its Chmod permissions. If a file has the “X” permission (chmod x) set, it means that it can be run for execution.

Now about the access rights (Chmod) to the folder (directory):

    r - the right to read the directory (you can read the contents of the directory, i.e. get a list of objects in it)

    w - the right to change the contents of the directory (you can create and delete objects in this directory, and if you have write permission, then you can delete even those files that do not belong to you)

    x - the right that allows you to enter the directory (this right is always checked first, and even if you have all necessary rights to an object that is buried deep in the chain of directories, but do not have the “X” right to access at least one directory on the path to this file, then you will not break through to it)

In Linux (Unix) systems, all these rights are assigned by the main administrator of the computer, who gains access by entering a password. If most objects have read-only access rights (Chmod), there will be practically nothing for viruses to do on such a computer: they will be able neither to write themselves there nor to be executed afterwards. It is this result that we need to achieve by setting access rights (Chmod) on the objects of our site.

Chmod Syntax for User Groups

Permissions themselves (Chmod) are divided into three categories, depending on who is accessing the object:

    "user" - u (direct file owner)

    "group" - g (member of the same group as the owner)

    "world" - o (everyone else)

The server determines which user group you belong to when you connect to the server. When you connect to a server via FTP, for example, you log in with your username (and password), and then the server assigns you to the “user” (“u”) group. Other users who also connect via FTP to the server will be assigned to the “group” (“g”) group, and the user who comes to your site using his browser falls into the “world” (“o”) group.

Variations of the three possible values "r", "w" and "x" for the three categories "u", "g" and "o" define Chmod for files. If a category is not specified, it is replaced by a hyphen "-". Access rights (Chmod) are specified sequentially in the given order:

    first rights for owner - "u"

    then for the group - "g"

    and at the end of the right for everyone else - "o"

After the server assigns the user to a certain group, it grants him the rights to act on objects, after which the user will be able to read, write or execute the file (depending on what his group is allowed to do with this object). To see the contents of a folder, it must have the read attribute "r" (for the group to which the server assigned the user). To create a file or folder inside an existing folder, that folder must have the write attribute "w" set.

For clarity, let's look at an example where the owner of the file ("user" - "u") has all the rights: the right to read, write to it and execute, and all other users only have the right to read. Such a Chmod entry would look like this: "rwx r-- r--". Let's consider it in detail: "rwx" (this entry sets the rights to the object for the owner - "u"), "r--" (this entry sets the rights to the same object, but if the user is assigned by the server to the group - "g"), "r--" (this entry sets the rights to the object for all other users - "o").

What is the difference between Chmod files and folders

Nothing can be done

Access to the directory and its subdirectories is denied

Can see and edit content

Can add, delete, change folder file

Run if file is binary

The user can execute a binary file that he knows exists, access or read the directory is prohibited

Chmod Syntax Numeric (777)

You can see that here we use entries using Latin letters and hyphens, but you've probably already come across the fact that usually Chmod is set in digital form, for example, the well-known combination: Chmod 777, which allows everything and everyone. Indeed, access rights (Chmod) are also indicated by numbers:

    r (read) is replaced by 4

    w (write) is replaced by 2

    x (execution) is replaced by 1

0 means do nothing (which is indicated by a hyphen in the alphabetic notation). Let's go back to the example of the access rights notation I gave a little earlier: rwx r-- r--. If we replace the letters and hyphens in it with numbers, in accordance with the rule just described, and at the same time add the numbers in each triple, we get the digital form of this entry: 744. That is, it turns out that the sum of these numbers shows Chmod to files or a folder. For example:

    7 (rwx) = 4 + 2 +1 (full rights)

    5 (r-x)= 4 + 0 + 1 (read and execute)

    6 (rw-) = 4 + 2 + 0 (read and write)

    4 (r--) =4 + 0 + 0 (read only)

This table lists all possible Chmod combinations in numerical form:

And now let's look at the various combinations of Chmod in numbers, in relation to user groups:

(Table with the columns "Owner", "Group" and "Rest"; its rows were not preserved.)

You yourself (except when you access the site via FTP) and all other visitors to your site belong to the “world” group (everyone else), so to work with the website we first need to look at the last (third) digit of Chmod. In order for the script to “run the file” when the user works with the site, it is enough that the access rights (Chmod) set on it start from “4” (r-- - read only); 5, 6 and 7 are also suitable, but this would be overkill for security reasons.

“For the folder” in which the file of this script is located, you need to set at least “5” (r-x - you can go to the folder and read its contents, you cannot delete or add). 7 is also suitable, but it will also be superfluous in terms of security. If you need the script to not only read, but also “write” some data (for example, entered by the user), then the minimum rights to the “folder” will still be “5”, but the “file” will already need the rights “6” (read and write).

Most likely, on the server where you copied the contents of your site engine, the following Chmod to objects will be installed:

Folders 755

the owner (user) can do everything, the group and everyone else can only read folders and go into them, but they are not allowed to write files, change names and delete them in directories. (rwxr-xr-x)

Files 644

If you had a site consisting of some html, then you could leave everything like that. But modern sites are built on engines, and there may be objects that need to be written to on behalf of users from the "world" group - o (everyone else). These can be folders used for caching pages or those into which pictures, etc. will be loaded in the course of working with the site. Of course, if you access the site via FTP, you can write to these files or folders, but when working with the website interface as a normal user, you may experience problems. Therefore, the installation of certain Chmods must be approached selectively.

When working with files located on a web server, there is often a need to set or change access rights to folders and files (chmod) of the form 777. In server operating systems of the Unix family, access rights (chmod) of the form 777 regulate such actions as reading, writing to a folder or file, and executing a file.

What are "permissions" in the operating system

File or folder permissions are a security feature of any multi-user operating system or software that protects important (system) information from unauthorized access.

If the operating system is single-user, for example, as a home version (home) of Windows, then there is no point in particularly limiting the user's power over his user and system files and folders. Because, in this case, the same person is both a user and an administrator at the same time.

If the operating system (or program) is multi-user and more than one user can be found in it, then you first need to decide which of the users can be allowed access to important system and user files, and who should be left to “stand aside”. "Access rights" exist within the operating system in order to differentiate the possibilities and degree of access to files and folders for users.

Access rights to files and folders are assigned at the system administrator level and determine the technical capabilities of each user for his operations with files and folders within the directories controlled by him.

At the same time, access rights allow you to partially or completely close general access to important files and directories, thereby preventing unauthorized intervention in the operation of the system (program, server, website) or changes to user data (database) on the server.

How "permissions" work

By and large, the user's work in any operating system or program is the usual work with files or folders. Initially, when accessing any file or folder, the user is free to do anything with them - execute, delete, change (overwrite) or create a new object. However, the operating system is vigilant - it is always on the alert - every time the user accesses a file or folder, with every action within the operating system, it scrupulously checks whether or not the user is allowed to work with this file or folder. This is what "permissions" are. Thus, the user's capabilities are limited in the actions that he (the user) can do with a file or folder in the computer area under his control.

Permissions in Unix

As already mentioned, access rights to files and folders are available in all operating systems that involve multi-user work. Both in Windows and in Unix, and in any other multi-user operating system, there is a function to configure and set access rights to files and directories (folders, directories) for various categories of users. This article will focus on access rights for server OSes of the Unix family, which are often called .

Permissions (chmod) like 777 for server Unix operating systems regulate the permission or prohibition for the user to perform such actions as: reading, writing to a folder or file, and executing executable files

What is chmod

What is 777

In server Unix operating systems, access rights are written as a single line consisting of three digits, where each digit refers to a different type of user group. In turn, all users are divided into groups of three types:

  1. group Owner - "The owner of the folder or file"
  2. group Group - "Group member of the owner of the folder or file"
  3. group World or Public - "All other users"

Thus, the three digits in the designation, like 777, are the set access rights for three user groups of the folder or file at once, where - each of the three digits indicates the access rights for its user group.

Now it remains to figure out who the "Owner" is, what an "Owner Group Member" is, and who "All other users" are.

Owner, owner group member, and all other users

Since we are talking about servers, sites and Unix server OSs here, then:

The division of all users into groups in Unix server operating systems is implemented as follows: the Owner and Members of the owner's group connect to the server using a special connection (FTP, SSH protocol), and all other users access the site from a web browser (HTTP protocol).

It follows that, depending on the file access protocol on the server, the Unix server OS immediately divides users into two parts, either the owner or a member of the owner's group, or all other users. The basis for such a "sorting" (I repeat) is network protocol connections - if the user connected to the server using an FTP account (FTP protocol), then this is either the owner or a member of his group. And if the user accessed the server from a web browser (http protocol), then this is the third group - all other users.

Thus, for the Unix server OS, there is a very clear and easy to understand distinction between the first two and third groups - the owner and a member of his group get to the server using a special connection (FTP, SSH), and all other users through their web browsers.

But the differences between the first two groups - the owner and a member of his group - are strongly erased and veiled. This is where the jungle of a hosting package and an individual approach for each case already begins.

Reference:
All files in Unix (Linux) can have two owners: their direct owner-creator (user owner) and his group (group owner). The concept of the owner's group means a certain list of users that was created by the owner himself for sharing a file or folder.

Thus, for a Unix server OS, the owner of a file or folder is directly the server administrator. All the rest, to whom the owner will allow access to files on his server and who will connect to this server via the FTP / SSH protocol, are members of the owner's group.

Leased disk space refers to the space on the server occupied by site files. As a rule, these are inexpensive hosting packages whose users do not have access to the server's admin panel (not to be confused with the CP - account control panel). Accordingly, site administrators (owners) on such packages, when they connect to the server via the FTP protocol, fall exclusively into the owner's group. The owner himself (the server administrator), meanwhile, is somewhere out there, “far in the mountains”, in the cozy office of the hoster's technical service.

When renting disk space, the owner of all files on the site is the host itself, while the tenant of disk space is just a member of the owner's group.

For server tenants (real and virtual) - the situation is somewhat different. When renting a server, the renter installs the operating system himself, of course, at the same time - he is the direct owner of the files for this system. But to create a group and add other users to it is already his, the owner's business.
What follows from all of the above?

And the conclusion is this:

  • Disk space tenants don't have to bother with the first digit of a mode like (chmod) 777, because they are not the owners, and will never be the owners, of their files. For them, the first digit should always be seven.
  • Tenants of servers (real and virtual) don't have to bother with the second digit of a mode like (chmod) 777, provided that they have not created and are not going to create any user groups on their server. Here, as such, there is no pronounced and strong distinction. Rather, there will be one if you create an owner group and add a list of users to it. But only the server administrator himself can create such a group. When he creates one, he can then think about what to do with the second digit.

What do the numbers 777 or 456 mean?

Each digit, for each group, represents the arithmetic sum of three digits denoting the following rights:

  • 4 = Read (right to read)
  • 2 = Write (right to write)
  • 1 = Execute (permission to execute)

For example:

  • 6=4+2 - Read+Write (right to read + right to write)
  • 5=4+1 - Read+Execute (right to read + right to execute)
  • etc.

All possible 7 addition options for these three digits when setting access rights to a folder or file for user groups look like this:

  • 7 = 1+2+4 - Read, Write, Execute (read, write and execute)
  • 6 = 4+2 - Read, Write (read and write)
  • 5 = 4+1 - Read, Execute (read and execute)
  • 4 = 4 - Read (read only)
  • 3 = 1+2 - Write, Execute (write and execute)
  • 2 =2 - Write (write only)
  • 1 =1 - Execute (execution only)

Thus, by setting permissions (chmod) like 765, we will set the following permissions for groups:

  • First digit, group Owner, Owner of the file or folder
    First digit = 7
    This means that the Owner of a folder or file has the right to:
    7=4+2+1 - Read (reading) + Write (writing) + Execute (execution)
  • Second Digit, Group Group, Owner's Group Member
    Second digit = 6
    This means that a member of the owner's group has the right to:
    6=4+2 - Read (read)+Write (write)
  • Third digit, World group, All other users
    Third digit = 5
    This means that all other users have the right to:
    5=4+1 - Read (reading)+Execute (execution)

Now it is clear that by setting access rights with a combination of numbers 777 (three axes), we open full access to the file for absolutely all user groups. A similar result can be obtained by placing the file in the "Public Documents" folder in Windows.

It should be noted that some combinations of numbers can indicate very crazy situations with file access rights. For example, a combination like 477 will allow access to overwrite and execute a file for everyone except its owner (read - administrator). Alas, this does not happen.

Access rights are always set "in descending order" from the "Owner" to the "Member of the owner's group", and further - to the "Everyone else" group. But not vice versa!
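
An added example, not part of the original article: a POSIX shell sketch that converts between the numeric and letter notations with the 4/2/1 weights and checks the "descending order" convention described above, under which a mode such as 477 is rejected. The function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: numeric <-> letter notation and the "descending order" check.

# Succeed only for exactly three octal digits such as 755.
is_mode() {
    case $1 in
        [0-7][0-7][0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# Turn one digit (0-7) into its rwx triple by testing the 4, 2 and 1 bits.
digit_to_rwx() {
    out=
    if [ $(($1 & 4)) -ne 0 ]; then out=${out}r; else out=${out}-; fi
    if [ $(($1 & 2)) -ne 0 ]; then out=${out}w; else out=${out}-; fi
    if [ $(($1 & 1)) -ne 0 ]; then out=${out}x; else out=${out}-; fi
    printf '%s' "$out"
}

# Numeric to letters: owner, group and others digits decoded in that order.
mode_to_rwx() {
    is_mode "$1" || { echo "not a three-digit octal mode: $1" >&2; return 2; }
    rest=${1#?}
    printf '%s%s%s\n' "$(digit_to_rwx "${1%??}")" \
        "$(digit_to_rwx "${rest%?}")" "$(digit_to_rwx "${1#??}")"
}

# Letters to numeric. Each position accepts only its own letter or a hyphen,
# so a truncated string such as "rwxr-r-" is rejected instead of guessed at.
rwx_to_mode() {
    s=$1
    [ "${#s}" -eq 9 ] || { echo "expected 9 characters: $1" >&2; return 2; }
    mode=
    for triple in 1 2 3; do
        digit=0
        for weight in 4 2 1; do
            c=${s%"${s#?}"}   # first remaining character
            s=${s#?}
            case $weight$c in
                4r | 2w | 1x) digit=$((digit + weight)) ;;
                ?-) ;;
                *) echo "unexpected '$c' in $1" >&2; return 2 ;;
            esac
        done
        mode=$mode$digit
    done
    printf '%s\n' "$mode"
}

# The article's convention: rights shrink from owner to group to others.
# Returns 0 when the group has no bit the owner lacks and others have no bit
# the group lacks, 1 otherwise (for example 477), 2 on malformed input.
is_descending() {
    is_mode "$1" || return 2
    rest=${1#?}
    u=${1%??}
    g=${rest%?}
    o=${1#??}
    if [ $((g & ~u & 7)) -ne 0 ] || [ $((o & ~g & 7)) -ne 0 ]; then
        return 1
    fi
    return 0
}

# Demo over modes that appear in the article.
for m in 777 755 744 644 640 477; do
    if is_descending "$m"; then verdict=descending; else verdict=inverted; fi
    printf '%s %s %s\n' "$m" "$(mode_to_rwx "$m")" "$verdict"
done
```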

How to set access rights like 777 on the server

Now that it has become absolutely clear what these three cherished numbers mean, setting permissions (chmod) like 777 will not be difficult. To set permissions (chmod) like 777 for a folder or file that is on the server, you need any file manager that is able to establish and maintain an FTP connection to the server. It could be Total Commander, Windows Commander, CuteFTP, Filezilla or anything else. Personally, I prefer Filezilla's simple and free FTP file manager, even though I'm a fan of Total Commander.

To set permissions (chmod) like 777, we connect to the server via FTP with the rights of the Administrator, using the Administrator's login and password pair. Then we find and select the required object (folder or file) and, with a right-click, open the context menu item "File - Change Attributes". Next, specify the desired attribute (access rights) and click "OK". To enter the desired combination of numbers, either tick or untick the checkboxes next to the necessary items, or type the required code of the form 777 in the window that opens. All FTP file managers support both methods.

View 777 wreck on Denver

Like all aliens from Space, I regularly communicate with representatives of various extraterrestrial civilizations who start building their sites before they arrive on Earth.

Message for aliens:
No need to try to set permissions (chmod) like 777 when working with a well-known package that only simulates the operation of a web server running a Unix operating system on a local computer that is actually running the Windows operating system. There is no such button.

Files in Linux have two owners

It is necessary to correctly set the rights to files and folders. You can do this with FileZilla. In general, each server needs its own specific settings, which are best learned from your hosting provider. But usually the rights are set as follows: 444 for files that are in the root directory, 755 for folders in the root directory, 705 for the tmp and logs folders, 555 for your template folder, 755 for the image / stories folder, 755 for the folder Cache 777.

The owner of the new file is the user who created the file.

Files in Linux have two owners: a user (user owner) and a group (group owner), which is understood as a certain list of users; moreover, the owner of the file does not have to be a member of the group that owns the file. Each user can be a member of several groups at once, one of which is called primary and all the rest supplementary. This gives more flexibility in organizing access to a particular file. Sharing a resource is very easy to organize: it is enough to create a new group and include in it all those who really need it. If a person, say, moves to another department and no longer needs to use this file, everything is very simple: you just remove him from this group. But what about the rest: will they really be unable to at least read the contents of the file, or will they have to be added to and removed from the group each time?
For all the others (other), who are neither the user owner nor members of the group owner, the access rights are set separately and are, as a rule, minimal. Usually the owner of a file is the user who created it. The group owner of a newly created file is set to the primary group of the user who created the file, but in some versions of Unix the group owner is inherited from the group owner of the directory in which the file is created. To change the owner of a file, use the chown command, which takes the name of the new owner and a list of files as parameters:

# chown new_owner file1 file2 ...

Of course, a directory name can be given instead of a file name, but the owner of the files inside the directory will not change; for that, use the -R flag (chown -R). With this command (as with most others), you can use regular expressions if you need to select files that meet a certain criterion (chown -R lys *.c). To change the group owner, use the chgrp command, whose syntax is similar to the previous one:

# chgrp sales /home/sales/*

By the way, the chown command also lets you set the group owner at the same time: put a colon immediately after the owner's name, without spaces or other characters, and write the name of the required group:

# chown -R sergej:gljuk *

This option is also allowed (i.e. an analogue of the chgrp command):

# chown -R :gljuk *
File ownership determines the operations that a user can perform on a file. The most obvious of these is changing the owner and group of a file. These operations can be performed by the superuser and the owner of the file (in BSD UNIX derivatives, only the superuser). The first case is clear, but writing a program and then making, say, the superuser its owner will, alas, not work; and although changing the owner is allowed, I honestly did not find a use for it. The group, if you are the owner of the file, can only be changed to your primary one (by default it has the same name as the corresponding user). All these restrictions were introduced for several reasons: so that no one could slip in a malicious file, and so that, if a computer has a disk space limit for a particular user, the limit could not be bypassed simply by changing the owner.
The next basic operations that can be performed on a file are read access (Read), write access (Write) and execution access (eXecute). These operations are set for each of the three user groups separately, and only the owner and, of course, the superuser can set them. The chmod command is used to set the appropriate permissions. It is used in two forms: absolute, when the old rights are ignored and the new ones are set unconditionally, and relative, when rights are added to or removed from the existing ones. The absolute form specifies the file permissions directly in octal form. To get the complete code of the required file mode, you just need to add up the values of the codes given in the table.

Good health, dear blog readers! We would all like every file or folder that is located on the hosting server and belongs to the site to be protected from unauthorized access as much as possible.

Such protection is provided due to the fact that 90% of hosters use Unix-like operating systems, in which it is possible to regulate access rights to all files and directories. My hosting provider's server, which hosts several of my projects, is no exception.

The rules established in Unix differ from those familiar to many from the Windows operating system, where protection in this respect is not as strong, which sometimes leads to disastrous consequences in the form of a virus infection of the system.

CHMOD for users and permissions to files and folders (directories)

On Unix-driven systems the situation is different, and it is possible to make life very difficult for the bad guys who try to take advantage of the hard work you have put in over a long period of time: namely, by configuring the CHMOD access rights correctly. Our task is to give the minimum possible permissions on files and folders that still do not break the correct operation of the site.

Agree, it would be a sin not to take the opportunity to seriously strengthen the site's protection. Of course, editing some files will then take a little longer, but here you have to choose: either optimizing the system security, or ... Below I will try to systematize the information on CHMOD (access rights), because there are several nuances that a webmaster needs to know. So, let's begin.

Access rights differ for different user groups. When trying to connect, the server determines which group to assign a particular user to. All users are divided into three categories:

  1. "user" - file owner
  2. "group" - one of the members of the group to which the owner belongs
  3. "world" - "the rest of the world", that is, all other users

If you connect to the server via FTP and log in with your username and password, you will be identified as "user" (u); if someone else connects via FTP, they will be identified as "group" (g); and a user who comes through a browser falls into the "world" (o) category.

Now about CHMOD access rights to files and directories. In fact, they are slightly different, although the designations are the same. File permissions:

  • r (read) - permission to read file data
  • w (write) - the right to change the content (only editing the content, that is, writing, but not deleting)
  • x (eXecute) - the right to execute the file

Access rights to folders (directories):

  • r - the right to read the folder (you can get the contents of the directory, that is, the list of files included in it)
  • w - the right to change the contents (permission to create and delete objects in the directory; if you have write permission, you can delete even objects that do not belong to you)
  • x - the right to access this or that directory (the peculiarity here is that even if you have all the necessary rights to a file located "deep" in the directories, but you lack access rights to at least one directory on the path to this object, you will not be able to access it)

A hyphen "-" indicates the absence of a right. All these rights are assigned by the administrator, who gets this ability by entering a password. If we set the maximum possible restrictions on CHMOD access rights to certain resource files, we can practically eliminate the danger of virus programs carrying out their "dirty deed".

For clarity, consider an example where the owner of the file, u, has all possible rights: read, write and execute. Users in the g (group) category can only read and write, and all others (o) can only read. The CHMOD entry would then look like this: "rwx rw- r--".

Permissions for files and folders in numerical terms: CHMOD (777, 755, 444)

But more often in practice webmasters have to assign access rights in numeric form:

  • r (read) - 4
  • w (write) - 2
  • x (execution) - 1
  • - (no rights) - 0

Now let's revisit the above example of assigning the permissions "rwx rw- r--". The rights of each class of user are expressed by adding up its individual rights (r read + w write + x execute). Thus, the part of the entry for the owner of the file u (user), "rwx", turns into 7 (4+2+1); for a group member g (group), "rw-" turns into 6 (4+2+0); and for other users o (world), "r--" turns into 4 (4+0+0). As a summary, I will present a pivot table with the values of CHMOD permissions, expressed both in letters and in numbers:


Now I will present another table that reflects the total CHMOD rights for all user groups in the format of numbers:


These are the main combinations that are most often used in the work of a webmaster. The rest are formed by analogy. If you are a site or blog administrator, but work with a project without connecting via FTP, you also belong to the “Other users” group. In this case, when working with the site in this mode, you need to take into account the last digit in the CHMOD value.

Usually, on the server where the files of your WordPress blog are located, permissions are set to 755 on folders and 644 on the files inside them. This is fine when the resource is built from HTML files; nowadays, however, sites are mostly built with a CMS (content management system), WordPress among them. And here there may be objects that need to be written to by the "world" user group. There may be folders into which content is uploaded, including images.

Therefore the chmod rights assigned to particular files must be differentiated. If you manage the site via FTP you can perform any action, but in many cases we work with our project without connecting via FTP, and then problems may arise if the rights are too low, while, conversely, if the access rights to a file or folder are too high, the security risk increases. Based on the above, we can give some recommendations for the practical application of CHMOD to a WordPress blog:

777 - for folders in which files are constantly being written and erased (for a cache folder)
755 - in relation to folders in which files are constantly written but not deleted
666 - for files in which you need to add an entry from time to time (for example, the .htaccess file)
644 - for read-only files (.php, .html, etc.)

How to Set CHMOD Permissions with FileZilla's FTP Manager

If you need to make changes while working with the resource but cannot because editing is forbidden, connect to the hosting server via FTP and change the access rights to 777. After making the changes to the file, however, it is recommended to set the previous CHMOD again.

Now more about how to do this using FileZilla. Open the program and connect via FTP to the hosting server. In the "Remote server" pane on the left side, first mark the files whose attributes will be edited.

Then, from the context menu opened with the right mouse button, select "File Permissions". A dialog box titled "Change File Attributes" will appear.

Here we assign the desired CHMOD values for the selected file or files. But this applies only if you selected a file or a group of files. If you want to set or change the CHMOD values for a directory (folder), selecting "Change file attributes" brings up a similar window that differs slightly from the one above.

You see, there are additional settings here. If you check the box next to "Redirect to nested directories", the specified access rights will also be applied to the directories (folders) and files nested in this directory. When this box is checked, the group of settings below it becomes active, and you will also need to choose how to apply the settings: to all files and directories, only to files, or only to directories.

Today I would like to talk about file and folder permissions. This concept came to the world of webmastering from Linux (Unix-like) systems, on which most hostings run.

The name Chmod itself is the name of a Linux program that lets you assign access rights to various objects. And since your site is installed on a server running one variant or another of Linux (Unix), work with the objects of your website is subject to the rules established by Linux (Unix) operating systems.

In Windows, virtually all files are given maximum permissions, which in fact leads to the dominance of viruses on our computers and, in turn, keeps the owners of antivirus companies from going hungry. In Linux (Unix) systems things are different: everything is more complicated, but at the same time safer. If everything is set up correctly and with skill, you can significantly increase the security of your website.

Basic concepts of file and folder permissions

If everything is left to chance and you do not bother to set the necessary privileges, the probability of your resource being hacked or infected with malicious code will be very high. It is good if you have backed up all your data, but what if not?!

Therefore it is better to configure and change Chmod for all important objects in your engine right away, based on the principle of minimalism. That is, give objects the minimum rights necessary for the correct operation of the website.

Let's first get to the essence of the issue in order to understand what exactly we are configuring and how. So let's get started. Access rights are defined separately for files and for directories. They are designated the same way, but mean slightly different things.

For files, the possible rights are:

  • r - the right to read data.
  • w - to change the content (writing - only changing the content, not deleting).
  • x - to execute the file.

Let's dwell a little more on the possibility of executing a file. The point is that in Linux any file can be executed. Whether it is executable is determined not by its extension (the concept of an extension is absent in the Unix file system) but by its Chmod access rights. If a file has the "X" execution right, it can be launched for execution.

For directories it is possible:

  1. r - the right to read the directory (you can read the contents of the directory, i.e. get a list of objects in it)
  2. w - to change the contents of the directory (you can create and delete objects in it, and if you have write permission, then you can delete even those files that do not belong to you)
  3. x - to enter a directory (it is always checked first, and even if you have all the necessary privileges on an object buried deep in a chain of directories, but lack the "X" attribute on at least one directory on the path to that file, you will not get through to it)
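To see how the "x" check on every directory along the path decides whether a file can be reached, here is an added Python example (not from the original article). It models only the nine mode bits for one class of user; the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Bit position of each class inside the mode word.
SHIFT = {"u": 6, "g": 3, "o": 0}


def blocking_component(root, relpath, cls="o"):
    """Return the first component of relpath that class cls cannot pass, or None.

    Every directory on the way needs x for that class; the final file needs r.
    Only the nine mode bits are modelled: no ACLs, no superuser override, and
    root itself is assumed to be reachable.
    """
    parts = os.path.normpath(relpath).split(os.sep)
    current = root
    for index, part in enumerate(parts):
        current = os.path.join(current, part)
        bits = (os.stat(current).st_mode >> SHIFT[cls]) & 0o7
        is_last = index == len(parts) - 1
        needed = 4 if is_last else 1      # r on the target, x on each directory
        if not bits & needed:
            return os.path.join(*parts[: index + 1])
    return None


def can_list(root, relpath, cls="o"):
    """Listing a directory needs r on it; x alone only lets you pass through."""
    bits = (os.stat(os.path.join(root, relpath)).st_mode >> SHIFT[cls]) & 0o7
    return bool(bits & 4)


def build_sample_site():
    """Constructed sample tree: three directories, each holding one 644 file."""
    root = tempfile.mkdtemp(prefix="site-")
    for name, dir_mode in (("public", 0o755), ("private", 0o750), ("blind", 0o711)):
        path = os.path.join(root, name)
        os.mkdir(path)
        file_path = os.path.join(path, "data.txt")
        with open(file_path, "w") as handle:
            handle.write("constructed sample\n")
        os.chmod(file_path, 0o644)
        os.chmod(path, dir_mode)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel in ("public/data.txt", "private/data.txt", "blind/data.txt"):
        print(rel, "-> blocked at", blocking_component(site, rel, "o"))
    print("other can list blind/:", can_list(site, "blind", "o"))
```

The 644 file under the 750 directory is unreachable for "other" even though its own mode allows reading, while the 711 directory lets "other" open a file whose name is already known but not list the directory.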

In Linux systems, all this is assigned by the main administrator of the computer, who gains access by entering a password. And if most of the objects have read-only rights, there will be practically nothing for viruses to do on such a computer, since they will be able neither to write themselves there nor to be executed afterwards. It is this result that we need to achieve by setting the necessary Chmod on the objects of our site.

Privileges for User Groups

The privileges themselves fall into three categories, depending on who is accessing the object:

  • "user" - u (directly the owner of the file)
  • "group" - g (member of the same group as the owner)
  • "world" - o (everyone else)

The server determines which user group you belong to when you connect to it. When you connect to a server via FTP, for example, you log in with your username (and password), and the server then assigns you to the "user" ("u") group.

Other users who also connect via FTP to the server will be assigned to the “group” (“g”) group, and a visitor who comes to your website using his browser falls into the “world” (“o”) group.

Combinations of the three possible values "r", "w" and "x" for the three categories "u", "g" and "o" define the chmod of a file. If a right is not granted, it is replaced by a hyphen "-". Privileges are specified sequentially in the given order:

  1. first the rights for the owner - "u"
  2. then for the group - "g"
  3. and at the end - for everyone else - "o"

After the server assigns the visitor to a certain group, it grants him the rights to act on objects, after which the visitor will be able to read, write or execute the file (depending on what his group is allowed to do with this object).

To see the contents of a directory, it must have the read attribute "r" (for the group to which the server assigned the visitor). To create a file or folder inside an existing directory, that directory must have the write attribute "w".

For clarity, let's look at an example where the owner of the file ("user" - "u") has all the rights: to read, write to it and execute, and all other users only have the read privilege. Such a Chmod entry would look like this: "rwx r-- r--".

Let's consider it in detail: "rwx" (this entry sets the rights to the object for the owner, "u"), "r--" (this entry sets the rights to the same object when the visitor is assigned by the server to the group, "g"), "r--" (this entry sets the privileges on the object for all other users, "o").

What is the difference between file and folder permissions

It turns out that there are three user groups and three possible actions with objects. Not confused yet? Let's sort all of the above into tables. First, let's see how they differ:

As well as a table showing various Chmod combinations for different types of objects:

  • File: nothing can be done. Directory: access to the directory and its subdirectories is denied.
  • File: can see and edit content. Directory: you can add, delete and change files in the directory.
  • File: run, if the file is binary. Directory: the user can execute a binary file that he knows exists; accessing or reading the directory is prohibited.

Chmod expressed in numbers (777, 400, 666, 755, 444)

You can see that entries made of Latin letters and hyphens are used here to describe access rights, but you have probably already encountered the fact that Chmod is usually given numerically, for example the well-known combination 777, which allows everything to everyone.

Indeed, privileges are also indicated by numbers:

  1. r (read) is replaced by 4
  2. w (write) is replaced by 2
  3. x (execution) is replaced by 1
  4. 0 means no right (what a hyphen indicates in the alphabetic notation)

Let's go back to the example entry I gave a little earlier: rwx r-- r-- . If we replace the letters and hyphens in it with numbers, in accordance with the rule just described, and at the same time add the numbers in each triple, we get the digital form of this entry: 744.

That is, the sum of these numbers expresses the Chmod of a file or folder. For example:

  • 7 (rwx) = 4 + 2 + 1 (full rights)
  • 5 (r-x) = 4 + 0 + 1 (read and execute)
  • 6 (rw-) = 4 + 2 + 0 (read and write)
  • 4 (r--) = 4 + 0 + 0 (read only)
  • etc.

This table lists all possible combinations of privileges, numerically recorded:

And now let's look at various combinations of entries in numbers, in relation to user groups:

You yourself (except when you access the site via FTP) and all other visitors to your resource belong to the "world" group (everyone else), so when working with the website we first need to look at the last (third) digit of this entry.

For a script to be able to "run the file" when a user works with the site, it is enough that the rights set on it start from "4" (r--, read only); 5, 6 and 7 are also suitable, but redundant in terms of security.

For the directory in which the file of this script is located, you need to set at least "5" (r-x - you can go to the directory and read its contents, you cannot delete or add). 7 is also suitable, but it will also be superfluous in terms of security.

If you need the script to not only read, but also “write” some data (for example, entered by the visitor), then the minimum rights to the “folder” will still be “5”, but for the “file” you will need “6” (read and write).

Most likely, on the server to which you copied the contents of your site engine, the following Chmod will be set on objects:

If you had a resource consisting of only html pages, then it would be possible to leave everything as it is. But modern sites are built on engines, and there may be objects that need to be written to on behalf of visitors from the "world" group - o (everyone else). These can be directories used for caching pages or those in which pictures, etc., will be loaded in the course of working with the site.

Of course, if you access the site via FTP, you will be able to write to these files or directories, but working with the web interface as a normal user, you may have problems. Therefore, the installation of certain rights must be approached selectively:

for all directories in which files should be written, but do not need to be erased regularly

for folders in which files should be written and erased (for example, for the cache)

for simple read-only files (.html, .php, etc.)

for files that may need to be written to (for example, with .dat databases)

How to assign Chmod using PHP

How can all this be put into practice for your site? In principle, everything is simple. To assign access rights, you can:

But if Chmod cannot be changed on some files, you can try to assign it by means of PHP. You can use the following code:

You will need to replace file_name_x.php and directory_name_x with the real names of the files and folders whose rights you want to change. Accordingly, 666 will be set for files and 777 for directories. Put this PHP code into a file using any text editor and give it a .php extension, for example prava.php.

Copy prava.php via FTP to the directory in which access rights cannot be assigned by regular means. In the browser's address bar, enter the path to prava.php and press "Start" or Enter on the keyboard. That's it: the privileges will now be changed by means of PHP.

For Joomla, immediately after installing it, you can set 777 to the following directories:

administrator/backups/ administrator/cache/ administrator/components/ administrator/modules/ administrator/templates/ cache/ components/ images/ images/banners/ images/stories/ language/ language/en-GB/ language/ru-RU/ media/ modules/ plugins/ plugins/content/ plugins/search/ plugins/system/ templates/

After you have installed all the extensions for Joomla and made the final settings, Chmod on most of the above directories should be returned to 755 in order to increase the security of the site. You will need to leave 777 on the directories with the cache, backups and pictures.

For engine files located in the root of the site, except for sitemap.xml, it is better to set 444 (read-only for all visitor groups). On setting.php, it is sometimes advised to even set 400.

I can give exactly the same advice about setting access rights to objects in the SMF and WordPress engines. It is desirable, where possible, to permanently leave 755 on directories (except for the cache, pictures and backup directories mentioned above, and maybe some more, as needed) and 644 on files.

It is better to put 444 on the files in the root of the site.

If, when working with the site, a problem arises because settings cannot be written to some file or some directory cannot be created, you can temporarily put high rights on them (777, for example) and then return everything back (out of harm's way). And by no means leave unreasonably high Chmod in place (for ease of use of the site).
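The advice above (755 on directories, 644 on files, higher modes only temporarily) can be checked mechanically. The following Python code is an added example, not code from the original article: it walks a site directory and reports every entry whose mode grants more than that baseline. The function names, the allowlist parameter and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

DIR_BASELINE = 0o755    # recommended mode for directories
FILE_BASELINE = 0o644   # recommended mode for files


def describe(bits):
    """Render permission bits per class, e.g. 0o022 -> 'g+w,o+w'."""
    parts = []
    for cls, shift in (("u", 6), ("g", 3), ("o", 0)):
        triple = (bits >> shift) & 0o7
        letters = "".join(ch for ch, bit in (("r", 4), ("w", 2), ("x", 1)) if triple & bit)
        if letters:
            parts.append(f"{cls}+{letters}")
    return ",".join(parts)


def audit_tree(root, writable_ok=()):
    """List entries under root whose mode grants more than the baseline.

    writable_ok: directories (relative to root) that may exceed the baseline,
    such as a cache folder; they are skipped together with their contents.
    Returns sorted (relative_path, octal_mode, excess) tuples.
    """
    allowed = {os.path.normpath(p) for p in writable_ok}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune allowlisted directories so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames
                       if os.path.relpath(os.path.join(dirpath, d), root) not in allowed]
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)                  # lstat: never follow symlinks
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            baseline = DIR_BASELINE if stat.S_ISDIR(st.st_mode) else FILE_BASELINE
            extra = mode & ~baseline & 0o777
            if extra:
                rel = os.path.relpath(full, root)
                findings.append((rel, format(mode, "03o"), describe(extra)))
    return sorted(findings)


def build_sample_site():
    """Constructed sample tree imitating a site left with temporary 777/666 modes."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for name, mode in (("index.php", 0o644), ("config.php", 0o666), ("run.sh", 0o755)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    for name in ("cache", "uploads"):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, 0o777)
    return root


if __name__ == "__main__":
    for finding in audit_tree(build_sample_site(), writable_ok=("cache",)):
        print(*finding)
```

Run it after any maintenance session in which modes were raised: an empty result means nothing under the site root exceeds the baseline apart from the directories you allowlisted.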

Good luck to you! See you soon on the pages of the blog.
