Damn linux permissions

Sick and tired of spending endless hours on linux permissions? You are not alone. At least they are here for a good reason.

This article is written upside down. First there is the interesting information about linux permissions you have been looking for, then comes the more academic information for those looking for a deeper understanding.

Linux permission numbers explained

There are three numbers in a permission sequence. Each number counts from 0 to 7 and here is what each of them means:

Noticed something wrong with this table? Of course not, but there are at least two things to notice.

One thing is that number counting from 0 to 7 is only one number. You usually need three numbers. Like a 644 or a 777. Unix systems (linux, mac etc.), unlike windows, have permissions for each file but they also have an owner and a group. This information is usually overlooked. They only tell you about permissions but not about the owner and the group of a file. Owners are users of the linux system and groups are groups of users. I will give you a few useful information later about that, but for the moment, the three numbers in a permission sequence correspond to the

Owner, Group, Others

So, a 644, means that the owner of the file has permission 6 (rw-) and the group and the rest of the users for this file have a permission 4 (r--).

The second important thing to know about that table is for people working on websites. In the web, we usually don't need to execute files; we just the read and write permissions. But directories need to open, so the execute permission is required only for directories. Some of the people making suggestions for permissions tell you to make everything a 777, but as I will explain later this can sometimes be a security risk.

File owners and groups

*** This is the reason why we wrote this article ***

As I explained above, each file in unix systems (linux, mac etc.) has a user as its owner, and a group it belongs to. If you are coming from windows, this may sound weird. Even if you are a proud Mac user, you don't usually see this kind of information because Apple wants to keep it simple, so you end up proud and under-educated.

In the web environment, there are usually two users we care for. These two users are the ones that create a lot of confusion. So focus and make sure you understand this section.

Our websites are hosted on web servers. The web servers running linux have lots of users in them. One of them is you. When your webhosting administrator opens an account, s/he creates a user which represents you. In most cases the administrator asks you to use an FTP program to transfer files. The word FTP is something many webmasters are familiar with, so usually your user name may be referred to as the "FTP user".

The other important user in linux systems is the "web" or "apache" or "php" user. This is not you, obviously. This user corresponds to the web server (apache) and PHP.

Now here is what creates the confusion. When you upload a file with your FTP program, the files are created with you as their owner. If you run scripts and the scripts create files, their owner is the web user. It is very common for a website to have some files owned by the FTP user, and some other files by the web user. This is the reason why most of the times you set the right permissions, but despite your best intentions, your effort fails. This is also the reason why you may have set the permissions they told you, but a web virus still managed to hack your files.

Let's see a real world example to make all this easier to understand. Let's say you just used your FTP client to upload the files of your favorite CMS (pick anyone you like, WordPress, Joomla!, Drupal, anything). Your files are uploaded with the FTP program so the owner is you. Now, let's say some script from the CMS is trying to modify files. The permission 644 will probably not be enough because it gives a 6 (read + write) to the owner of the file, which is the FTP user, but only a 4 (read) to the web user. So in this case you would need to make it a 646 or most likely a 666, or even a 777, so that "others" have enough permissions to modify the file. Now, let's re-run the same scenario but this time we assume that you uploaded a zip file with your CMS, and you unzipped it from the web browser. If you did that, the web server is the one responsible to extract the files, so all the unzipped files will have the web user as their owner. They still have a 644 permission like before. This time though a 644 is enough because it gives a 6 (read + write) to the web user.

Next on this article you will find some good ideas on how to protect your website by setting the right owner to a file. For the time being you need to understand that in linux web servers, some files belong to you and some to the web user. The FTP programs usually don't inform you about the owner and group of files. If you want to know who is a file's owner is by using a file management software from within your web site.

Why don't they abolish owners and permissions?

Because of viruses and security. One of the most important user in unix systems is the "root" user. The core files in a unix system belong to the root. The root is the king of the unix core and no-one is allowed to mess with his files. This is one of the main reasons why Linux and Mac have so few viruses, if any. There is of course the security of your own files in the web server which is also benefited from this infrastructure.

There are lots of reasons why your website may get hacked or defaced even if permissions are set correctly. This doesn't mean that this system of owners and permissions is a bad thing. If you learn how it works it will help you sort out the confusion and make you feel safer instead of angry.