What is the best practice for permissions with PHP files? When should they be writable, or executable? What owner is best? I'm using an Apache server.
asked Jun 27, 2011 at 17:13 Kirk Strobeck

Are you talking about the file permissions of the web server (eg: apache)?
Commented Jun 27, 2011 at 17:07

great, thnx for the tip
Commented Jun 27, 2011 at 17:12

You need to provide more details, how are you uploading your files? (SSH/SFTP, FTP, controlpanel?, . ) You mentioned ownership, do you have root access to the box? What user is Apache running? If possible, what distro are you using? See also webmasters.stackexchange.com/q/13658/6597
Commented Jul 2, 2011 at 8:10

Also see What permissions should my website files/folders have on a Linux webserver? on Serverfault.
Commented May 28, 2016 at 17:00

PHP scripts should be editable by the owner, readable by a group the apache user is in, and optionally readable by anyone. They don't need to be executable. Ideally, most of the php scripts should be outside of a web-accessible folder, especially any configuration files. This way even if there is a problem with the apache configuration, your php files will never be exposed to the web. Often you'll just have an index.php page which calls require_once() on a script in the protected directory outside the web-accessible folder. A .htaccess file rewrites all incoming requests so that they go through the index.php, which then uses the router in the protected directory to figure out what to serve.
answered Jun 27, 2011 at 17:43 Bob Baddeley

I like this answer but could you expand with some ie. 0777, 755, 655 kind of numbers, I need to know how to actually set the files
Commented Jul 5, 2011 at 16:21

@Kirk Strobeck: editable (read/write) by the owner, readable by a group, and readable by anyone = 644
Commented Jul 5, 2011 at 17:29

as Marco said, permissions go in order of owner, group, anyone, where read is 4, write is 2, execute is 1, and you add them together. So if you want something read only, it would be 4. If you want read and write, it's 6 (4+2), and if you want all permissions, it's 7 (4+2+1). Most php files will have 644 because the owner has to be able to edit it, everyone needs to be able to read it, and nobody needs to execute it (in the strictly unix sense. php is the executable and it's reading the files, parsing them, and doing stuff with them, so unix isn't actually executing them).
Commented Jul 5, 2011 at 18:38

also, the 0 at the beginning is optional and useless. It's just saying the number is octal, but since permissions never go above 7, it's pointless to specify.
Commented Jul 5, 2011 at 18:39

it's still not clear how to deal with php upload routines? if we have 644 permissions for files and 755 for directories, php won't be able to write to project directory. if we set 775 permission for folder, httpd will be able to write, but the files it creates will have httpd owner and it will be impossible to modify them using regular user account.
Commented Jul 14, 2015 at 10:30

You may be confusing the roles of PHP and the file system. PHP does not have read, write, or executable permissions. Those are handled by the underlying filesystem (ext4, NTFS, etc).
You can use PHP functions such as is_writable() and is_readable() to determine the permissions of a given file, and chmod() to change them.
answered Jun 27, 2011 at 17:07 George Cummins

Basically most functions / methods attempting to write to a file in PHP should have an idea like this:
    function writeSomething( $file ) {
        if ( !is_writable( $file ) ) {
            // attempt to make it writable
            if ( !chmod($file, 0777) ) {
                // could not make file writable
                // log the error.
                return false;
            }
        }
        // perform the writing here..
    }
It is a good idea to make sure that you can access the file before attempting to do it, because it's always better to show the user a custom error like "There was a problem" than showing a classic PHP error like "Unable to write to file. " or something.
Hope I can help!
answered Jun 27, 2011 at 17:13 David Conde

755 for folders and 644 for php and other files.
answered Feb 24, 2015 at 19:32

This is similar to advice given in other answers. Can you explain what makes your answer more correct, link to documentation, and explain how to set permissions?
Commented Feb 24, 2015 at 21:34

Why does Other have read on files and read+execute on folders (0644 and 0755)? Shouldn't entitlements be limited to User and Groups for a web server on Linux? What benefit does it provide? What risk does it expose?
Commented May 28, 2016 at 17:03

0655 is the best permission level. There's really no reason for changing your files above this. Of course there may be a folder here or there that requires some write permissions, but for everything else 0655 will work.
As a tip, make sure that all of your files are owned by apache. This can easily get changed if you ftp'd your files onto the server. So make sure you set them to apache for production sites. This will eliminate a lot of permission issues when running such a tight ship.
answered Jul 2, 2011 at 8:06 capitalaudience.com

umad? 655 = read+write for owner, read+execute for others. Bad Idea(tm) Whether the files are owned by apache or not depends on the purpose of the files. For a static website, it's better that the files are not writable to avoid attacks in case a hole is found in the code.
Commented Jul 2, 2011 at 8:11

Here again: Why should any (PHP-)file be executable? Also - if the files are owned by Apache, you will have problems changing anything via FTP or SVN if you haven't root access. Better to use a user-group, which includes the Apache (on most webspace-accounts I saw it was www-data).
Commented Jul 5, 2011 at 11:09

Commonly used permissions for cPanel are:
Why does Other have read on files and read+execute on folders (0644 and 0755)? Shouldn't entitlements be limited to User and Groups for a web server on Linux? And why are you allowing anyone to read configuration files (0444)? What benefit does it provide? What risk does it expose?
Commented May 28, 2016 at 17:05

PHP in itself is a scripting language. I'm gonna assume you (op) want to know about best file permissions in web folders.
It really depends on what you're trying to achieve with the server you're with as well as what remote users should have access to, etc.
If you're only using the server solely for the purposes of publishing web pages via PHP scripts, then the file permissions 755 would work well (not 655), that way the owner of the PHP file has full control of it while the rest of the world (including the group the user is in) will only be able to read the file and execute it.
For improved security, then use file permissions 711 so that the world would at best only be able to execute the file. Also, consider adding functionality to the apache server that causes it to switch the user on every request for even greater security. By this, I mean add mod_ruid2 module, or suPHP module, etc.
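
The 644-for-files, 755-for-directories scheme that several posts above arrive at, together with the comment that a static site's files should not be writable by the server, written out as an added shell example that is not part of any post in this thread. The function names and the sample tree are hypothetical; pass the account your Apache actually runs as (the thread mentions www-data) to `server_writable`.

```shell
#!/bin/sh
# Added example: audit a PHP tree against the 644-files / 755-directories
# scheme, then normalise it. Function names and sample tree are hypothetical.

# List paths that deviate: files with any execute bit or group/other write,
# and directories writable by group or other.
audit_webroot() {
    find "$1" \( \
        \( -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \
                   -o -perm -0020 -o -perm -0002 \) \) \
        -o \( -type d \( -perm -0020 -o -perm -0002 \) \) \
    \) -print
}

# List files that account $2 owns and can write to. For the web server
# account, these are the files a hole in the application could overwrite.
server_writable() {
    find "$1" -type f -user "$2" -perm -0200 -print
}

# Apply the scheme: directories 755, files 644 (PHP files need no execute bit).
harden_webroot() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree in a temp directory, so the demo runs offline.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/public/uploads" "$root/app"
    : > "$root/public/index.php"; chmod 755 "$root/public/index.php"
    : > "$root/app/config.php";   chmod 666 "$root/app/config.php"
    : > "$root/app/router.php";   chmod 644 "$root/app/router.php"
    chmod 777 "$root/public/uploads"
    echo "deviations before:"; audit_webroot "$root"
    harden_webroot "$root"
    echo "deviations after: $(audit_webroot "$root" | wc -l | tr -d ' ')"
    rm -rf "$root"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the audit first and read its output before calling `harden_webroot`: a directory that PHP must write to, such as an upload folder, will need its own mode and ownership afterwards.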