Permissions
-----------

On a Unix-like system, an ls -l command displays permissions and ownership for each file or directory displayed. The first part is a series of symbols to describe the permissions. For example a typical directory and file may have these permissions:

    drwxr-xr-x dir
    -rw-r--r-- file

The first column with a d (for directory) or - (for file) identifies the type of resource being listed. There are other options such as l (for symbolic link), b (for block device), etc. After this there are three groupings of "rwx" for read, write, execute. If a value is represented by a - then it is off for that user.

There is a binary value associated with each bit position in the permission values: r=4, w=2, x=1. Add the values for each one which is on. In the examples above, the directory has permissions of 755 (4+2+1=7, 4+0+1=5) and the file is 644 (4+2+0=6, 4+0+0=4).

New files or new directories will often get permissions like the samples based on the umask setting. Running the umask command will reveal the current value for your user. For these examples, it will usually be 0022.

The three groupings relate to the owner of the file or directory, group associated with the file or directory, and every other user on the system. The name of the user and the name of the group are identified in an ls -l listing. The first name is the owner and the second is the group. Normally, a non-privileged user can only set group associations on a file or directory if they are a member of that group.

It can be useful to set the ownership of the file to the log-in user (you) and the group to the webserver user (often "nobody" or "apache", etc.). Then, if you used permissions of 664, you could write to the file, the members of the group could write to the file, but other users could not. However, in a shared hosting environment, any PHP script on the server could, in theory, write to the file.

The same sort of problems exist if you set a file's permissions to 666. Then the owner, members of the group, and any other user have read and write permissions on the file.

You say that it's not a big deal if someone can overwrite the file. However, if they are able to write to it, they can change its name. If they can do that, they can write PHP or other executable content and do all sorts of damage until the file can be restored to a proper value.

Files which are writeable by users other than the owner should not be in the main web space. Often you will have a directory above or otherwise outside the web space which is considered a "home" directory of sorts. You could put a writeable file or directory and let PHP scripts access this.

A prime example of this issue is where to store files uploaded by web users to your page, especially anonymous ones. The files should be placed in a directory outside of the web space. Then, when the content of the files needs to display these to the web, create a handler script to access the non-web directory. This script can check to ensure that the user is logged in, file is a certain type, etc., before the file contents are grabbed.

James Keeline
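
The handler script described in the post above, sketched in PHP as an added example (it is not code from the original message). The upload path, the `name` query parameter, the `user_id` session key and the allowed type list are all assumptions made for illustration.

```php
<?php
// download.php: added example, not from the original post.
// Assumptions: uploads are stored in /home/example/uploads (outside the web
// root), the login code sets $_SESSION['user_id'], files are requested as
// ?name=<file>, and the fileinfo extension is enabled.
declare(strict_types=1);

const UPLOAD_DIR    = '/home/example/uploads';   // hypothetical path
const ALLOWED_TYPES = ['image/png', 'image/jpeg', 'application/pdf'];

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

session_start();
if (empty($_SESSION['user_id'])) {
    deny(403);                  // only logged-in users may fetch files
}

// basename() drops any directory part, so "../../etc/passwd" becomes "passwd".
$raw  = $_GET['name'] ?? '';
$name = is_string($raw) ? basename($raw) : '';
$base = realpath(UPLOAD_DIR);
$path = realpath(UPLOAD_DIR . '/' . $name);

// realpath() resolves symlinks; the result must still sit inside UPLOAD_DIR
// and be a regular file.
if ($name === '' || $base === false || $path === false
    || strncmp($path, $base . '/', strlen($base) + 1) !== 0
    || !is_file($path)) {
    deny(404);
}

// Decide the type from the file's content, not from its name or the request.
$type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($type, ALLOWED_TYPES, true)) {
    deny(415);
}

header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');   // stop browsers re-guessing the type
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode($name));
readfile($path);
```

Because the script only reads from the upload directory and never includes or executes what it finds there, a file that slips past the type check is still sent as data rather than run as PHP.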