PHP file permissions

I am setting up shared hosting. My users have SFTP access to the server to upload their content. I use separate PHP processes that run as their respective users (one per site). I want users not to see the contents of other users by default (with the exception of the web server, like any other unprivileged client), but the web server (running as the www-data user / group) should be able to read everything. Right now I am assigning ownership of the web files to the individual users with the www-data group, and using the setgid bit to propagate the group ownership to new files / directories (users are not in the www-data group).

This worked well, but now I am facing a problem. Some sites use WordPress, and when they upload files, the setgid bit is lost, which means that the web server does not have access to them. Is there a way to configure PHP or WordPress (more likely) to chmod files and directories to the correct permissions?

Note: I do not use PHP safe mode, so it should be able to set the setgid bit.

Update: I tried setting the values of FS_CHMOD_DIR and FS_CHMOD_FILE in the WordPress configuration. I assumed that this would allow me to chmod uploaded files to whatever I wanted. However, this did not affect the permissions of new uploads. From the information in the Codex, I think that these settings apply only to the core update function.

Thanks!


This is not an answer to the specific question, but rather a solution to the problem as a whole. Assign ownership of the user's web directory to user:www-data and set its permissions to 750, without the setgid bit. Users must not belong to the www-data group. Inside this directory, however, group ownership can be set to the user's primary group (for example, users). Permissions inside can be 644 and 755 for files and subdirectories, respectively. Security is ensured by the fact that other users will not be able to enter or traverse this web directory and, therefore, will not be able to access any files inside, even if they have sufficient permissions on the files themselves. This restricts both users connecting via SFTP and PHP processes.

Since this solution does not use the setgid bit, it solves the original problem. Uploaded files can be left with their default ownership and permissions.

A little demo:

    transistor# mkdir www
    transistor# chown :www-data www
    transistor# chmod 750 www
    transistor# ls -l
    total 4
    drwxr-x--- 2 root www-data 4096 Feb 20 20:59 www
    transistor# touch www/file1.txt
    transistor# mkdir www/subdir
    transistor# touch www/subdir/file2.txt
    transistor# ls -l www
    total 4
    -rw-r--r-- 1 root root    0 Feb 20 21:00 file1.txt
    drwxr-xr-x 2 root root 4096 Feb 20 21:00 subdir
    transistor# ls -l www/subdir
    total 0
    -rw-r--r-- 1 root root 0 Feb 20 21:00 file2.txt
    transistor# exit
    giedrius@transistor:/tmp/sandbox$ cd www
    bash: cd: www: Permission denied
    giedrius@transistor:/tmp/sandbox$ ls www/subdir
    ls: cannot access www/subdir: Permission denied
    giedrius@transistor:/tmp/sandbox$ cat www/file1.txt
    cat: www/file1.txt: Permission denied
    giedrius@transistor:/tmp/sandbox$ cat www/subdir/file2.txt
    cat: www/subdir/file2.txt: Permission denied
    giedrius@transistor:/tmp/sandbox$ sudo -su www-data
    transistor% ls www
    file1.txt  subdir
    transistor% cat www/file1.txt
    transistor% cat www/subdir/file2.txt
    transistor%
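An audit script for the layout described in the answer above, added here as an example (it is not the answerer's code). It checks that a site root is group-owned by the web server group with mode 750 and no setgid bit, and that everything below stays readable through the "other" permission bits, which is exactly the condition a WordPress upload left at mode 600 would break. The sample tree built by build_demo_tree is constructed for the demo and mirrors the answer's www/file1.txt and www/subdir/file2.txt plus one deliberately wrong upload; since changing group ownership needs root, the demo passes the tree's own gid where a real host would pass the gid of www-data.

```python
import os
import stat
import tempfile


def audit_site_root(site_root, web_gid):
    """Return a list of policy violations for one site's web directory.

    Policy from the answer above: the site root is group-owned by the web
    server group with mode 750, so only the owner and the web server may
    traverse it. Everything below keeps default modes (644 files, 755
    directories) and the web server reads them through the "other" bits,
    so a file an upload left at 600 would be unreadable by www-data.
    """
    problems = []
    st = os.lstat(site_root)
    if not stat.S_ISDIR(st.st_mode):
        return ["%s: not a directory" % site_root]
    mode = stat.S_IMODE(st.st_mode)
    if st.st_gid != web_gid:
        problems.append("%s: group is gid %d, expected gid %d"
                        % (site_root, st.st_gid, web_gid))
    if mode & 0o007:
        problems.append("%s: mode %o lets other users traverse it, expected 750"
                        % (site_root, mode))
    if mode & 0o050 != 0o050:
        problems.append("%s: mode %o denies the web server group r-x, expected 750"
                        % (site_root, mode))
    if mode & stat.S_ISGID:
        problems.append("%s: setgid bit is set, this layout does not need it"
                        % site_root)

    # Below the root, www-data is neither owner nor group member, so it
    # depends on the "other" bits: o+rx on directories, o+r on files.
    for dirpath, dirnames, filenames in os.walk(site_root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            m = stat.S_IMODE(os.lstat(path).st_mode)
            if m & 0o005 != 0o005:
                problems.append("%s: directory mode %o blocks the web server (needs o+rx)"
                                % (path, m))
        for name in filenames:
            path = os.path.join(dirpath, name)
            m = stat.S_IMODE(os.lstat(path).st_mode)
            if not m & 0o004:
                problems.append("%s: file mode %o is not world-readable, "
                                "the web server cannot serve it" % (path, m))
            if m & 0o002:
                problems.append("%s: file mode %o is world-writable" % (path, m))
    return problems


def build_demo_tree():
    """Create a constructed sample site under a temp dir and return its root.

    Mirrors the answer's demo (www/file1.txt, www/subdir/file2.txt) and adds
    uploads/private.jpg left at mode 600, the failure mode the question hit.
    Group ownership cannot be changed without root, so the tree keeps the
    caller's own group; pass that gid to audit_site_root in the demo.
    """
    base = tempfile.mkdtemp(prefix="hosting-demo-")
    root = os.path.join(base, "www")
    os.mkdir(root)
    os.chmod(root, 0o750)  # chmod after mkdir so the umask cannot interfere
    subdir = os.path.join(root, "subdir")
    uploads = os.path.join(root, "uploads")
    for d in (subdir, uploads):
        os.mkdir(d)
        os.chmod(d, 0o755)
    for path, m in ((os.path.join(root, "file1.txt"), 0o644),
                    (os.path.join(subdir, "file2.txt"), 0o644),
                    (os.path.join(uploads, "private.jpg"), 0o600)):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, m)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    # On a real host use grp.getgrnam("www-data").gr_gid instead of the tree's own gid.
    for problem in audit_site_root(root, os.stat(root).st_gid) or ["no violations"]:
        print(problem)
```

Running it against a real site root with the gid of www-data reports every file PHP (or an SFTP user) has left unreadable to the web server, without relying on the setgid bit that the question found WordPress uploads dropping.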

See this article.
And this.

