Joomla and file permissions

The permissions part should just work out of the box without fiddling.

There's no need to change the ownership of the files to nobody so that Apache can access them: Apache doesn't need to own the files for them to be accessible.
That's why the files are 644 or rw-r--r--, that is, they're readable by everyone, including Apache. Access control is enforced via the permissions on the public_html directory.

If you have a PHP script creating files, it will do so under the user's uid and gid, and you should ensure that the files and directories it creates have the world read bit set (i.e. mode 755 for directories and mode 644 for files). You'll only need to worry about this if these files are .html or .htm and are directly accessed by Apache, which is unusual.

644 means that files are readable and writeable by the owner of the file and readable by users in the group owner of that file and readable by everyone else.

755 is the same thing, it just has the execute bit set for everyone. The execute bit is needed to be able to change into the directory. This is why directories are commonly set to 755.

Regular HTML files need to be viewable by the Apache user (user nobody on cPanel servers). This user is typically not in the group that owns the file (and if it were, every user in a shared hosting environment would have to be in that group, which kind of defeats the purpose of limiting to 640 or 750), so the world section of the permissions needs to be set to readable.

Now in a suPHP environment, PHP files can just as easily be set to 600. This is because the PHP files are read by the web server as the username specified in the virtualhost section in Apache. In a non-suPHP environment, though, PHP files are still read by the Apache user and therefore would require a world-readable bit. Again, this would only apply to PHP parsed files, not regular .html or .htm files.

Most scripts have separate config files which include login information. And yes, for those files I would recommend that they are set to a permission setting of 600 to prevent others from reading them. Other PHP files could also be set to 600, but you're really not saving yourself anything if the PHP files have no critical information included. For example, setting the permissions on WordPress's main index.php file to 600 kind of defeats the point because someone can just download WordPress from WordPress's site and read the index.php file.

suPHP and PHP as CGI really are not a standard. PHP developers cannot recommend to set the permissions on the files to 600 because if PHP is running as a DSO module on the server, then using 600 permissions will not work. This is one reason why I think suPHP and PHP as CGI should be standard on any shared hosting server, but the owner of that server or the owner of the account on that server needs to realize that it is important to set the permissions on these config files to 600 and ignore the recommendations in the software's specifications.



phpSuExec | suPHP
-----------------------
755 (owner:owner) Folders
600 (owner:owner) PHP Scripts
400 (owner:owner) Configuration Files (config.php, etc)
600 (owner:owner) Script files requiring WRITE access
640 (owner:nobody) Non-Script Files, HTML, Images, etc
750 (owner:nobody) CGI/Perl Scripts

If you have no access to set up group ownership, set Non-Script files to 644 and CGI/Perl Scripts to 755.


DSO (Apache Module)
--------------------------
750 (owner:nobody) Folders
640 (owner:nobody) PHP Scripts
640 (owner:nobody) Configuration Files (config.php, etc)
660 (owner:nobody) Script files needing to have "WRITE" access
640 (owner:nobody) Non-Script Files, HTML, Images, etc
750 (owner:nobody) CGI/Perl Scripts

If you have no access to set up group ownership, set Folders to 755, PHP Scripts and Configs to 644, Non-Script files to 644, Write Files to 666, and CGI/Perl Scripts to 755.

Under suPHP (where the OWNER bit is relative), you can set PHP scripts as tightly as 0400 and they would work fine, though 0640 is most common.

0750 / 0755   Folders (OWNER = owner login : GROUP = nobody) / alternate if not able to set GROUP
0600          General PHP Scripts
0400          Configuration Scripts (e.g. config.php) and/or scripts that complain about being insecure or WRITABLE
0640 / 0644   General Files or Files that need WRITABLE access; this includes all your standard HTML files, Stylesheets, Images, Media Files, etc.
              *** These would be the ones the script authors tell you incorrectly to do 0777 ***
750 / 755     Perl / CGI Scripts
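
A way to check a docroot against the phpSuExec / suPHP values listed above, as an added example that is not part of the original page. The function names, the report labels and the Joomla file name configuration.php are assumptions of this example, and the sample tree is constructed.

```sh
#!/bin/sh
# Added example: report files that deviate from the suPHP table on this page.
# Labels and the name configuration.php (Joomla) are this example's assumptions.

audit_suphp() {
    root=$1
    # World-writable entries: the 0777 / 0666 settings warned about above.
    find "$root" ! -type l -perm -002 -print | sed 's/^/WORLD-WRITABLE /'
    # Folders: exactly 755.
    find "$root" -type d ! -perm 755 -print | sed 's/^/DIR-NOT-755 /'
    # Config files: 400, or 600 if the script must rewrite them.
    find "$root" -type f \( -name config.php -o -name configuration.php \) \
        ! -perm 400 ! -perm 600 -print | sed 's/^/CONFIG-NOT-PRIVATE /'
    # Remaining PHP scripts: 600 (400 also works under suPHP).
    find "$root" -type f -name '*.php' \
        ! -name config.php ! -name configuration.php \
        ! -perm 600 ! -perm 400 -print | sed 's/^/PHP-NOT-600 /'
}

# Constructed sample tree; prints its path.
build_sample() {
    t=$(mktemp -d) || return 1
    mkdir "$t/images" "$t/lib"
    : > "$t/index.php"; : > "$t/configuration.php"
    : > "$t/lib/config.php"; : > "$t/lib/page.php"
    chmod 755 "$t" "$t/lib"
    chmod 777 "$t/images"              # the "just set it to 0777" case
    chmod 600 "$t/index.php"
    chmod 644 "$t/configuration.php" "$t/lib/page.php"
    chmod 400 "$t/lib/config.php"
    printf '%s\n' "$t"
}

# Audit the path given on the command line, if any.
if [ $# -gt 0 ]; then audit_suphp "$1"; fi
```

On a DSO server the expected modes are the 640 / 750 values with group nobody from the second table, so the exact-match modes in the function would need changing before use there.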


http://forums.cpanel.net/f5/permissions-issues-139133.html

 


The Joomla!(R) name is used under a limited license from Open Source Matters in the United States and other countries. Securehotel.org.uk is not affiliated with or endorsed by Open Source Matters or the Joomla! Project.