How to change file permissions in APACHE to improve security.
The Objective: To recursively update the files / folders within your public web folder to prevent unauthorized changes.
The Rub: Permissions can prevent modification but are NOT infallible. Anyone with valid FTP or SSH access may still update files associated with that account.
File Ownership: All Files / Folders have an OWNER and a GROUP association. In most APACHE hosting environments, the GROUP and OWNER of each file / folder will be the username for the hosting account. The same account username is typically provided as the FTP or SSH username, which gives full control over all files / folders.
File Permissions: Files and folders have 3 permission flags (Read, Write, Execute) for each of the 3 access groups (Owner, Group, Public). In the example below, we will be setting all folders for READ / EXECUTE and all files for READ. In some environments, EXECUTE may not be required and should be avoided.
For many installations, there are specific files / folders that may need to have WRITE permissions. Also, depending on your specific *Nix / Apache configuration, you may need to adjust the specific permissions to achieve the desired effect.
The FIND & CHMOD Commands
First we need to connect via SSH to the web server. In Windows, you can use a great tool called PuTTY. Once connected, navigate to the folder that you wish to start your changes from. In many cases, this will be /home/username/public_html.
All PHP File Permissions:
We search for Files (-type f) matching *.php (-name "*.php"), then execute CHMOD with the permission 0444 for each:
find . -type f -name "*.php" -exec chmod 0444 {} \;
All HTML File Permissions:
We search for Files (-type f) matching *.html (-name "*.html"), then execute CHMOD with the permission 0444 for each:
find . -type f -name "*.html" -exec chmod 0444 {} \;
All Folder Permissions:
We search for Folders (-type d), then execute CHMOD with the permission 0555 for each:
find . -type d -exec chmod 0555 {} \;
Recursively find folders on your hosting server that still have owner WRITE permission (mode 0755, listed as drwxr-xr-x):
find "$PWD/" -type d -exec ls -Ald {} \; | grep drwxr-xr-x
Handling Exceptions
Ok, now we've got some errors because some folders need WRITE permission so that the software can store images, logs, etc.
Navigate to the folder in question, for example /home/username/public_html/images
Then override your previous changes with a similar command, giving each folder the 0755 permission (Read / Execute / Owner-Write).
find . -type d -exec chmod 0755 {} \;
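The steps above combined into one script, as an added example that is not part of the original page. The function names harden_webroot and list_writable are hypothetical, and the web root and exception folder names are whatever the caller passes in. The second function reports anything still writable afterwards, including files the *.php / *.html patterns never touched.

```shell
#!/bin/sh
# Added example (not from the original page). The web root path and the
# exception directory names passed in are assumptions chosen by the caller.

# harden_webroot ROOT [WRITABLE_SUBDIR ...]
# Applies the modes used above: directories 0555, *.php and *.html files 0444,
# then restores 0755 on each named subdirectory tree that must stay writable.
harden_webroot() {
    root=$1
    shift
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }

    # -exec ... {} + batches paths into few chmod calls instead of one per file.
    find "$root" -type f \( -name '*.php' -o -name '*.html' \) -exec chmod 0444 {} +
    find "$root" -type d -exec chmod 0555 {} +

    # Exceptions: upload, cache or log folders the application writes to.
    for sub in "$@"; do
        if [ -d "$root/$sub" ]; then
            find "$root/$sub" -type d -exec chmod 0755 {} +
        else
            echo "skipping missing exception: $root/$sub" >&2
        fi
    done
}

# list_writable ROOT
# Prints every file or directory under ROOT that still has any write bit set
# (owner, group or other), so remaining exceptions can be reviewed by hand.
list_writable() {
    find "$1" ! -type l \( -perm -200 -o -perm -020 -o -perm -002 \) -print
}

# Run only when arguments are given, e.g.:
#   sh harden.sh /home/username/public_html images
if [ "$#" -gt 0 ]; then
    harden_webroot "$@" && list_writable "$1"
fi
```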
CHMOD Octals Worksheet
0777 = 0UGO = (Zero), User, Group, Other
(R)ead = 4
(W)rite = 2
E(X)ecute = 1
If we want to know what 0754 means, we can do this!
0 = Ignore first digit - always Zero
7 = 4 + 2 + 1 or Read + Write + Execute
5 = 4 + 1 or Read + Execute
4 = 4 or Read
If we want to create the octal value, we can do this!
To solve for:
U = Read + Execute
G = Read
O = Read
We would add:
U = 4 + 1 = 5
G = 4
O = 4
Then put a Zero (0) at the front to get the result:
0544