CHMOD Files & Folders for Best Security in Apache

How to change file permissions in APACHE to improve security.

The Objective: To recursively update the files / folders within your public web folder to prevent unauthorized changes.

The Rub: Permissions can prevent modification but are NOT infallible.  Anyone with valid FTP or SSH access may still update files associated with that account.

File Ownership: All Files / Folders have an OWNER and a GROUP association.  In most APACHE hosting environments, the GROUP and OWNER of each file / folder will be the username for the hosting account.  The same account username is typically provided as the FTP or SSH username, which gives full control over all files / folders.

File Permissions: Files and folders have 3 permission flags (Read, Write, Execute) for each of the 3 access groups (Owner, Group, Public).  In the example below, we will be setting all folders for READ / EXECUTE and all files for READ.  In some environments, EXECUTE may not be required and should be avoided.

For many installations, there are specific files / folders that may need to have WRITE permissions.  Also, depending on your specific *Nix / Apache configuration, you may need to adjust the specific permissions to achieve the desired effect.

 

The FIND & CHMOD Commands 

First we need to connect via SSH to the web server.  On Windows, you can use a great tool called PuTTY.  Once connected, navigate to the folder that you wish to start your changes from.  In many cases, this will be /home/username/public_html.

All PHP File Permissions:
We search for Files (-type f) matching *.php (-name "*.php"), then execute CHMOD with the permission 0444 for each

find . -type f -name "*.php" -exec chmod 0444 {} \;

All HTML File Permissions:
We search for Files (-type f) matching *.html (-name "*.html"), then execute CHMOD with the permission 0444 for each

find . -type f -name "*.html" -exec chmod 0444 {} \;

All Folder Permissions:
We search for Folders (-type d), then execute CHMOD with the permission 0555 for each

find . -type d -exec chmod 0555 {} \;

 

Find folders that have write permissions on your hosting server recursively

find "$PWD/" -type d -exec ls -Ald {} \; | grep drwxr-xr-x

 

** Handling Exceptions **

Ok, now we've got some errors because some folders need WRITE permission so that the software can store images, logs, etc.

Navigate to the folder in question, for example /home/username/public_html/images

Then override your previous changes with a similar command, giving each folder the 0755 permission (Read / Execute / Owner-Write).

find . -type d -exec chmod 0755 {} \;
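
The steps above combined into one repeatable pass, with a check for anything left writable. This is an added example, not part of the original article: the function names `harden_webroot` and `list_writable` are hypothetical, and the exception folders are assumed to be given relative to the web root.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# harden_webroot ROOT [WRITABLE_DIR...]
#   *.php / *.html files -> 0444, all directories -> 0555, then each listed
#   directory (path relative to ROOT) and its subdirectories -> 0755.
harden_webroot() {
    root=$1
    shift
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }

    find "$root" -type f \( -name '*.php' -o -name '*.html' \) -exec chmod 0444 {} +
    find "$root" -type d -exec chmod 0555 {} +

    for rel in "$@"; do
        # Conservative check: absolute paths and anything containing ".."
        # are refused so an exception can never point outside ROOT.
        case $rel in
            /*|*..*) echo "refusing exception outside ROOT: $rel" >&2; continue ;;
        esac
        if [ -d "$root/$rel" ]; then
            find "$root/$rel" -type d -exec chmod 0755 {} +
        else
            echo "skipping missing exception: $rel" >&2
        fi
    done
}

# list_writable ROOT
#   Print every file or directory that still has a write bit set for
#   owner, group or other, so the remaining exceptions can be reviewed.
list_writable() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -200 -o -perm -020 -o -perm -002 \) -print | LC_ALL=C sort
}
```

Calling `harden_webroot /home/username/public_html images` and then `list_writable /home/username/public_html` shows exactly which paths remain writable; files that are neither *.php nor *.html keep their old mode and will appear in that list.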

 

CHMOD Octals Worksheet

0777 = 0UGO = (Zero), User, Group, Other

(R)ead = 4
(W)rite = 2
E(X)ecute = 1

If we want to know what 0754 means, we can do this!

0 = Ignore first digit - always Zero
7 = 4 + 2 + 1 or Read + Write + Execute
5 = 4 + 1 or Read + Execute
4 = 4 or Read

If we want to create the octal value, we can do this!

To solve for: 
U = Read + Execute
G = Read
O = Read

We would add:
U = 4 + 1 = 5
G = 4
O = 4

Then put a Zero (0) at the front, resulting in:
0544

 

 

