deadimp

[web] FTP (& HTTP?) File permissions - PHP, Mac


What exactly does each level of file permissions do (coming from either Owner, Group, and Public)? To word it better, what does each level entail? I ask this because on a server (on Mac OS X 10), I've disabled all Public options (so that the mode is 770), yet I can still view the file using a web browser. Also, how do I know what level of access is needed for PHP scripts (running as a server module)? In order to write to a file on the server via a script, I have to make sure that Group has Write enabled. NOTE: Using FileZilla 2.2.31 to change/view attributes

Quote:

What exactly does each level of file permissions do (coming from either Owner, Group, and Public)?


I don't know about OS X 10, but if it's similar to Unix, then for a directory, the "read" right is the capacity to see the names of files directly under that directory, "write" is the right to add and remove files directly under that directory, "execute" is the right to do a "cd" to the directory.

For a file, I guess you know what read/write/execute all mean. I described the rights for the directory explicitly to make you notice it's possible to remove a read-only file.

Then there are these three sets of permissions, "owner", "group" and "other". Each file and directory has an owner and a group.

When the owner tries to access a file/directory, the permissions in the "owner" set are used.
For someone other than the owner who belongs to the group of the file, it's the "group" set that is used.
Otherwise, the permissions in the "other" set are used.

There are other complications such as the set_uid bits, ACLs which I don't describe here.

Quote:

I've disabled all Public options (so that the mode is 770), yet I can still view the file using a web browser.

What do you mean by "view the file"? Visualize its content, or see its name appear in a directory listing?
If it's the former, then your web server must be running with a user id which happens to be the owner of the file, or under another user id who belongs to the group of the file.
If it's the latter, then that's also possible if the directory containing the file has its "read" permission set for "other".

I understand the concepts of read, write, and execute, but I don't know who exactly Owner, Group, and Public are.
Is Owner the server administrator, the user in the FTP account? Is Group the user/application accessing the file/directory? Is Public anyone who tries to download the file ("view the file") via normal HTTP?
[Sorry I didn't word it better before]

Quote:
"execute" is the right to do a "cd" to the directory

Why would you need explicit permission to change the directory when you're able to view it?

Quote:
Original post by deadimp
I understand the concepts of read, write, and execute, but I don't know who exactly Owner, Group, and Public are.
Is Owner the server administrator, the user in the FTP account? Is Group the user/application accessing the file/directory? Is Public anyone who tries to download the file ("view the file") via normal HTTP?
[Sorry I didn't word it better before]


I think what you have to understand is that each process (i.e. a program being executed) has a user id and group id, typically those of the user who started the process.
Then each file/directory also has a user id and group id.
If the file's uid matches the process' uid, then the Owner permissions are considered.
Otherwise if the file's gid matches the process' gid, then the Group permissions are considered.
Otherwise the Public permissions are used.

I don't know about how your system is set up, but usually the uid of the http server is "root" (dangerous), "nobody" or "http" (more secure).

You should be able to pick up things from there, otherwise just ask again :)

Quote:

Quote:
"execute" is the right to do a "cd" to the directory

Why would you need explicit permission to change the directory when you're able to view it?


In order to e.g. see the content of its subdirectories, or the content of files in this directory.

Quote:
In order to e.g. see the content of its subdirectories, or the content of files in this directory

Isn't that the function of read?

Most of my questions were answered, I'm just still not sure about the permission structure with the Mac's server.
Thanks for the help!

Check out what user and group the webserver is running. If you're running Apache then look in the httpd.conf file. If the webserver's user is in the group that is specified on the file, then the second number from 770 is used. That's a 7 so it's allowed to do everything.
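
The selection rule described in the replies above, written out as an added example (not code from any poster in this thread). The uid/gid numbers are constructed, supplementary group membership is assumed to count as a group match, and root's override and ACLs are ignored.

```python
import stat

# Permission bits for each of the three sets, in r, w, x order.
_BITS = {
    "owner": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    "group": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    "other": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
}

def permission_class(file_uid, file_gid, proc_uid, proc_gids):
    """Pick the single set that applies; the first match wins."""
    if proc_uid == file_uid:
        return "owner"
    if file_gid in proc_gids:      # primary or supplementary group (assumption)
        return "group"
    return "other"

def effective_rights(mode, file_uid, file_gid, proc_uid, proc_gids):
    """Return (set name, 'rwx'-style string) for one process and one file."""
    cls = permission_class(file_uid, file_gid, proc_uid, proc_gids)
    rights = "".join(c if mode & bit else "-"
                     for c, bit in zip("rwx", _BITS[cls]))
    return cls, rights

def directory_abilities(rights):
    """Translate rwx on a directory into the abilities named in the thread."""
    return {
        "list_names": rights[0] == "r",      # see names of entries
        "add_remove": rights[1] == "w",      # create/delete entries
        "enter_or_reach": rights[2] == "x",  # cd into it, reach files inside
    }

# Constructed sample: file owned by FTP user 501, group 70, mode 770.
FTP_UID, WWW_GID = 501, 70

if __name__ == "__main__":
    # Web server running under a user whose group is 70: Group set applies.
    print(effective_rights(0o770, FTP_UID, WWW_GID, 70, {70}))
    # Web server running as an unrelated user: Public/other set applies.
    print(effective_rights(0o770, FTP_UID, WWW_GID, 99, {99}))
    # Owner is judged by the owner set only, even if group bits allow more.
    print(effective_rights(0o077, FTP_UID, WWW_GID, FTP_UID, {WWW_GID}))
    # Directory readable but not executable for "other".
    print(directory_abilities(
        effective_rights(0o754, FTP_UID, WWW_GID, 99, {99})[1]))
```

The first case is the 770 situation from the original question: the file is still served because the web server process falls in the Group set, not the Public one.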
