The myth of safe permissions

The lower the better?

The permission set 442 seems quite harmless, right? Very low numbers. However, this set of permissions grants write access to everyone on the server (remember, 2 means write access). Because PHP files are interpreted and executed as code, we give extreme power to anyone who can write to them.

Only the owner, if anyone, should have write access to PHP files.

On the other hand, 644 is quite a high number, but it’s considered one of the safest while still working in shared hosting environments. But again, if www-data is the owner, 644 is not much different from 666, which is almost the same as 777.
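The point above, that the same number is safe or unsafe depending on who owns the file, can be checked mechanically. The following audit sketch is an added example, not code from the original post; the function names, the sample tree and the uid values are constructed for illustration.

```python
import os
import stat
import tempfile

def server_can_modify(mode, owner_uid, group_gid, srv_uid, srv_gids):
    """Reason the server account can change the file, or None."""
    # Unix applies exactly one permission class: owner, else group, else other.
    if owner_uid == srv_uid:
        # The owner can always chmod the write bit back on, so ownership
        # by the server is flagged whatever the mode says.
        return "owner"
    if group_gid in srv_gids:
        return "group-writable" if mode & stat.S_IWGRP else None
    return "world-writable" if mode & stat.S_IWOTH else None

def audit(root, srv_uid, srv_gids, suffixes=(".php",)):
    """List (path, octal mode, reason) for scripts under root the server can modify."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            reason = server_can_modify(st.st_mode, st.st_uid, st.st_gid, srv_uid, srv_gids)
            if reason:
                findings.append((os.path.relpath(path, root), oct(stat.S_IMODE(st.st_mode)), reason))
    return findings

def demo():
    """Constructed sample tree: the same modes judged for two different server accounts."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("index.php", 0o644), ("low.php", 0o442), ("notes.txt", 0o666)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("<?php // constructed sample\n")
            os.chmod(path, mode)
        me = os.getuid()
        stranger = me + 12345  # assumed uid that owns nothing in the tree
        return {
            "server_is_other": audit(root, stranger, set()),
            "server_is_owner": audit(root, me, set()),
        }

if __name__ == "__main__":
    for case, rows in demo().items():
        print(case, rows)
```

When the server is an unrelated account, only the "low" 442 file is reported; when the server owns the files, the 644 file is reported as well.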

So what are the right permissions?

The right permissions are the minimum you need to get things working.

It’s not about numbers or combinations. What you don’t want is your server writing to your script files, especially PHP files.

There are many ways to achieve this, and it depends a lot on how much control you have over your hosting. If you have root shell access, you can do anything. If you are on a shared hosting plan, you must be more inventive.

In a shared hosting environment you can’t just set the owner of the files. Your FTP user is the owner of all the files, and all you can do is set permissions through your FTP client. The right permissions in such a case are 644 for most of the files and 755 for most of the folders. Some folders, however, must be writable by the server (cache, uploads, etc.). These folders should either have permissions 777 or be owned by the server. Anything less won’t work because the server must be able to enter the directory (execute), read the files (read) and write uploaded files (write).

There’s a way to make a directory be owned by the server. You have to run a script in your browser that will create it.

The script:

<?php
// ~/createdir.php
// Run by the web server, so the new directory is owned by the server user.
mkdir(__DIR__ . "/uploads", 0755);

That’s right: there’s just one line in the script. Or more lines if you will be creating more directories. The second argument is the permissions. If you will never need to access your uploads folder through FTP, you may also set that to 0700.

Upload this script to the parent folder and make the parent folder temporarily writable by the server (777). Navigate to the script in your browser. Check through FTP whether the directory was successfully created, and delete the script. Now set the parent folder back to what it was (presumably 755) and you’re done.

It’s not a bad idea to disable PHP scripts in directories writable by the server. You can do this with .htaccess; however, you won’t be able to write to the directory owned by the server. That’s why you should update the above script, so that it will create the .htaccess file for you:

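<?php
// ~/createdir.php
mkdir(__DIR__ . "/uploads", 0755);
// php_flag is only understood when PHP runs as an Apache module (mod_php).
file_put_contents(
    __DIR__ . "/uploads/.htaccess",
    "php_flag engine off\nOptions -Indexes\n"
);
// Only the server user (the owner) needs to read the .htaccess file.
chmod(__DIR__ . "/uploads/.htaccess", 0600);
echo "Uploads folder created with PHP and index disabled. "
   . "Don't forget to delete this script and change the permissions "
   . "of the parent folder back to 755.";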

In conclusion

It’s not just about permissions. For your scripts to be safe, you should understand what is happening, who has which rights and what these rights enable them to do.

In a follow-up post, I will write how to set up ownership and permissions on your WordPress installation.