How do UNIX file permissions work?

From Joomla! Documentation

Unix/Linux file permissions can be confusing. The basic UNIX permissions come in three flavors:

Owner Permissions: Control your own access to files.
Group Permissions: Control access for you and anyone in your group.
Other Permissions: Control access for all others.

In Unix, when permissions are configured, the server allows you to define different permissions for each of these three categories of users. In a web server environment, permissions are used to control which website owners can access which directories and files.

What Do Unix Permissions Look Like?

When viewing your files through an FTP client or from the server's command line, an entry looks like this:

filename.php username usergroup rwx r-x r-x

The first entry is the name of the file, the next is your username on the server, the third is the group that you are a member of, and the last is the set of permissions assigned to this file (or directory). Notice that the permissions section has been intentionally spaced out: the 9 characters are grouped into three sets of three. This separation is key to how the permissions system works. The first set of three permissions (rwx) relates to the username seen above, the second set (r-x) relates to the usergroup seen above, and the final set (r-x) relates to anyone else who is associated with neither the username nor the group.

Owner (User) Relates to the User Name

The Owner (User) is normally you. These permissions will be enforced on your hosting account name.

Group Relates to the User Group

The Group permissions are enforced on other people who are in the same group as you. Within a hosting environment there are rarely other people in the same group as you, which protects your files and directories from being made available to anybody else who also has a hosting account on the same server.

Other Relates to Everyone Else

The Other permissions are enforced on anybody else on the server who is neither you nor a member of your group. So in a web serving environment, remembering that no-one else is normally in your group, this is everybody accessing the server except for you. Each of the three sets of permissions is defined in the following manner:

r = Read permissions
w = Write permissions
x = Execute permissions
Owner Group Other
r w x r w x r w x

Permissions are normally expressed as a numeric value, something like 755 or 644. How does this relate to what we have discussed above? Each character of the permissions is assigned a numeric value. This is assigned within each set of three, so we only need three values and reuse them for each set.

Owner Group Other
r w x r w x r w x
4 2 1 4 2 1 4 2 1

Now that we have a value that represents each permission, we can express them in numeric terms. The values are simply added together in the respective sets of three, which will in turn give us just three numbers that will tell us what permissions are being set. If we are told that a file has the permissions of 777, this means that the following is true.

Owner Group Other
r w x r w x r w x
4 2 1 4 2 1 4 2 1

Thus...

  4+2+1 4+2+1 4+2+1
=   7     7     7

The Owner of the file would have full Read, Write and Execute permissions. The group would also have full Read, Write and Execute permissions. The rest of the world can also Read, Write and Execute the file. The standard, default permissions that get assigned to files and directories by the server are normally:

Files = 644
Directories = 755

These permissions would allow, for files:

644 = rw- r-- r--
Owner has Read and Write
Group has Read only
Other has Read only

and for directories:

755 = rwx r-x r-x
Owner has Read, Write and Execute
Group has Read and Execute only
Other has Read and Execute only

Things can get a little complicated when we start talking about shared web servers. The web server software will be running with its own username and groupname. Most servers are configured to use either apache and apache or nobody and nobody as username and groupname. Here is the problem. Your web server runs as its own user, and this user is not you or in your group, so the first two sets of permissions do not apply to it. Only the world (other) permissions apply. Therefore, if you configure a permissions set similar to 640 on your website files, your web server will not be able to run your website files.

640 = rw- r-- ---
Owner has Read and Write
Group has Read only
Other has no rights

The web server is assigned no permissions at all and cannot Execute, Write or more importantly, even Read the file to deliver its content to a website visitor's browser. If a directory was to be assigned 750 permissions, this would have the same effect, because the web server does not even have permissions to read files in the directory, even if the files inside that directory had favorable permissions.

750 = rwx r-x ---
Owner has Read, Write and Execute
Group has Read and Execute
Other has no rights

Directories have an extra quirk: if a directory does not have the Execute permission set in the Other set, then even if Read and Write are set there, a program that is not running as the owner or as a member of the group will still not be able to access the files within the directory. On a directory, the Execute bit allows a program to enter (search) the directory, so without it the program (in our case the web server) cannot open the files inside, and thus cannot deliver your file to the user's web browser.
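The octal arithmetic and the owner/group/other rule above, including the directory Execute quirk, worked through as an added example that is not part of the Joomla! documentation (the user names "jsmith" for the site owner and "apache" for the web server are constructed for the example):

```python
# Added example, not from the Joomla! documentation. It models the rules
# above: symbolic <-> octal conversion, "exactly one set of three applies",
# and the directory Execute quirk. User names such as "jsmith" (site owner)
# and "apache" (web server) used with it are constructed.
BITS = {"r": 4, "w": 2, "x": 1}

def symbolic_to_octal(sym):
    """'rwx r-x r-x' or 'rwxr-xr-x' -> '755' (4+2+1, 4+1, 4+1)."""
    sym = sym.replace(" ", "")
    if len(sym) != 9:
        raise ValueError("expected nine permission characters")
    digits = []
    for i in (0, 3, 6):  # owner, group, other
        value = 0
        for ch, expected in zip(sym[i:i + 3], "rwx"):
            if ch == expected:
                value += BITS[ch]
            elif ch != "-":
                raise ValueError("unexpected character %r" % ch)
        digits.append(str(value))
    return "".join(digits)

def octal_to_symbolic(octal):
    """'640' -> 'rw-r-----'."""
    return "".join(
        ("r" if int(d) & 4 else "-") + ("w" if int(d) & 2 else "-") + ("x" if int(d) & 1 else "-")
        for d in octal
    )

def allowed(entry, user, groups, want):
    """entry = (octal mode, owner, group); want is 'r', 'w' or 'x'.
    Exactly one set of three is consulted: owner if the user owns the
    entry, else group if the user is in the owning group, else other."""
    mode, owner, group = entry
    digit = mode[0] if user == owner else mode[1] if group in groups else mode[2]
    return int(digit) & BITS[want] != 0

def can_read_file(dirs, file_entry, user, groups):
    """The directory quirk: every directory on the path must grant Execute
    (search) to the process, and the file itself must grant Read."""
    if not all(allowed(d, user, groups, "x") for d in dirs):
        return False
    return allowed(file_entry, user, groups, "r")

def web_server_can_read(dir_mode, file_mode, server_user="apache"):
    """Convenience: site owned by jsmith, one directory deep. With suExec
    the server runs as the owner, so pass server_user="jsmith"."""
    dirs = [(dir_mode, "jsmith", "jsmith")]
    return can_read_file(dirs, (file_mode, "jsmith", "jsmith"), server_user, {server_user})
```

With these helpers, a 750 directory blocks the apache user from a 644 file inside it, and a 640 file is unreadable to it even under a 755 directory, while the same layout is fine when the server runs as the owner.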

How Does this Relate to Joomla?

In the first instance this is important during the web installer process. If you remember when you ran the Joomla! web installer, it asked for specific directories to be designated as writable. We see quite a number of posts either stating that there were problems with permissions during the installation or asking what permissions are recommended. Some even consider the message asking for writable permissions to be too vague.

Unfortunately, as the web installer does not know how your server is configured, it cannot be more specific. Once you understand the permissions settings and know a little about web serving environments, you will find that the term writable is actually specific and a more than adequate description of what Joomla! needs. Thinking back to the above information, you may remember that there are three places where write permissions may be set:

Owner Writable
Group Writable
Other Writable

Also remember that the web server generally doesn't run as your own user or in the same group. When you run the web installer from a browser, it is the web server trying to access the files, thus it is the Other permissions that will apply to it. If the Other permissions do not allow the web server to Read, Write or Execute commands in the Joomla! directories, you will receive the message saying that the directories are not writable.

In this case, you will need to configure the Other permissions to be 7 on the directories listed in the web installer. So your total permissions might be something like 757; in the worst case you might need to set 777. These open permissions must be reset to 755 after the installer runs to secure your directories and files.

757 = rwx r-x rwx
Owner has Read, Write and Execute
Group has Read and Execute
Other has Read, Write and Execute

To make things more confusing, many hosting firms make use of software called phpsuExec or suExec. These tools change the way the web server runs: where the web server would not normally run as your username, in this case it does, so opening the Other permissions may not be required. You may then only need to configure directories to be writable by your own username and groupname. This allows directory permissions to be set as 755 or 775 instead of 757 or 777.

755 = rwx r-x r-x
Owner has Read, Write and Execute
Group has Read and Execute
Other has Read and Execute
775 = rwx rwx r-x
Owner has Read, Write and Execute
Group has Read, Write and Execute
Other has Read and Execute

The web server will still need Execute set in the Owner set, and Read and Execute set in the Group set, so that it can Read the files inside the directory. Again, these permissions may be demoted back to 755 after the web installer completes.

That covers the basics for directories; what about files? This is where things get a little simpler. Most of the files that Joomla! makes use of will be quite happy with the default 644 permissions.

644 = rw- r-- r--
Owner has Read, Write
Group has Read
Other has Read

This is valid if you do not have a need to write to the files from the web server. The same rules apply as for directories if you do have this need.

If your server needed directory permissions to be set to Other Writable for the install, then this file will probably also need to be 757 or 777. Leaving this file as 757 or 777 is dangerous though, as you are letting everyone have Write access; many website exploits take advantage of this fact, so in general it is not recommended to leave this file with these permissions.

If your web server has one of the SU tools installed and you only needed to configure 755 on directories for the installation, you will probably also only need to set 755 or 775 on this file to allow editing through the Admin interface, and these permissions are generally accepted as more secure than 757 or 777.

In conclusion, what permissions should be set for the Joomla! installation? As you can see, it depends!

In general, after the installation, any insecure 7 settings can be reset to something more secure. For example:

Files = 644
Directories = 755

These permissions would allow, for files:

644 = rw- r-- r--
Owner has Read and Write
Group has Read only
Other has Read only

and for directories:

755 = rwx r-x r-x
Owner has Read, Write and Execute
Group has Read and Execute only
Other has Read and Execute only

If you have SSH shell access, the following commands can be run from the command line to reset all files and directories back to the server defaults of 755 and 644. Change directory to the top directory of your Joomla! installation (the commands act on everything below the current directory, so do not run them from the filesystem root), then run:

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;

If you only have FTP access, this can be a time-consuming job. Unless you changed more directories during the installation than was requested, you should only need to reset about ten directories.

Keep in mind that to install any extensions or templates after the actual Joomla! installation you may need to elevate the default permissions again on the appropriate directories just for the installation period. You may then demote them after the extension is installed.

If you decide to use caching, the cache directory will need to be writable by the web server user to allow it to write its temporary files.