Secure file permissions: Difference between revisions

From ULYSSIS documentation
No edit summary
 
(15 intermediate revisions by 4 users not shown)
Line 1: Line 1:
PHP code is run with PHP-FPM as your ULYSSIS user. This means you can tighten up you website's security by denying other users the permission to read your PHP files. However, due to the way the Apache webserver works, it must be able to determine the existence of your PHP files. Non-PHP files in your www directory must remain readable by other users, because Apache reads these as it's own user.
PHP code is run with PHP-FPM as your ULYSSIS user. This means you can tighten up you website's security by denying other users the permission to read your PHP files. However, due to the way the Apache webserver works, it must be able to determine the existence of your PHP files. Non-PHP files in your www directory must remain readable by others, because Apache reads these as its own user.


=== Recommended permissions ===
=== Recommended permissions ===


* Homedirectory: See [[#Homedirectory permissions | homedirectory]]
* www directory (and other directories from where websites are served), including subdirectories: <code>0705/drwx---r-x</code>
* www directory (and other directories from where websites are served), including subdirectories: <code>0705/drwx---r-x</code>
* Website files (css, images, html, ...): <code>0604/-rw----r--</code>
* Static website files (css, images, html, ...): <code>0604/-rw----r--</code>
* Configuration files containing secrets/passwords: <code>0600/-rw-------</code>
* Configuration files containing secrets/passwords: <code>0600/-rw-------</code>
* Other directories and files that are not part of a website: <code>0600/-rw-------</code> or <code>0700/-rwx------</code>
* Other directories and files that are not part of a website: <code>0600/-rw-------</code> or <code>0700/-rwx------</code>
=== Home directory security ===
For the permissions mentioned above to fully work, it is important for the parent directories to have the correct permissions. Our system already gives your home directory the correct permissions for this. Other users cannot read your files, or even find out what files exist. Even in case you mistakingly give everyone every permission to one of your files, only you can access it, because others do not have permission to go into your home directory.
{{notice|Important|If you have any secret files in your www directory, it may be publicly accessible via your website! Therefore, please make sure any files you want to protect are not in the www directory.}}


=== Securing database login info ===
=== Securing database login info ===


Suppose you have a file called <code>config.php</code>, containing login information for your database. To secure this information, you can make it readable and writeable by only you, and nobody else using <code>chmod 600 config.php</code>. In FileZilla, you can do this by right-clicking on the config file, clicking on "File permissions...", and changing the permissions according to the following screenshots:
Suppose you have a file called <code>config.php</code>, containing login information for your database. To secure this information, you can make it readable and writeable by only you, and nobody else using <code>chmod 600 config.php</code>. In Cyberduck, you can do this by right-clicking on the config file, clicking on "Info", clicking on the "Permissions" tab, and changing the permissions according to the following screenshots:


[[File:config-php_dropdown.png]]
[[File:Config-php-dropdown.png]]
[[File:config-php_attrs.png]]
 
[[File:Config-php-permissions.png]]


=== Securing uploads directory ===
=== Securing uploads directory ===


Also, if there are directories that you made writeable by others, e.g. an uploads folder, this is no longer necessary. If this directory is called <code>uploads</code>, you can remove write rights for others with <code>chmod go-w uploads</code>. In FileZilla, you can do this by right-clicking on the config file, clicking on "File permissions...", and changing the permissions according to the following screenshots:
Also, if there are directories that you made writeable by others, e.g. an uploads folder, this is no longer necessary. If this directory is called <code>uploads</code>, you can remove write rights for others with <code>chmod go-w uploads</code>. In Cyberduck, you can do this by right-clicking on the config file, clicking on "Info", clicking on the "Permissions" tab, and changing the permissions according to the following screenshots:
 
[[File:Uploads-dropdown.png]]


=== Homedirectory permissions ===
[[File:Uploads-permissions.png]]
In order to prevent other users entirely from accessing files in your homedirectory, the permissions on your homedirectory should only allow yourself and the www-data user access. This is by default configured properly for you from the 29th of July, 2018 onward. Note that you should still follow the guidelines as detailed above. If you have changed your permissions on your homedirectory and want to restore the defaults, you can execute <code>nfs4_setfacl -s /home/user/acl ~</code>. The file <code>/home/user/acl</code> contains the default permissions.


[[Category:Files]]


[[File:uploads_dropdown.png]]
[[Category:Security & anti-spam]]
[[File:uploads_attrs.png]]

Latest revision as of 08:13, 11 June 2024

PHP code is run with PHP-FPM as your ULYSSIS user. This means you can tighten up you website's security by denying other users the permission to read your PHP files. However, due to the way the Apache webserver works, it must be able to determine the existence of your PHP files. Non-PHP files in your www directory must remain readable by others, because Apache reads these as its own user.

Recommended permissions

  • www directory (and other directories from where websites are served), including subdirectories: 0705/drwx---r-x
  • Static website files (css, images, html, ...): 0604/-rw----r--
  • Configuration files containing secrets/passwords: 0600/-rw-------
  • Other directories and files that are not part of a website: 0600/-rw------- or 0700/-rwx------


Home directory security

For the permissions mentioned above to fully work, it is important for the parent directories to have the correct permissions. Our system already gives your home directory the correct permissions for this. Other users cannot read your files, or even find out what files exist. Even in case you mistakingly give everyone every permission to one of your files, only you can access it, because others do not have permission to go into your home directory.

NoticeImportant

If you have any secret files in your www directory, it may be publicly accessible via your website! Therefore, please make sure any files you want to protect are not in the www directory.



Securing database login info

Suppose you have a file called config.php, containing login information for your database. To secure this information, you can make it readable and writeable by only you, and nobody else using chmod 600 config.php. In Cyberduck, you can do this by right-clicking on the config file, clicking on "Info", clicking on the "Permissions" tab, and changing the permissions according to the following screenshots:

Config-php-dropdown.png

Config-php-permissions.png

Securing uploads directory

Also, if there are directories that you made writeable by others, e.g. an uploads folder, this is no longer necessary. If this directory is called uploads, you can remove write rights for others with chmod go-w uploads. In Cyberduck, you can do this by right-clicking on the config file, clicking on "Info", clicking on the "Permissions" tab, and changing the permissions according to the following screenshots:

Uploads-dropdown.png

Uploads-permissions.png