Secure file permissions: Difference between revisions

From ULYSSIS documentation
(Created page with "PHP code is run with PHP-FPM as your ULYSSIS user. This means you can tighten up you website's security by denying other users the permission to read your PHP files. However,...")
 
No edit summary
Line 3: Line 3:
=== Recommended security settings ===
=== Recommended security settings ===


* Homedirectory: <code>0701/drwx-----x</code>  
* Homedirectory: <code>0701/drwx-----x</code>  
* www directory (and other directories from where websites are served): <code>0705/drwx---r-x</code>
* www directory (and other directories from where websites are served): <code>0705/drwx---r-x</code>
* Website files (css, images, html, ...): <code>0604/-rw----r--</code>
* Website files (css, images, html, ...): <code>0604/-rw----r--</code>
* Configuration files containing secrets/passwords: <code>0600/-rw-------</code>
* Configuration files containing secrets/passwords: <code>0600/-rw-------</code>
* Other directories and files that are not part of a website: <code>0600/-rw-------</code> or <code>0700/-rwx------</code>
* Other directories and files that are not part of a website: <code>0600/-rw-------</code> or <code>0700/-rwx------</code>


=== Securing database login info ===
=== Securing database login info ===

Revision as of 10:22, 16 July 2018

PHP code is run with PHP-FPM as your ULYSSIS user. This means you can tighten up you website's security by denying other users the permission to read your PHP files. However, due to the way the Apache webserver works, it must be able to determine the existence of your PHP files. Non-PHP files in your www directory must remain readable by other users, because Apache reads these as it's own user.

Recommended security settings

  • Homedirectory: 0701/drwx-----x
  • www directory (and other directories from where websites are served): 0705/drwx---r-x
  • Website files (css, images, html, ...): 0604/-rw----r--
  • Configuration files containing secrets/passwords: 0600/-rw-------
  • Other directories and files that are not part of a website: 0600/-rw------- or 0700/-rwx------

Securing database login info

Suppose you have a file called config.php, containing login information for your database. To secure this information, you can make it readable and writeable by only you, and nobody else using chmod 600 config.php. In FileZilla, you can do this by right-clicking on the config file, clicking on "File permissions...", and changing the permissions according to the following screenshots:

Config-php dropdown.png Config-php attrs.png

Securing uploads directory

Also, if there are directories that you made writeable by others, e.g. an uploads folder, this is no longer necessary. If this directory is called uploads, you can remove write rights for others with chmod go-w uploads. In FileZilla, you can do this by right-clicking on the config file, clicking on "File permissions...", and changing the permissions according to the following screenshots:

Uploads dropdown.png Uploads attrs.png