Secure file permissions

From ULYSSIS documentation
Revision as of 23:13, 6 June 2024 by Arnodb (talk | contribs)

PHP code is run with PHP-FPM as your ULYSSIS user. This means you can tighten up you website's security by denying other users the permission to read your PHP files. However, due to the way the Apache webserver works, it must be able to determine the existence of your PHP files. Non-PHP files in your www directory must remain readable by other users, because Apache reads these as it's own user.

Recommended permissions

  • www directory (and other directories from where websites are served), including subdirectories: 0705/drwx---r-x
  • Static website files (css, images, html, ...): 0604/-rw----r--
  • Configuration files containing secrets/passwords: 0600/-rw-------
  • Other directories and files that are not part of a website: 0600/-rw------- or 0700/-rwx------

Securing configuration files containing secrets/passwords

If you have any files that you want to protect from the prying eyes of other users, such as API keys, first you need to ensure that the directory containing your important file, is not writeable by other users. This is easiest to do by creating a new directory, dedicated to housing your protected files. For this you can run mkdir safe, followed by chmod 700 safe and finally moving the file into the safe directory. Then you can make your file readable and writeable solely by you. To do this you run chmod 600 safe/name_of_file.

In Cyberduck, you can do this by making a new directory, right-clicking on it, clicking on "Info", clicking on the "Permissions" tab, and changing the permissions so that for "Owner", all the boxes ("Read", "Write" and "Execute") are ticked and for "Group" and "Other", no boxes should be ticked. Next you can move the protected file into the safe directory. Once you go into the safe directory, you can then finish by right-clicking on the secret file, clicking on "Info", clicking on the "Permissions" tab, and changing the permissions according to the following screenshots:

Config-php-dropdown.png

Config-php-permissions.png


Securing database login info

Suppose you have a file called config.php, containing login information for your database. To secure this information, you can make it readable and writeable by only you, and nobody else using chmod 600 config.php. In Cyberduck, you can do this by right-clicking on the config file, clicking on "Info", clicking on the "Permissions" tab, and changing the permissions according to the following screenshots:

Config-php-dropdown.png

Config-php-permissions.png

Securing uploads directory

Also, if there are directories that you made writeable by others, e.g. an uploads folder, this is no longer necessary. If this directory is called uploads, you can remove write rights for others with chmod go-w uploads. In Cyberduck, you can do this by right-clicking on the config file, clicking on "Info", clicking on the "Permissions" tab, and changing the permissions according to the following screenshots:

Uploads-dropdown.png

Uploads-permissions.png