|
|
 |
|
|
 |
 |
|
|
|
Tutorial: Preventing access to your directories
On UNIX type operating systems, all files and directories have a set of permissions that control who can do what with a file or directory.
This set of permissions is divided in three different settings which indicate what the "Owner", the "Group" and "Other[s]" can do with your file.
The "Owner" is you, "Other" is other people on the same server, and "Group" is a group of users that a system administrator can assign
(all users on a UNIX system belong to a "group" that have certain privileges). Each of these settings are subdivided in seven more settings,
which indicate "write", "read" or "execute" permissions. These settings are assigned numbers, which will be explained below.
When you create a directory or file (or upload it), its default settings are:
- Owner: read, write, execute
- Group: read and execute
- Other: read and execute
This means that other users on the same server can at least read your website files and execute CGIs on your directory. Don't worry, this is not
a security concern as they can't delete or modify files.
Note: Users on the server can't do this through FTP, only through Telnet.
Sometimes, you may want to change permissions to either block or open access to your directories. Permission changes can be done
with the command "chmod", and it can be done through Telnet or through FTP (most FTP clients can do this. Check their help file for more info).
For example, to give yourself total access to a file or directory, but absolutely no access to anyone else, the permission you would have to set is permission
700 (numbers to be explained below). The first number is the "Owner" permission, the second one is the "Group" permission and the third one is the
"Other" permission.
Warning: the webserver operates as a "Other" user. So any directory you block from local users will also not be
viewable by users through the web. There is one exception to this: the webserver acts as "Owner" when accessing files from the /cgi-bin/ directory.
This means that you can set such directory and its files to permissions 700, and the webserver could still execute and access files in it. This
has security benefits: your CGIs usually contain confidential information, so you can block access to them to everybody.
Here are the numbering scheme for permissions:
4: read permission
2: write permission
1: execute permission
Combinations of those would be:
7: read, write and execute (4+2+1)
6: read and write (4+2)
5: read and execute (4+1)
And on and on...
So, permission 755 would be:
Owner (7): read, write and execute
Group (first 5): read and execute
Other (second 5): read and execute
Permissions 755 is the default permission given to any file or directory that you create.
File/dir permissions can also be set individually, and through a different method that is easier to most. The command:
chmod g+x file
gives "executable (x)" rights to the "Group" permission. More examples would be:
chmod o-x file (removes execute permissions to "Other")
chmod u+r file (adds read permission to user/owner)
chmod a+x file (give executable rights to all)
And this ends our short tutorial on file/dir permissions. For more information on the chmod command
itself, enter the command "man chmod" on your
account's shell.
Note: you can also password protect a directory. Check our support section for information on
setting up a password protected directory.
|
|
|
|
10 May 2004
