Understanding file and directory permissions

This article was posted in: Web Hosting

The theory behind chmod permissions

Your cPanel account is based on a server that runs a Linux operating system. The basic file permissions system allows you to apply specific permissions for three different Classes of access:

  • The user - this is your cPanel username.
  • The group - this is also your cPanel username - you get your own group (yay!)
  • other - everyone else in the world.

The available permissions for each of these entities are:

  • Read - allows the contents of the file to be read.
  • Write - allows the file to be written to and modified or deleted.
  • Execute - in the case of a file, it can be executed (like a CGI script). In the case of a directory, it allows the directory to be opened.

Therefore each file and directory has 9 permission flags, made up of 3 for the user, 3 for the group, and 3 for everyone else (other). This is explained graphically below (a picture always helps!)

Each of the 3 flags (Read, Write, eXecute) is represented by a number - 4 for Read, 2 for Write, and 1 for eXecute.

Some examples

When you hear us say that a file should be chmod 600, this means that:

  • User has permissions to Read and Write (4+2 = 6).
  • The Group has no additional permissions (0).
  • Other users (rest of the world) also have no permissions (0).

When you hear us say that a directory should be chmod 755, this means that:

  • User has permissions to Read and Write and Traverse (execute) the directory (4+2+1 = 7).
  • The Group has permissions to Read and Traverse (execute) the directory (4+1 = 5).
  • All Others have permissions to Read and Traverse (execute) the directory (4+1 = 5).

How the permissions affect files and directories differently

Understanding what Read, Write and Execute mean with regard to a file is pretty self-explanatory. However, what these permissions mean for directories, and for the files contained within them, is not always clear, so here goes.

In this example, let's suppose the files below are in the public_html/ directory and all files are set to the same user and group to keep it simple.

├── [drwxr-xr-x]  dir1
│   ├── [-rw-r--r--]  file1.txt
│   └── [drwx------]  dir3
│       └── [-rw-r--r--]  file3.txt
├── [drwxr-xr-x]  dir2
└── [-rw-r--r--]  file0.txt

If we were accessing this directory as Other (for example the way Apache accesses static files in your website [css, jpg, htm etc]) then we would be able to read file0.txt because it is in the home folder and is readable by Other (the rightmost 'r').

We would also be able to access and read file1.txt because the directory containing it (dir1) has the 'x' execute bit set for the Other user. At first you might think that it is the 'r' Read bit being set for Other on dir1 that allows you to read files in it, but this is not the case. For directories, the read bit only allows you to list a directory's files, NOT open them.

For the above reason we would not be able to read the contents of file3.txt. Although the file itself gives the Other user 'r' Read permissions, the parent directory gives no permissions to Other, so that's it - you're out!

In fact, every directory from the root path on the filesystem '/' all the way to the final parent directory of the destination file must allow execute permissions if you are to be able to read files from within it. Therefore under the following scenario we would still not be able to read file3.txt as the Other class.

├── [drwxr-xr--]  dir1
│   ├── [-rw-r--r--]  file1.txt
│   └── [drwxr-xr-x]  dir3
│       └── [-rw-r--r--]  file3.txt
├── [drwxr-xr-x]  dir2
└── [-rw-r--r--]  file0.txt

Even though dir3, which contains file3.txt, has the 'x' execute bit set for Other, we would never get this far, because dir1 does NOT have the 'x' bit set for Other. Therefore we would be unable to traverse the filesystem any further than the current working directory "." at the top.
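
The traversal rule above can be checked mechanically. The Python below is an added example, not part of the original article: it rebuilds both directory layouts in a temporary directory and reports the first component whose mode bits stop the Other class. The function names, the `start` parameter and the file contents are assumptions made for this illustration, and only mode bits are examined (no ownership or ACL checks).

```python
import os
import stat
import tempfile

FILES = ("file0.txt", "dir1/file1.txt", "dir1/dir3/file3.txt")

def first_block_for_other(path, start="/"):
    """Return the first component below `start` whose mode bits stop Other
    from reading `path`, or None. Assumes `path` lies below `start`."""
    start, path = os.path.realpath(start), os.path.realpath(path)
    rel = os.path.relpath(path, start)
    current = start
    # Every directory on the way down needs Other's 'x' (traverse) bit.
    for name in rel.split(os.sep)[:-1]:
        current = os.path.join(current, name)
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return current
    # The file itself needs Other's 'r' bit.
    if not os.stat(path).st_mode & stat.S_IROTH:
        return path
    return None

def build_tree(root, dir1_mode, dir3_mode):
    """Recreate the article's layout under `root` (constructed sample data)."""
    os.makedirs(os.path.join(root, "dir1", "dir3"))
    os.mkdir(os.path.join(root, "dir2"))
    for rel in FILES:
        full = os.path.join(root, rel)
        with open(full, "w") as fh:
            fh.write("sample\n")
        os.chmod(full, 0o644)                       # -rw-r--r--
    os.chmod(os.path.join(root, "dir2"), 0o755)     # drwxr-xr-x
    os.chmod(os.path.join(root, "dir1", "dir3"), dir3_mode)
    os.chmod(os.path.join(root, "dir1"), dir1_mode)

def check_scenarios():
    """Map (scenario, file) -> blocking component relative to the tree root."""
    results = {}
    # first: dir1 rwxr-xr-x, dir3 rwx------ ; second: dir1 rwxr-xr--, dir3 rwxr-xr-x
    for label, dir1_mode, dir3_mode in (("first", 0o755, 0o700), ("second", 0o754, 0o755)):
        with tempfile.TemporaryDirectory() as tmp:
            root = os.path.realpath(tmp)
            build_tree(root, dir1_mode, dir3_mode)
            for rel in FILES:
                hit = first_block_for_other(os.path.join(root, rel), root)
                results[(label, rel)] = hit and os.path.relpath(hit, root)
    return results

if __name__ == "__main__":
    print(check_scenarios())
```

In the second layout the check also reports file1.txt as blocked at dir1, since removing the 'x' bit from dir1 cuts off everything beneath it, not just file3.txt.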