I'm on a shared host, and a bit confused about file permissions:
- My website directory /home/user/www is owned by user:nobody
- Everything inside /home/user/www is owned by user:user (?)
Most people would tell me I have to do the following (summarized):
chown -R user:nobody /home/user/www
find /home/user/www -type d -exec chmod 750 {} \;
find /home/user/www -type f -exec chmod 640 {} \;
But I can't `chown' anything, and since files will be owned by user:user, I don't know what the permissions should be.
I noticed I can chmod 600 some PHP scripts, while CSS stylesheets need to be world readable..?
I'm looking for the best security approach in this case! And please don't tell me I need to move to a dedicated server: why would I ask any question then!?
The files in the site
www
subdirectory should be readable by the effective user-id of the running web-server. The Apache web-server often runs as user nobody, group nobody or user www-data, group www-data. So this user or group needs read permissions.If the PHP scripts write to files, those files need to be writeable by the effective user-id of the running Apache service.
How exactly this is arranged depends on your hosting provider.
If the site is public and the scripts contain no passwords, no exploitable security loopholes (e.g. race conditions), it may be OK to give world-read permissions. I would aim to have all files owned by your personal user-id, not by a user "nobody" or "user". Only you should have write permissions on files in the www subdirectory (and it's subdirectories). Even if your site contains no personal or valuable data - you don't want it to become taken over by fraudsters or spammers.
A couple of useful resources are