Home / server / Questions / 52579
Accepted
Ankur
Asked: 2009-08-11 23:37:32 +0800 CST

Unix setting permissions on an entire folder

  • 772

This is a noob question.

I am in a folder called images - none of which show up on my website. I believe the permissions are not set correctly.

What do I do to set them correctly so that they will show up. What permisions do I give, and how do I do that, do I navigate up a level first ? Can I set them all in one go?

Thanks.

unix permissions

7 Answers

  1. Best Answer

    I would recommend the find command for setting permissions:

    To make all directories search-able and readable by everyone by everyone (see this link for Unix directory permissions, the permissions have different meanings from files):

    sudo bash -c "find /var/www/root/images -type d -print0 | xargs -0 chmod oga+rx"

    For the files:

    sudo bash -c "find /var/www/root/images -type f -print0 | xargs -0 chmod oga+r"

    And to make sure nobody members of group all can't write to anything:

    sudo bash -c "find /var/www/root/images -type f -print0 | xargs -0 chmod a-w"

    The reason I set the permissions of the owner, group, and all is because even if all has read permission, if the owner doesn't, the owner won't be able to read the file.

    Execute is permission 'x' is generally refereed to as 'search' permissions when used with directories. You will also need search permission on all the directories up to the root, from the above link about directory permissions:

    Search permission is required in many common situations. Consider the command "cat /home/user/foo". This command clearly requires read permission for the file foo. But unless you have search permission on /, /home, and /home/user directories, cat can't locate the inode of foo and thus can't read it! You need search permission on every ancestor directory to access the inode of any file (or directory), and you can't read a file unless you can get to its inode.

    So in my example, you will need search (+x) permission on /var, /var/www, /var/www/root, etc as well.

    Don't use a+rX, sorry to put it in a post, but I need to code tags a don't know how to use them in a comment. The following doesn't only effect directories, it can effect files as well if a user already has execute permission.

     chmod -R a+rX images

    Example:

    [kbrandt@kbrandt-opadmin: ~/scrap/X] touch XnotOnlyDirectories     
[kbrandt@kbrandt-opadmin: ~/scrap/X] ls -l                         
total 0
-rw-rw-r-- 1 kbrandt kbrandt 0 2009-08-11 06:29 XnotOnlyDirectories
[kbrandt@kbrandt-opadmin: ~/scrap/X] chmod u+x XnotOnlyDirectories
[kbrandt@kbrandt-opadmin: ~/scrap/X] ls -l                         
total 0
-rwxrw-r-- 1 kbrandt kbrandt 0 2009-08-11 06:29 XnotOnlyDirectories
[kbrandt@kbrandt-opadmin: ~/scrap/X] cd ..                         
[kbrandt@kbrandt-opadmin: ~/scrap] chmod -R a+rX X                 
[kbrandt@kbrandt-opadmin: ~/scrap] ls -l X                         
total 0
-rwxrwxr-x 1 kbrandt kbrandt 0 2009-08-11 06:29 XnotOnlyDirectories

    From the chmod man page:

    execute/search only if the file is a directory or already has execute permission for some user (X)

    When it comes to Apache:
    There is no definitive right way that I am aware of, you can use the permissions I have set and run Apache as the user nobody, or you can user a group or user for apache such as 'apache' or 'www-data'. See this link. If go the nobody route, make sure nobody has the right userid:

    [kbrandt@kbrandt-opadmin: ~/scrap] id nobody                       
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
    • 4

  2. Use the following command

     chmod -R a+rX images

    -R: makes the command run recursively, traversing all directories under it.

    a+rX: makes the files readable by everyone, and directories "enterable" by everyone. The capital X gives the execute permission only to directories, not regular files. (edit: unless the files already have execute permission for some user)

    images: name of the folder, you can give a full path like /home/user/public_html/images

    By the way you cannot chown a file unless you are root (edit: or the chown binary suid root)

    • 2

  3. use chmod command with -R parameter to do the action recursively. man chmod command will show you the help.

    • 1

  4. Don't forget to chown the files to the correct website owner account/group as well. if you copied it using root account for instance, the webserver most likely won't have access to the files. Set image file permission to 644 using chmod.

    Use -R te recurse subdirectories.

    • 1

  5. (I'll try to explain the WHY, not just the how)

    You have two issues to deal with: ownership and permissions.

    There are two kinds of ownership: user, and group. Good web administration leaves the web server owned by "nobody" (or equivalent) and the files it displays owned by the web administrator. The group ownership and be the web administration group, if more than one person, or just the default group of the web admin user.

    There are three kinds of permissions: user, group and world. Each RWX in the ls -l command gives the read, write and execute permissions of the user first, then group, then world.

    If you are serving up pictures to everyone and anyone, setting world read access to your images directory and the images themselves will solve your problem without bothering with ownership. If the images are restricted to logged-in members only, world r/w/x should be turned off (appear as --- in ls -l )

    At a minimum, the web admin user should have read/write access to the images, or rwx . (There are exceptions for locked-down, managed websites, but I have a feeling this is not the case here).

    When you are done, your ownership permissions should look like this:

    chmod 774 *.jpg
rwxrwxr--   webadmin  webgroup   # Allow web admin and group to modify, everyone to view


chmod 744 *.jpg
rwxr--r--   webadmin  webgroup   # Allow only web admin to modify, everyone to view

chmod 740 *.jpg
rwxr-----   webadmin  webgroup   # Allow only web admin to modify, only him and webgroup to view, this means web server must be in webgroup.

chmod 740 *.jpg
chgrp nobody *.jpg
rwxr-----   webadmin nobody      # If apache user is nobody/nobody, this is better
    • 1

  6. You might want to check out chown instead of chmod. Chown == Change OWNership which should be used and files given permissions of the user that is serving the service. httpd generally runs under www-data or httpd user and group on most modern linux distros.

    • 0

  7. You don't mention if you're regularly adding files to this folder.

    I've found that if a folder is regularly added to then setting the group sticky bit to the folder corrects things without thinking.

    Eg having group ownership set as the webserver group and group read/sticky permissions on the folder means that new files get set to that group and readable. If there's a team managing the folder then group write also helps.

    Doesn't always work when moving files into a folder though.

    • 0