Clarifying File Permissions for PHP Execution under Linux
I. File permissions and ownership
1. A file has three types of permissions: read (r), write (w) and execute (x). For convenience, each can be represented by a number (r = 4, w = 2, x = 1), so the numbers can be added or subtracted and a single digit identifies a file's permissions. For example, 7 = 4 + 2 + 1 means read, write and execute are all granted, 6 = 4 + 2 means read and write are granted but execute is not, and so on.
2. Think of RBAC permission management in web applications: Linux manages user permissions in a similar way. Each user has a user name and a user group. Generally, a group with the same name as the user is created at the same time.
Log in as root and create a directory and a file.
    # Create a directory
    mkdir abc
    # Create a file
    touch abc.txt
    # View
    ls -all
You will find:
    # Directories start with d and files start with -
    drwxr-xr-x 2 root root 4096 Jun 6 abc
    -rw-r--r-- 1 root root 0 Jun 6 abc.txt
First look at the permission string at the start of each line. Its first character is the type identifier. Remove it and split the rest into groups of three. Take the abc folder as an example: d | rwx | r-x | r-x
In the abc folder, the owner has rwx (7), the group has r-x (5), and other has r-x (5).
Similarly, the two names that follow are the owner and the group, that is, the owner of the abc folder is root and its group is root. At this point:
A. If the root user accesses the abc folder, it is treated as the owner and has permission 7.
B. If a new user named test whose user group is root accesses the abc folder, it is treated as group and has permission 5.
C. If a new user named test that is neither the owner nor in the root group accesses the abc folder, it is treated as other and has permission 5.
II. Roles of the various file permissions
I wanted to demonstrate this with tests, but that is too tedious, so here are the results directly. You can create a new user and modify the permissions to test this yourself.
A. Entering a directory, that is, the cd command, requires execute permission (x).
B. Viewing the files in a directory, that is, the ls command, requires read permission (r).
C. Creating and deleting folders/files in a directory, that is, the mkdir/touch commands, requires write permission (w).
Note that a directory's permissions affect only the level directly below it; deeper levels are not affected. Take the directory abc/sub/: if abc does not have the w permission but sub does, you can create a file in sub. Of course, abc also needs the x permission, otherwise you cannot enter it, let alone create anything. But as long as you can get in (for example, by switching to the root administrator), you are no longer affected by abc, only by sub.
In general, directories are given permission 5 (r-x), that is, read and execute. Only directories in which files need to be created, such as image upload or cache directories, are given permission 7 (rwx).
A. Opening a file, that is, the cat/vim commands, requires read permission (r).
B. Modifying a file, that is, opening it with vim and saving the change, requires write permission (w).
C. Executing a file, that is, running it directly as ./abc.out, requires execute permission (x).
Note that running PHP (or a shell script), whether from the command line or through the web server, is called "execution", but it really means the file is read into the PHP engine for parsing. Therefore it only needs read permission (r).
In general, files are given permission 4 (r), that is, read only. Only logs, caches and other files that need to be written to are given permission 6 (rw).
The statements above mention only single digits rather than 755, 777 or 644 because the permissions on your website directory say nothing by themselves about how they relate to the user that executes the code: that user may be the owner, in the group, or other.
III. PHP execution permissions
We need a user name to log in to Linux over ssh. Similarly, when PHP processes PHP files it also runs as some user. Where is that user created or defined? Generally, it is created when the PHP environment is installed. For example, an Apache or nginx installation creates a user and user group by default, and this user is the one that reads the PHP files. You can check the configuration file to confirm:
    # Apache, in the configuration file httpd.conf
    User www
    Group www
    # nginx, in the configuration file nginx.conf
    user www;
Or you can look at the processes by name:
    # View the apache processes
    ps -ef | grep httpd
    # View the nginx processes
    ps -ef | grep nginx
    # View the php-fpm processes
    ps -ef | grep php-fpm
Taking Apache as the example, this shows something like:
    root 1663 1 0 09:14 ? 00:00:00 /www/wdlinux/apache/bin/httpd   // master process
    www 1697 1663 0 ? 00:00:05 /www/wdlinux/apache/bin/httpd   // sub-process
    www 1698 1663 0 ? 00:00:05 /www/wdlinux/apache/bin/httpd
The first column shows which user is running each process; look mainly at the non-root lines. The output above shows that the www user runs the Apache processes that handle PHP files.
Note that if php-fpm is installed, you should also check the user name and user group that php-fpm runs as. (I do not have it installed, so I have not tried this.)
By default, it may be nobody, apache, or some other user and user group; in the examples above it has been changed to www. Next, run ls -all in the website directory to determine which user the website files belong to. Here are several situations to explain:
A. For example, the website ownership looks like this:
    drwxr-xr-x 2 www www 4096 Jun 6 10:23 system
    drwxr-xr-x 2 www www 4096 Jun 6 10:23 tmp
    -rw-r--r-- 1 www www 0 Jun 6 10:23 index.php
    ...
The website owner is www, and PHP runs as www, so PHP gets the owner permission. The 55 in the 755 of the system folder above plays no role at all. As long as the mode is 7xx, PHP gets 7 (rwx).
B. If the website ownership looks like this:
    drwxr-xr-x 2 test www 4096 Jun 6 10:23 system
    drwxr-xr-x 2 test www 4096 Jun 6 10:23 tmp
    -rw-r--r-- 1 test www 0 Jun 6 10:23 index.php
    ...
The website owner is test and the group is www, while PHP runs as user www with group www. PHP is in the same group, so it gets the group permission. The 7 and the last 5 in the 755 of the system folder above play no role. As long as the mode is x5x, PHP runs with permission 5 (r-x).
C. If the website ownership looks like this:
    drwxr-xr-x 2 test test 4096 Jun 6 10:23 system
    drwxr-xr-x 2 test test 4096 Jun 6 10:23 tmp
    -rw-r--r-- 1 test test 0 Jun 6 10:23 index.php
    ...
The website owner is test and the group is test, while PHP runs as user www with group www. There is no relation at all, so PHP gets the other permission. The 75 in the 755 of the system folder above plays no role. As long as the mode is xx5, PHP runs with permission 5 (r-x).
Therefore, you cannot simply change the permissions to 755, 644 or the like. You also need to identify the user that executes the program and the owner of the website files to determine the effective permission.
At present, many integrated environments set both the PHP execution user and the website directory owner to www to save time (lanmpv3, etc.). In that setup a newly created directory is usually 755 and a newly created file is 644, so when PHP executes, its permission on directories is 7 (it can create and delete files in every directory) and on files is 6 (it can write to every file). Is that safe? Normally, directories should be 5 and files should be 4 for the PHP user, with 7 set only where there is a special requirement. To achieve this, change the user and user group of apache/nginx, and change the owner and group of the website files, to ensure the security of your website.
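The class selection in cases A, B and C and the "directory 5, file 4" check above can be expressed as a short Python script. This is an added example, not code from the original article: the function names, the numeric uid/gid values for www and test, and the `allowed` parameter are assumptions for illustration, and it looks only at the classic mode bits (no ACLs, no root).

```python
import os
import stat

def effective_class(mode, owner_uid, owner_gid, uid, gids):
    """Return (class, 'rwx'-style string) that applies to a non-root process.

    Exactly one triplet is used: owner if the uid matches, otherwise group
    if one of the process's gids matches, otherwise other.
    """
    if uid == owner_uid:
        cls, shift = "owner", 6
    elif owner_gid in gids:
        cls, shift = "group", 3
    else:
        cls, shift = "other", 0
    bits = (mode >> shift) & 0o7
    perms = "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))
    return cls, perms

def audit_writable(root, uid, gids, allowed=()):
    """List (path, class, perms) under root that uid/gids can write to.

    Directory names in `allowed` (e.g. upload or cache) are skipped.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in allowed)
        for path in [dirpath] + [os.path.join(dirpath, f) for f in sorted(filenames)]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced
            cls, perms = effective_class(st.st_mode, st.st_uid, st.st_gid, uid, gids)
            if "w" in perms:
                findings.append((path, cls, perms))
    return findings

if __name__ == "__main__":
    WWW, TEST = 1001, 1002  # constructed uid/gid values for "www" and "test"
    # Cases A, B and C from the text: a 755 directory, PHP running as www:www.
    for label, owner, group in (("A", WWW, WWW), ("B", TEST, WWW), ("C", TEST, TEST)):
        print(label, effective_class(0o755, owner, group, WWW, {WWW}))
```

To audit a real site, pass the uid and group ids of the web server user (from `id www`) to `audit_writable` together with the document root.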
The above is just a basic permission description.