File permissions when PHP executes under Linux

Source: Internet
Author: User
Tags: root access
The following article explains how Linux file permissions apply when PHP executes. It is shared here as a reference for everyone; let's take a look.

I. File permissions and ownership

1. A file has three kinds of permission: read (r=4), write (w=2) and execute (x=1). For convenience each is represented by a number, and the numbers are added so that a single digit identifies a file's permissions. For example, 7=4+2+1 means read, write and execute are all present; 6=4+2 means read and write but not execute; and so on.

2. By analogy with RBAC rights management in a web application, Linux manages users the same way: a user has a user name and a user group, and creating a user normally creates a group with the same name.

Log in as root, create a new directory and a new file, then list them:

    # create a directory
    mkdir abc
    # create a file
    touch abc.txt
    # view
    ls -al

In the listing you will find that a line starting with d is a directory, one starting with - is a regular file, and one starting with l is a link. For example:

    drwxr-xr-x  2 root root 4096 June 6 10:23 abc
    -rw-r--r--  1 root root    0 June 6 10:23 abc.txt

First look at the permission string at the start of each line. Remove the first character (the type), then read the rest in groups of three. Taking the abc folder as an example: d | rwx | r-x | r-x

So for the abc folder the owner has rwx (7), the group has r-x (5), and others have r-x (5).

The two names that follow on the same line are the owner's user name and the owning group: the abc folder is owned by root and its group is root. Therefore:

a. If the root user accesses the abc folder, it counts as the owner and has permission 7.

b. If a new user named test whose group is root accesses the abc folder, it counts as the group and has permission 5.

c. If a new user named test whose group is test accesses the abc folder, it counts as other and has permission 5.

II. What each permission allows

I originally wanted to demonstrate this with tests, but that is too tedious, so I will state the results directly. You can create a new user yourself and then change the permissions to test it.

1. Directories

a. Entering a directory (the cd command) requires execute permission (x).

b. Listing the files in a directory (the ls command) requires read permission (r).

c. Creating or deleting a directory or file inside it (mkdir/touch name) requires write permission (w).

Note that a directory's permissions only affect its direct children, not deeper levels. Take a directory abc/sub/: if abc lacks w permission but sub has it, you can still create a file in sub. Of course, abc must have x permission, otherwise you cannot enter it, let alone create anything inside; but once you can get in (for example by switching to root), abc no longer matters and only sub's permissions apply.

Normally a directory is given 5 (r-x), that is, read and execute; only directories in which files must be created, such as image upload or cache directories, are given 7 (rwx).

2. Files

a. Opening a file, for example with cat or vim, requires read permission (r).

b. Modifying a file, that is, opening it and saving with vim, requires write permission (w).

c. Executing a file directly, for example ./abc.out, requires execute permission (x).

One point needs explaining: running a PHP file (or a shell script passed to its interpreter, etc.), whether from the command line or through the web server, is called "execution", but what actually happens is that the file is read into the PHP interpreter and parsed, so read permission (r) is enough.

Normally a file is given 4 (r), that is, read permission; only files that must be written to, such as logs and caches, are given 6 (rw).

The reason for describing individual permissions rather than 755, 777 or 644 is that the relationship between your site directory's permissions and the user executing PHP is not fixed: at execution time that user may be the owner, a member of the group, or other.

III. The user under which PHP executes

Just as our own SSH connection to Linux requires a user name in order to log in and operate, PHP also handles PHP-related files as some user. That user is created or defined when the PHP environment is installed: for example, Apache, nginx and similar environments create a user and group by default, and PHP reads files as that user. Check the configuration file to confirm:

    # Apache, in the config file httpd.conf
    User www
    Group www
    # nginx, in the config file nginx.conf
    user www www;

Or look at the processes by name:

    # view Apache processes
    ps -ef | grep httpd
    # view nginx processes
    ps -ef | grep nginx
    # view php-fpm processes
    ps -ef | grep php-fpm

Taking Apache as an example, the output looks like this:

    root   1663     1  0 09:14 ?  00:00:00 /www/wdlinux/apache/bin/httpd    # main process
    www    1697  1663  0 09:14 ?  00:00:05 /www/wdlinux/apache/bin/httpd    # child process
    www    1698  1663  0 09:14 ?  00:00:05 /www/wdlinux/apache/bin/httpd

The first column shows which user runs each process; look mainly at the non-root lines. The output above shows that the www user runs the Apache worker processes that handle PHP files.

Note that if php-fpm is installed, you also need to check the user name and group that php-fpm runs as. (I do not have it installed, so I have not tried this.)

The default may be nobody, apache or another user and group; the above has been changed. Next, run ls -al in the site directory to confirm which user the site files belong to. There are several cases:

a. If the site owner looks like this:

    drwxr-xr-x  2 www  www  4096 June 6 10:23 system
    drwxr-xr-x  2 www  www  4096 June 6 10:23 tmp
    -rw-r--r--  1 www  www     0 June 6 10:23 index.php
    ...

The site owner is www and PHP runs as www, so PHP has the owner's permissions. In the system folder's 755, the trailing 55 does not matter; only the first digit counts, so 7xx gives PHP 7 (rwx) when it executes.

b. If the site owner looks like this:

    drwxr-xr-x  2 test www  4096 June 6 10:23 system
    drwxr-xr-x  2 test www  4096 June 6 10:23 tmp
    -rw-r--r--  1 test www     0 June 6 10:23 index.php
    ...

The site owner is test and the owning group is www; PHP runs as user www in group www. They are in the same group, so group permissions apply: in the system folder's 755, the first 7 and the last 5 do not matter; only the middle digit counts, so x5x gives PHP 5 (r-x) when it executes.

c. If the site owner looks like this:

    drwxr-xr-x  2 test test 4096 June 6 10:23 system
    drwxr-xr-x  2 test test 4096 June 6 10:23 tmp
    -rw-r--r--  1 test test    0 June 6 10:23 index.php
    ...

The site owner is test and the owning group is test; PHP runs as user www in group www. There is no relationship, so the other permissions apply: in the system folder's 755, the leading 75 does not matter; only the last digit counts, so xx5 gives PHP 5 (r-x) when it executes.

So it is not enough to simply say "set the permissions to 755 or 644"; you also need to confirm which user runs the program and who owns the site files before deciding on permissions.

At present many integrated environments (for example lanmp v3), to save trouble, set both the PHP execution user and the site directory owner to www. Directories created afterwards are 755 and files are 644, so when PHP executes the effective directory permission is 7 (it can create and delete in every directory) and the effective file permission is 6 (it can write every file). Is this not rather unsafe? Normally directories should be 5 and files 4, with 7 only set where there is a special need. If you find the situation above, fix it in one of two directions: either change the Apache/nginx user and group, or change the owner and group of the site files, so as to keep the site secure.
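As an added example (not code from the original article), the following Python script applies the three cases above to ls -l lines: for each entry it decides whether the PHP user counts as owner, group or other, converts the matching triplet to its digit, and reports anything that user can write to outside an allow-list of directories that are meant to be writable. The listing, the user name www and the allow-list are constructed assumptions.

```python
import re

# Constructed ls -l listing of a site directory (sample data, not from a real server).
SAMPLE_LISTING = """\
drwxr-xr-x  2 www  www  4096 Jun  6 10:23 system
drwxrwxr-x  2 test www  4096 Jun  6 10:23 tmp
-rw-r--r--  1 test test    0 Jun  6 10:23 index.php
-rw-rw-r--  1 test www   512 Jun  6 10:23 config.php
"""
# type, 9 permission chars, link count, owner, group, size, month, day, time, name
LS_LINE = re.compile(r"^([dl-])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$")

def parse_ls_line(line):
    """Split one ls -l line into type, mode string, owner, group and name."""
    m = LS_LINE.match(line)
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    ftype, mode, owner, group, name = m.groups()
    return {"type": ftype, "mode": mode, "owner": owner, "group": group, "name": name}

def triplet_to_digit(triplet):
    """'r-x' -> 5, 'rwx' -> 7: the r=4, w=2, x=1 addition from section I (s/t imply x)."""
    return ((4 if triplet[0] == "r" else 0) + (2 if triplet[1] == "w" else 0)
            + (1 if triplet[2] in "xst" else 0))

def effective_perm(entry, user, groups):
    """Choose the class that applies to `user` (cases a/b/c in section III) and return its digit."""
    if user == entry["owner"]:
        cls, triplet = "owner", entry["mode"][0:3]
    elif entry["group"] in groups:
        cls, triplet = "group", entry["mode"][3:6]
    else:
        cls, triplet = "other", entry["mode"][6:9]
    return cls, triplet_to_digit(triplet)

def audit_listing(listing, user, groups, writable_ok=()):
    """Report every entry the PHP user can write that is not on the upload/cache/log allow-list."""
    findings = []
    for line in listing.splitlines():
        e = parse_ls_line(line)
        cls, digit = effective_perm(e, user, groups)
        if digit & 2 and e["name"] not in writable_ok:
            kind = "directory" if e["type"] == "d" else "file"
            findings.append(f"{e['name']}: {user} gets {digit} as {cls} on this {kind}")
    return findings

if __name__ == "__main__":
    # PHP is assumed to run as www:www; only tmp is meant to be writable.
    for finding in audit_listing(SAMPLE_LISTING, "www", ["www"], writable_ok=("tmp",)):
        print(finding)
```

On a real server the listing would come from ls -al in the site directory and the user and group from the ps or config check above.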

That is all; just a basic description of permissions.
