Under Linux, web directory and file permissions must be set with the security of the system as a whole in mind. In general, a directory needs r (read) and x (execute) permission, and some directories also need w (write) permission; a file needs r (read), and some files also require w (write) or x (execute) permission.
In a Linux system, the default rwx permissions of a newly created file or directory are determined by the umask command. The system default umask is 022, which acts as a mask on the file or directory permissions: a directory created at this time gets 755 (rwxr-xr-x), because 777 masked by 022 gives 755, and a file gets 644 (rw-r--r--), because 666 masked by 022 gives 644.
Of course, such permission settings are not safe: different users on the same server (who may or may not belong to different groups), or the users of different virtual hosts, can read each other's source code. The umask value must therefore be made more stringent, so that nobody except root can freely read other people's source code, database credentials, and so on.
The method is to remove the r (read) permission from the group and from other users. To set directory permissions to 500 (read + execute) and file permissions to 400 (read), the umask should be set to 277; to set directory permissions to 700 (read + write + execute) and file permissions to 500 (read + execute), the umask should be set to 177.
For the latter, for example, the command umask 177 sets the default creation permissions for directories and files in the current session. To make the setting permanent, edit /root/.bash_profile and the .bash_profile file in every user's home directory, changing umask 022 to umask 177.
As can be seen from the above, several basic principles for setting more secure directory and file permissions are:
1. Minimize the number of writable directories under the web path.
2. A file should have either write or execute permission, never both.
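An added example, not code from the original article: it creates a directory and a file under each umask mentioned above (022, 277 and 177), reports the modes the kernel actually assigned so the figures quoted above can be checked, and then audits the resulting tree against the two principles just listed. The directory and file names are constructed for the demonstration.

```python
import os
import stat
import tempfile

def default_modes(umask: int) -> tuple[int, int]:
    """Modes a new directory (base 777) and a new file (base 666) receive under `umask`."""
    return 0o777 & ~umask, 0o666 & ~umask

def create_under_umask(root: str, umask: int) -> tuple[int, int]:
    """Create one directory and one file under `root` with `umask` in force and
    return the modes the kernel actually assigned (constructed names, for the demo)."""
    old = os.umask(umask)
    try:
        d = os.path.join(root, f"dir_{umask:03o}")
        f = os.path.join(root, f"file_{umask:03o}")
        os.mkdir(d)                      # requests 0o777, reduced by umask
        open(f, "w").close()             # requests 0o666, reduced by umask
    finally:
        os.umask(old)                    # never leave the process umask changed
    return stat.S_IMODE(os.stat(d).st_mode), stat.S_IMODE(os.stat(f).st_mode)

def audit_tree(root: str) -> dict[str, list[str]]:
    """List objects under a web root that break the two principles above, plus
    anything the group or other users can read (the problem described earlier)."""
    out = {"writable_dirs": [], "write_and_exec_files": [], "readable_by_others": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            mode = stat.S_IMODE(os.lstat(os.path.join(dirpath, name)).st_mode)
            if name in dirnames:
                if mode & 0o222:                     # w for u, g or o
                    out["writable_dirs"].append(name)
            elif mode & (mode >> 1) & 0o111:         # same class holds both w and x
                out["write_and_exec_files"].append(name)
            if mode & 0o044:                         # r for g or o
                out["readable_by_others"].append(name)
    return out

def demo() -> dict:
    """Create objects under the three umasks discussed, audit the tree, clean up."""
    with tempfile.TemporaryDirectory() as root:
        real = {u: create_under_umask(root, u) for u in (0o022, 0o277, 0o177)}
        findings = audit_tree(root)
        for name in os.listdir(root):                # make cleanup possible again
            os.chmod(os.path.join(root, name), 0o700)
    return {"real": real, "findings": findings}

if __name__ == "__main__":
    for u, (d, f) in demo()["real"].items():
        print(f"umask {u:03o}: directory {d:03o}, file {f:03o}")
```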
Linux files have four kinds of access rights: readable (r), writable (w), executable (x), and no permission (-).
Enter the ls -l command in a terminal to view the permissions of the files and directories in the current directory; the first field of each row is its permission string. This field consists of 10 characters, such as:
The first character is the file type: - is a regular file, d is a directory. Each of the following three-character groups gives the permissions of a different class of user:
Characters 2-4: the permissions of the file's owner, u (user)
Characters 5-7: the permissions of the members of the group the file belongs to, g (group)
Characters 8-10: the permissions of users who are neither the owner nor in the file's group, o (others)
Characters 2-10 taken together are sometimes called the a (all) permissions.
The field above indicates that this is a regular file (not a directory) and that the owner has read, write, and execute permissions.
Users who belong to the file's group have read and execute permissions, but no write permission.
r, w, and x can also be represented by the numbers 4, 2, and 1, with 0 meaning no permission; this is more convenient when modifying permissions.
Linux uses the chmod command to modify file permissions.
There are two ways to use chmod: an expression of letters and operators (the text-setting method), and an expression of numbers (the numeric-setting method).
1. Text-setting method
chmod [who][+|-|=][mode] filename
who is any of the u, g, o, a mentioned above, or a combination of them. The operators +, - and = respectively add a permission, remove a permission, and grant exactly the given permission while removing all others (if any).
mode is any combination of r, w, and x.
chmod g+r,o+r filename
This adds read permission on the file filename for the group and for other users.
2. Numeric-setting method, whose principle is relatively simple
chmod [mode] filename
Instead of adding individual permissions, this sets the permissions directly: mode is a three-digit number in which each digit can be any value from 1 to 7 and represents the permissions of the corresponding user class, for example:
chmod 777 filename
This gives all users every permission on filename, which is very dangerous. Modifying permissions in Linux may require administrator privileges, for example via sudo, or by switching to the root account in Ubuntu.
chmod can also take options, mainly -R (recurse into a directory) and -v (display each operation).
chmod -R 755 dirname
This changes the permissions of dirname and of every file and directory beneath it to 755; it is a recursive operation on the directory.
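The following added example (not code from the original article) serves the ls -l discussion above and the two chmod methods: it converts the 10-character permission field of ls -l into a numeric mode and applies text-setting expressions such as g+r,o+r or u=rwx,go=rx to a mode, so both methods can be compared without touching real files. It models only the u/g/o/a classes, the + - = operators and the r/w/x letters; the umask that real chmod applies when who is omitted is not modelled.

```python
import stat

CLASSES = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERMS = {"r": 0o444, "w": 0o222, "x": 0o111}
LS_BITS = (0o400, 0o200, 0o100, 0o040, 0o020, 0o010, 0o004, 0o002, 0o001)

def mode_from_ls(field: str) -> int:
    """Convert the first field of `ls -l` (e.g. '-rwxr-x---') to a numeric mode.
    Character 1 is the file type; characters 2-10 are the u, g and o permissions."""
    if len(field) != 10:
        raise ValueError("ls -l permission field must be 10 characters long")
    mode = 0
    for ch, bit in zip(field[1:], LS_BITS):
        if ch not in "-rwxsStT":
            raise ValueError(f"unexpected permission character {ch!r}")
        if ch in "rwxst":            # lowercase s/t also mean the x bit is set
            mode |= bit
    return mode

def to_ls(mode: int) -> str:
    """Inverse of mode_from_ls for a regular file, via the stdlib formatter."""
    return stat.filemode(stat.S_IFREG | (mode & 0o777))

def apply_symbolic(mode: int, expr: str) -> int:
    """Apply a text-setting expression ('g+r,o+r', 'u=rwx,go=rx', 'a-w') to `mode`.
    An omitted who means 'a'; real chmod additionally honours the umask then."""
    for clause in expr.split(","):
        i = 0
        while i < len(clause) and clause[i] in CLASSES:
            i += 1
        who = clause[:i] or "a"
        if i >= len(clause) or clause[i] not in "+-=":
            raise ValueError(f"bad clause {clause!r}: expected one of + - =")
        op, letters = clause[i], clause[i + 1:]
        if any(p not in PERMS for p in letters):
            raise ValueError(f"bad permission letters in {clause!r}")
        who_mask = 0
        for w in who:
            who_mask |= CLASSES[w]
        bits = 0
        for p in letters:
            bits |= PERMS[p]
        bits &= who_mask             # only touch the classes named in `who`
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:                        # '=' grants exactly `bits`, clearing the rest
            mode = (mode & ~who_mask) | bits
    return mode & 0o777

if __name__ == "__main__":
    m = mode_from_ls("-rwxr-x---")
    print(f"{m:03o}", to_ls(apply_symbolic(m, "g+r,o+r")))
```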
Syntax: chmod [options] [parameters]
Description: the chmod command changes the permissions of a file or directory. Permissions can be set in two ways, with letters or with numbers.
In the numeric method, 0 means no permission, 1 executable, 2 writable, and 4 readable; the final permission is the sum of these numbers. For example, readable and writable is 6, and readable and executable is 5.
In the letter method, r denotes read permission, w write permission, x execute permission, and - no permission.
Options:

| Option | Description |
|---|---|
| u | Operation object abbreviation: user, the owner of the file or directory |
| g | Operation object abbreviation: group, the group that owns the file or directory |
| o | Operation object abbreviation: others, all other users |
| a | Operation object abbreviation: all users; used by default |
| + | Permission operator: add the given permissions |
| - | Permission operator: remove the given permissions |
| = | Permission operator: set the permissions of the file to exactly the given ones |
| r | Permission (letter): read permission |
| w | Permission (letter): write permission |
| x | Permission (letter): execute permission |
| - | Permission (letter): no permission |
| X | Permission: set execute permission only if the target is a directory or already has execute permission |
| s | Permission: set the suid and sgid bits; the combination u+s sets the set-user-ID bit of the file, g+s the set-group-ID bit |
| t | Permission (sticky bit): only the owner of a file, or the owner of the directory, can delete files under the directory |
| -c | Display information about the action only if the file's permissions actually changed |
| -f | Do not display error messages during the operation |
| -R | Modify the permissions of all files and subdirectories under the specified directory |
| -v | Display the detailed execution of the command as it runs |
| --help | Display help information |
| --version | Display version information |
| file | The name of the file or directory whose permissions are to be changed |
Set all files and folders under /home/wwwroot/ to 755 permissions:
(1) Directly specify the path to modify
(2) Manually enter the directory and modify permissions (showing the detailed process)
chmod -Rv 755 *    # Note: "*" is a wildcard that matches all files and folders