What should the Unix file system permissions be for PHP files under Apache?


Solution 1

PHP scripts should be editable by the owner, readable by a group the Apache user is in, and optionally readable by anyone. They don't need to be executable. Ideally, most of the PHP scripts should be outside of a web-accessible folder, especially any configuration files. This way even if there is a problem with the Apache configuration, your PHP files will never be exposed to the web. Often you'll just have an index.php page which calls require_once() on a script in the protected directory outside the web-accessible folder. A .htaccess file rewrites all incoming requests so that they go through the index.php, which then uses the router in the protected directory to figure out what to serve.

Solution 2

You may be confusing the roles of PHP and the file system. PHP does not have read, write, or executable permissions. Those are handled by the underlying filesystem (ext4, NTFS, etc).

You can use PHP functions such as is_writable() and is_readable() to determine the permissions of a given file, and chmod() to change them.

Solution 3

Basically most functions / methods attempting to write to a file in PHP should have an idea like this:

function writeSomething( $file )
{
    if ( !is_writable( $file ) )
    {
        // attempt to make it writable
        if ( !chmod($file, 0777) )
        {
            // could not make file writable
            // log the error....
            return false;
        }
    }

    // perform the writing here..

    // report success once the write has completed
    return true;
}

It's a good idea to make sure that you can access the file before attempting to do it, because it's always better to show the user a custom error like "There was a problem" than to show a classic PHP error like "Unable to write to file..." or something...

Hope I can help!

Solution 4

755 for folders and 644 for php and other files.
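
The 755/644 rule above as a check you can run over a project tree, added here as an example and not part of any answer on this page: it lists paths that deviate from the target modes, flags anything writable by "other", and resets the modes. The function names and the sample tree are constructed for illustration; pass 750 and 640 as the second and third arguments for a tree where "other" gets no access.

```shell
#!/bin/sh
# Added example, not from the answers. Function names are hypothetical.
# Assumption: the tree should follow the 755 (directories) / 644 (files) rule.

# Print every directory or regular file whose mode differs from the target.
audit_perms() {
    find "$1" -type d ! -perm "${2:-755}" -print
    find "$1" -type f ! -perm "${3:-644}" -print
}

# Number of paths reported by audit_perms.
count_deviations() {
    audit_perms "$@" | wc -l | tr -d ' '
}

# Print anything writable by "other" (symlinks skipped: their mode is ignored).
world_writable() {
    find "$1" ! -type l -perm -002 -print
}

# Apply the target modes: directories first, then regular files.
fix_perms() {
    find "$1" -type d -exec chmod "${2:-755}" {} +
    find "$1" -type f -exec chmod "${3:-644}" {} +
}

# Build a constructed sample tree with three deliberate deviations; prints its path.
build_demo_tree() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/public" "$tmp/app"
    : > "$tmp/public/index.php"
    : > "$tmp/app/config.php"
    : > "$tmp/app/router.php"
    chmod 755 "$tmp" "$tmp/public"
    chmod 644 "$tmp/public/index.php"
    chmod 777 "$tmp/app"            # world-writable directory
    chmod 666 "$tmp/app/config.php" # world-writable file
    chmod 755 "$tmp/app/router.php" # needless execute bit
    printf '%s\n' "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    tree=$(build_demo_tree)
    echo "deviations before: $(count_deviations "$tree")"
    world_writable "$tree"
    fix_perms "$tree"
    echo "deviations after: $(count_deviations "$tree")"
    rm -rf "$tree"
fi
```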

Author by

Kirk Strobeck

Updated on September 18, 2022

Comments

  • Kirk Strobeck
    Kirk Strobeck over 1 year

    What is the best practice for permissions with PHP files? When should they be writable, or executable? What owner is best?

    I'm using an Apache server.

    • Admin
      Admin almost 13 years
      Are you talking about the file permissions of the web server (eg: apache)?
    • Kirk Strobeck
      Kirk Strobeck almost 13 years
      great, thnx for the tip
    • Lekensteyn
      Lekensteyn almost 13 years
      You need to provide more details, how are you uploading your files? (SSH/SFTP, FTP, controlpanel?, ...) You mentioned ownership, do you have root access to the box? What user is Apache running? If possible, what distro are you using? See also webmasters.stackexchange.com/q/13658/6597
  • feeela
    feeela almost 13 years
    Here again: Why should any (PHP-)file be executable? Also - if the files are owned by Apache, you will have problems changing anything via FTP or SVN if you haven't root access. Better to use a user-group, which includes the Apache (on most webspace-accounts I saw it was www-data).
  • Kirk Strobeck
    Kirk Strobeck almost 13 years
    I like this answer but could you expand with some ie. 0777, 755, 655 kind of numbers, I need to know how to actually set the files
  • Kristian Damian
    Kristian Damian almost 13 years
    @Kirk Strobeck: editable (read/write) by the owner, readable by a group, and readable by anyone = 644
  • Bob Baddeley
    Bob Baddeley almost 13 years
    As Marco said, permissions go in order of owner, group, anyone, where read is 4, write is 2, execute is 1, and you add them together. So if you want something read only, it would be 4. If you want read and write, it's 6 (4+2), and if you want all permissions, it's 7 (4+2+1). Most PHP files will have 644 because the owner has to be able to edit it, everyone needs to be able to read it, and nobody needs to execute it (in the strictly Unix sense. PHP is the executable and it's reading the files, parsing them, and doing stuff with them, so Unix isn't actually executing them).
  • Bob Baddeley
    Bob Baddeley almost 13 years
    Also, the 0 at the beginning is optional and useless. It's just saying the number is octal, but since permissions never go above 7, it's pointless to specify.
  • Stephen Ostermiller
    Stephen Ostermiller about 9 years
    This is similar to advice given in other answers. Can you explain what makes your answer more correct, link to documentation, and explain how to set permissions?
  • heximal
    heximal almost 9 years
    It's still not clear how to deal with PHP upload routines? If we have 644 permissions for files and 755 for directories, PHP won't be able to write to the project directory. If we set 775 permission for the folder, httpd will be able to write, but the files it creates will have httpd as owner and it will be impossible to modify them using a regular user account.
  • Admin
    Admin almost 8 years
    Why does Other have read on files and read+execute on folders (0644 and 0755)? Shouldn't entitlements be limited to User and Groups for a web server on Linux? What benefit does it provide? What risk does it expose?
  • Admin
    Admin almost 8 years
    Why does Other have read on files and read+execute on folders (0644 and 0755)? Shouldn't entitlements be limited to User and Groups for a web server on Linux? And why are you allowing anyone to read configuration files (0444)? What benefit does it provide? What risk does it expose?