Chmod for PHP web application


Question

I'm writing a web application. It has:

  • index.php
  • /app - of course with .htaccess, but I'm not talking about that
  • /app/session - for sessions; on my server I must use session_save_path(/app/session)
  • /app/include - index.php includes files from this directory
  • /app/config - only .xml files, which are read by classes from the scripts in include
  • /images, /styles etc.

My question is:
What are the correct chmod settings for the above directories? I know what chmod is (I'm working on Linux) and I know how I can change it, but I can't find useful information about that. Only articles like "How can I change chmod to 777...".

And I don't know who the owner, the group and the others are. My page will be on a shared web server, so I think the owner is apache and the group is www-data, correct?

Please tell me what chmod the directories (and files? I'm using -R for chmod to files) must have for a safe website. Mainly it comes down to the possibility of intrusion by any script.

Recommended answer

WordPress has a nice article explaining Unix file permissions. Read it and you'll grasp the basics of it. In short (and not theoretically correct):

Unix systems designate 3 different 'roles': the user, the group and the world. Especially 'the world' seems to confuse people.

Every file AND directory (which are both nodes and as such not that different in Linux systems) is assigned to a user and a group. You can see the user and group as 'owners' of the specific file/directory (I'll talk about 'nodes' from here on, because it doesn't really matter). File permissions define who can do what with the nodes. For example:

The file index.php is assigned to user 'aso' and group 'www-data' and has file permission mode 644. This means that the user (6) has read and write permissions, the group has merely read permissions (4), as does 'the world' (the last 4 of the three digits).

Now first you have to understand that EVERY user on a *nix system is part of a group. The group name is sometimes the same as the user name, but A GROUP IS ANOTHER ENTITY. So it is possible that you have a user as well as a group named 'aso'.

File permissions are built from a 'bitmask' as follows: read permissions are designated by the digit 4, write by 2, and execute by 1. Any combination can be made from this. For example, write and execute permissions are designated with 3 (write = 2, execute = 1), and read and execute permissions are designated with 5 (read = 4, execute = 1).

Let's see what this means, and I have to be fair and say that I cannot be complete in this matter. Please use Google if you want the complete story.

If I create a file on my *nix system it is automatically assigned to me (my user) and the group my user is part of. Having the permissions 644 means that I (logged in with my own user) can read the file and can alter (write) it. But I do not have the execute (x) permission. It doesn't matter however, because this only applies to executable scripts (shell scripts, most of the time with a .sh extension). The group the file belongs to ('www-data') only has read permissions, so it cannot alter the file. The 'world' also only has read permissions.

Please note that a user can be part of multiple groups, and as such *nix file permissions have a limited scope: you might want to assign write permissions to group 1, and only read permissions to group 2. In traditional file systems this is not possible. However, file systems like ReiserFS and Ext3 may use extended ACLs to accomplish things like that. That's another story however.

What does this all mean? It's easier than expected actually, as long as you understand what the assigned rights mean and what the difference is between a file node and a directory node.

Files

  • Read: able to read its contents
  • Write: able to alter (write and delete) its contents
  • Execute: able to execute the file (run a script, with all possible consequences)

Directories

  • Read: able to read its contents. This means: list the node names, but not the contents, type, etc. of the nodes.
  • Write: able to add/delete files
  • Execute: able to list its contents, including type, last modification date, etc.

Back to your case. If you have a normal setup (a Linux server running Apache and PHP as a module) your files will be assigned to your FTP user and the group 'www-data' (the group Apache is running as). You yourself need read AND write permissions (as sometimes you want to change a file), but DO NOT NEED execute permissions (as PHP - or HTML for that matter - files are not executables). So for the user, you'd need a 6 (read = 4, write = 2, combined makes 6). For the group you only need read permissions, as Apache (or the PHP module) only needs to read the contents of your PHP script. Any other user on the system has nothing to do with your files, and as such needs no permissions at all (0).

So, for ALL your scripts, permissions of 640 (read and write for the user, read for the group and none for 'the world') are sufficient.

For the directories your user needs all permissions (read = 4, write = 2, execute = 1, 7 in total). Why? Because it needs to read its contents (node names), has to be able to determine if it's a file or directory node (and other properties) AND has to be able to add and delete files (you want to add files sometimes, don't you?). So we'll give your user a 7.

The group however ('www-data', the group Apache is running as) only needs read and execute permissions. The read permission to list the contents (node names) and the execute permission to list other properties (node type, modification time etc.). It doesn't need write permissions though, because normally you don't want PHP (Apache) to add/delete files from your application tree.

Lastly the 'world', which is every other user on the system (that's NOT the same as the world in its broadest sense), doesn't need any permissions. Why would anyone else on the server need access to your files?

Combined that would make 750 (all permissions for the user, read and execute for the group, none for others).

Summarized answer to your question, the bare minimum is:

  • File permissions: 640
  • Directory permissions: 750

But always good, quite standard and secure enough:

  • File permissions: 644
  • Directory permissions: 755
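An added example (not part of the original question or answer) that applies the 640/750 scheme from the answer to a scratch copy of the asker's directory layout and then audits it with find(1), so a stray 777 or 755 is reported rather than assumed fixed. It assumes POSIX sh with GNU or BSD find; chown to the FTP user and www-data is left out because it needs root, and /app/session is assumed to need group write (770) because PHP's file session handler writes session files there as the web server user.

```shell
# Added example, not from the original answer: apply the recommended
# 640/750 scheme to a scratch copy of the layout from the question and
# audit the result with find(1). Ownership (FTP user : www-data) is not
# changed here because chown needs root; only the modes are set.
# ASSUMPTION: /app/session is written by PHP's file session handler as
# the web server user, so that one directory gets group write (770).

# Build a throwaway tree mirroring the question's layout (constructed sample),
# deliberately starting from the "chmod -R 777" state the asker complains about.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/app/session" "$root/app/include" "$root/app/config" "$root/images"
    : > "$root/index.php"
    : > "$root/app/.htaccess"
    : > "$root/app/include/Config.php"
    : > "$root/app/config/app.xml"
    chmod -R 777 "$root"
    printf '%s\n' "$root"
}

# Files: rw for the owner, r for the group, nothing for others (640).
# Directories: rwx for the owner, rx for the group, nothing for others (750).
harden_tree() {
    root=$1
    find "$root" -type f -exec chmod 640 {} +
    find "$root" -type d -exec chmod 750 {} +
    chmod 770 "$root/app/session"   # assumed exception: PHP writes session files here
}

# List every node whose mode deviates from the scheme; return 1 if any exist.
# -perm with a bare octal mode is an exact match, so 644 or 755 is flagged too.
audit_tree() {
    root=$1
    offenders=$(
        find "$root" -type f ! -perm 640
        find "$root" -type d ! -perm 750 ! -path "$root/app/session"
        find "$root/app/session" -prune ! -perm 770   # -prune: test only the dir itself
    )
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" | sed 's/^/wrong mode: /'
        return 1
    fi
    return 0
}
```

Running `audit_tree` before `harden_tree` lists every node of the 777 tree; afterwards it prints nothing and returns 0.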

