ARCHIVED: Guidelines for file and directory permission settings on Webserve
This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.
Following are guidelines for proper file and directory permissions on Webserve.
Important: From /ip/account all the way down, no file or directory is permitted to be group or other "writable". There should be no exceptions.
- Protect the top-level directory (/ip/account) for all access to owner and execute only to group and others.
- Set normally hidden common dot (.) files and directories in the login directory (for example, .ssh, .ssh2, .login, .profile, .cshrc, .bash_history, .bashrc) to all access to owner and no access to group and others.
- Generally, you should set all other non-dot directories (for example, bin) to all access to owner and no access to group and other.
- In most cases, you should protect all other non-dot files in the login directory for all access to owner and no access to group and other.
- Generally, you should protect all executable files in the entire account directory for all access to owner and no access to group or other. In the www and wwws directories, the ~account feature of the web server will ensure that the executable file executes as the account name.
- If the account is a member of the Unix "ip" group, all files in the entire /ip/account directory tree should have their owner set to the account name and the group set to ip.
- Set the www and wwws (if present) directories to all access to owner and execute only to group and other.
To check your account for files/directories with improper permission settings, run the check_file_security script:
- Log into your account using an SSH secure shell client such as PuTTY.
- Type the following command:
  /usr/local/bin/check_file_security
- When prompted with the question, "Do you want to continue and run the report? (y/n)", type y.
- The result will be written to a file named account-check-file-security-report.txt, located in the login directory.
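The guidelines above can also be checked by hand with standard tools. The following is an added example, not the check_file_security script or any Indiana University code; the function names are hypothetical, and it assumes a POSIX sh with find, ls, cut and sed and takes the account directory as its argument.

```shell
#!/bin/sh
# Added example, not the check_file_security script. Function names are
# hypothetical; the account path is passed as the first argument.

# Print the 10-character type and mode string of a path, e.g. "drwx--x--x".
mode_of() { ls -ld "$1" | cut -c1-10; }

# Rule: nothing from the account directory down is group- or other-writable.
# Symbolic links are skipped; their own mode bits are not what access uses.
find_writable() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
}

# Rule: the account, www and wwws directories give all access to owner and
# execute only to group and other (octal 711).
is_traverse_only() { [ "$(mode_of "$1")" = "drwx--x--x" ]; }

# Rule: dot files and dot directories in the login directory give group and
# other no access. The glob covers ordinary dot names such as .ssh or .bashrc.
find_exposed_dot_entries() {
    for entry in "$1"/.[!.]*; do
        [ -e "$entry" ] || continue      # glob matched nothing
        [ -L "$entry" ] && continue
        case "$(mode_of "$entry")" in
            ????------) ;;               # group and other bits all clear
            *) printf '%s\n' "$entry" ;;
        esac
    done
}

# Run every check on one account directory; return 1 if anything is reported.
audit_account() {
    rc=0
    for dir in "$1" "$1/www" "$1/wwws"; do
        [ -d "$dir" ] || continue
        is_traverse_only "$dir" || { echo "MODE  $dir is not 711"; rc=1; }
    done
    out=$(find_writable "$1")
    [ -z "$out" ] || { printf '%s\n' "$out" | sed 's/^/WRITE /'; rc=1; }
    out=$(find_exposed_dot_entries "$1")
    [ -z "$out" ] || { printf '%s\n' "$out" | sed 's/^/DOT   /'; rc=1; }
    return "$rc"
}

if [ "$#" -gt 0 ]; then audit_account "$1"; fi
```

Each reported line is prefixed with the rule it breaks (MODE, WRITE or DOT), and the exit status is nonzero when anything is reported.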
For more about changing file/directory permissions, see Manage file permissions on Unix-like systems.
This is document bfrx in the Knowledge Base.
Last modified on 2021-09-08 10:19:06.