ARCHIVED: Guidelines for file and directory permission settings on Webserve

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

Following are guidelines for proper file and directory permissions on Webserve.

Important:
From the /ip/account all the way down, no file or directory is permitted to be group or other "writable". There should be no exceptions.
  1. Protect the top-level directory (/ip/account) for all access to owner and execute only to group and others.
  2. Set normally hidden common dot (.) files and directories in the login directory (for example, .ssh, .ssh2, .login, .profile, .cshrc, .bash_history, .bashrc) to all access to owner and no access to group and others.
  3. Generally, you should set all other non-dot directories (for example, bin) to all access to owner and no access to group and other.
  4. In most cases, you should protect all other non-dot files in the login directory for all access to owner and no access to group and other.
  5. Generally, you should protect all executable files in the entire account directory for all access to owner and no access to group or other.

    In the www and wwws directories, the ~account feature of the web server will ensure that the executable file executes as the account name.

  6. If the account is a member of the Unix "ip" group, all files in the entire /ip/account directory tree should have their owner set to the account name and the group set to ip.
  7. Set the www and wwws (if present) directories to all access to owner and execute only to group and other.

To check your account for files/directories with improper permission settings, run the check_file_security script:

  1. Log in to your account using an SSH client such as PuTTY.
  2. Type the following command:
      /usr/local/bin/check_file_security
  3. When prompted with the question, "Do you want to continue and run the report? (y/n)", type y.
  4. The result will be written to a file named account-check-file-security-report.txt, located in the login directory.
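
For systems where check_file_security is not available, the following added example (not the Webserve script, and not code from the original page) audits a directory tree against the blanket no-group/other-write rule and guidelines 1, 2 and 7. The function names, the output labels and the reading of "all access to owner, execute only to group and other" as mode 711 are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the check_file_security script.
# Audits a directory tree against three of the guidelines above.

# Octal mode of a path: GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_account_perms TOP  (TOP is the account's top-level directory)
# Usage after sourcing this file: audit_account_perms "$HOME"
audit_account_perms() {
    top=$1

    # Nothing in the tree may be group- or other-writable.
    # Symlinks are skipped: their own mode bits are not enforced.
    find "$top" ! -type l \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/WRITABLE /'

    # Guidelines 1 and 7: top-level directory, www and wwws are
    # all access to owner, execute only to group and other (711).
    for d in "$top" "$top/www" "$top/wwws"; do
        [ -d "$d" ] || continue
        m=$(mode_of "$d")
        if [ $(( 0$m & 0777 )) -ne $(( 0711 )) ]; then
            printf 'EXPECT-711 %s (mode %s)\n' "$d" "$m"
        fi
    done

    # Guideline 2: dot files and directories in the login directory
    # give no access to group or other.
    for p in "$top"/.[!.]*; do
        if [ -e "$p" ] && [ ! -L "$p" ]; then
            m=$(mode_of "$p")
            if [ $(( 0$m & 077 )) -ne 0 ]; then
                printf 'DOT-EXPOSED %s (mode %s)\n' "$p" "$m"
            fi
        fi
    done
    return 0
}
```

An empty result means none of the three checks found a violation; each output line names the rule, the path and, for the mode checks, the mode found.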

For more about changing file/directory permissions, see Manage file permissions on Unix-like systems.

This is document bfrx in the Knowledge Base.
Last modified on 2021-09-08 10:19:06.