Guidelines for file and directory permission settings on Webserve

Important:
On Webserve, PHP 7.1 will become the default version in spring 2018; however, PHP 5.6 will still be available until it is retired at the end of December 2018. For help specifying which version of PHP to use, see PHP server-side scripting language.

Following are guidelines for proper file and directory permissions on Webserve.

Important:
From the /ip/ account directory all the way down, no file or directory is permitted to be group- or other-writable. There are no exceptions.
  1. Set the top-level account directory (under /ip/) to all access for the owner and execute only for group and others (mode 711).
  2. Set the normally hidden dot (.) files and directories in the login directory (e.g., .ssh, .ssh2, .login, .profile, .cshrc, .bash_history, .bashrc) to all access for the owner and no access for group and others (mode 700 for directories; 600 for files, or 700 if the file must be executable).
  3. Generally, set all other non-dot directories (e.g., bin) to all access for the owner and no access for group and others (mode 700).
  4. In most cases, protect all other non-dot files in the login directory with all access for the owner and no access for group and others (mode 600; executables are covered by step 5).
  5. Generally, protect every executable file in the entire account directory tree with all access for the owner and no access for group and others (mode 700).

    In the www and wwws directories, the web server's ~account feature ensures that an executable file runs as the account's own user, so group and other permissions on it are not needed.

  6. If the account is a member of the Unix "ip" group, every file in the entire /ip/ account directory tree should have its owner set to the account name and its group set to ip.
  7. Set the www and wwws (if present) directories to all access for the owner and execute only for group and others (mode 711).

To check your account for files/directories with improper permission settings, run the check_file_security script:

  1. Log into your account using an SSH client such as PuTTY.
  2. Type the following command:
      /usr/local/bin/check_file_security
  3. When prompted with the question, "Do you want to continue and run the report? (y/n)", type y.
  4. The result will be written to a file named account-check-file-security-report.txt, located in the login directory.
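The guidelines above, and the kind of check the check_file_security report performs, as an added shell example. This is not the Webserve check_file_security script (which the page does not reproduce) and not IU's code: it applies the listed modes to an account tree and then reports anything still group- or other-writable, which is the one rule the page says has no exceptions. The /ip/<account> layout, the throw-away fixture tree, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the Webserve check_file_security script. The account
# path layout (/ip/<account>), the fixture tree and the function names are
# assumptions for illustration only.
#
# Octal modes used: 711 = rwx--x--x, 700 = rwx------, 600 = rw-------.

# Apply the guideline modes to the account tree whose login directory is $1.
webserve_apply_perms() {
    acct="$1"

    # Guideline 1: top-level account directory, all access to owner,
    # execute only to group and others.
    chmod 711 "$acct"

    # Guideline 7: www and wwws (if present) get the same 711.
    for d in www wwws; do
        if [ -d "$acct/$d" ]; then chmod 711 "$acct/$d"; fi
    done

    # Guideline 2: dot files and dot directories in the login directory,
    # owner only. Two globs because ".*" would also match "." and "..".
    # Files keep an owner execute bit if they already had one.
    for f in "$acct"/.[!.]* "$acct"/..?*; do
        [ -e "$f" ] || continue
        if [ -d "$f" ]; then chmod 700 "$f"; else chmod u+rw,go-rwx "$f"; fi
    done

    # Guidelines 3 and 4: other non-dot entries in the login directory,
    # owner only (www and wwws were handled above and stay 711).
    for f in "$acct"/*; do
        [ -e "$f" ] || continue
        case "${f##*/}" in www|wwws) continue ;; esac
        if [ -d "$f" ]; then chmod 700 "$f"; else chmod u+rw,go-rwx "$f"; fi
    done

    # Guideline 5: every executable file anywhere in the tree, owner only.
    # The ~account feature runs it as the account, so group/other bits are
    # not needed even under www and wwws.
    find "$acct" -type f -perm -u+x -exec chmod 700 {} +

    # The "no exceptions" rule: nothing in the tree may be group- or
    # other-writable, whatever the steps above left in place.
    find "$acct" \( -perm -g+w -o -perm -o+w \) -exec chmod go-w {} +
}

# Report every entry below $1 that is group- or other-writable.
# Empty output means the tree passes the rule.
webserve_find_writable() {
    find "$1" \( -perm -g+w -o -perm -o+w \) -print
}

# Guideline 6: report entries not owned by user $2 or not in group $3
# (e.g. webserve_find_wrong_owner /ip/alice alice ip). Changing ownership
# normally needs an administrator, so this only reports.
webserve_find_wrong_owner() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# True when $1 has exactly the octal mode $2 (e.g. 0700).
webserve_mode_is() {
    find "$1" -prune -perm "$2" | grep -q .
}

# Constructed fixture (not a real account): a throw-away tree shaped like a
# login directory and deliberately too permissive, so the functions above
# have something to fix. Prints the path of the tree.
webserve_make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/.ssh" "$dir/bin" "$dir/www/cgi-bin"
    : > "$dir/.bashrc"
    : > "$dir/notes.txt"
    printf '#!/bin/sh\necho hello\n' > "$dir/bin/tool"
    printf '#!/bin/sh\necho "Content-type: text/plain"; echo; echo hi\n' \
        > "$dir/www/cgi-bin/hello.cgi"
    chmod 777 "$dir" "$dir/www" "$dir/bin/tool"   # world-writable: forbidden
    chmod 755 "$dir/www/cgi-bin/hello.cgi" "$dir/.ssh" "$dir/bin"
    chmod 666 "$dir/.bashrc" "$dir/notes.txt"
    printf '%s\n' "$dir"
}

# Usage on a real account (assumed path):
#   webserve_find_writable /ip/account      # report only
#   webserve_apply_perms   /ip/account      # apply the guideline modes
```

Run the report function first and read its output before applying anything: guideline 5 removes group and other bits from every executable in the tree, which is what the page asks for but is worth seeing listed before it happens. On Webserve itself the authoritative check remains the check_file_security report described above.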

For more about changing file/directory permissions, see In Unix, how do I change the permissions for a file?

This is document bfrx in the Knowledge Base.
Last modified on 2017-05-16 11:42:16.
