Manage file permissions on Pages

On this page:


Overview

As a Pages user, you are responsible for maintaining the security of your directories on the Pages server. This responsibility includes ensuring that none of your directories are world-writable, and that directories used for file uploads do not give executable permissions to anyone. To check and edit your directory and file permissions, follow the instructions below.

Check existing permissions

To check your file permissions when connected to the Pages server with SSH, use the ls (list) command. To view a list of all the contents in a directory and their permissions, including any hidden files, change to the directory, and then enter ls -la. You should see output similar to the following:

drwxr--r--  2 user1 pages-users 4096 Feb  1 10:38 ExampleDirectory
-rw-r--r--  1 user1 pages-users   12 Sep  9 09:28 myFile.txt

From left to right, the output can be simplified to "permission structure", "links to the file or directory", "individual owner of the file or directory", "group owner of the file or directory", "size of the file or directory in bytes", "last edit date for the file or directory", and "name of the file or directory".

In the permission structure, the first character indicates the file type. In the example above, d stands for directory, and - indicates a regular file. Following that are nine characters, which are best understood as three groups of three. The first group of three characters indicates the permissions of the individual owner for that file or directory, the second group of characters are for the group owner, and the third group of characters is for all other users ("other (world)"):

  • r grants permission to read the file content.
  • w grants permission to write (edit) the file content.
  • x grants permission to execute the file.
  • - indicates that no permissions have been granted.

On the Pages server, you will generally want the permission structure to be rw-r--r-- or rwxr--r--. These permissions allow the individual owner to read and write to the content, while only allowing the group owner and all others to read the content. Optionally, the individual owner may need executable permissions to run a file as a script. The "other (world)" group in the permission structure needs to have at least read permissions for the file to display in a browser.

Setting a directory to be world-writable, where the last group in the permission structure has a w listed, is a security vulnerability and violates the Pages Service Agreement.

Change permissions for a file or directory

To change the permissions for a file or directory, use the chmod (change mode) command. You can change permissions to make content executable and to remove write permissions for the "other (world)" group.

To set permissions to rw-r--r--, enter the command chmod 644 filename. To apply this permission set recursively to all files in a directory, instead use chmod -R 644 directory_name. To give the individual owner permission to execute a file (that is, to set permissions to rwxr--r--), use chmod 744 filename.

Remember that no file or directory on Pages should have w permission for "other (world)". Also, if your site has a way for visitors to upload files, the directory for uploads should not have x permission for anyone.

For more information on Unix file permissions, see Manage file permissions on Unix-like systems.

This is document bgsz in the Knowledge Base.
Last modified on 2023-07-18 11:23:20.