K1u Posted November 16, 2007

Tutorial I wrote on my site... thought I would share it here. Just trying to contribute... sorry if it does not meet the standards. I wrote this not too long back.

By K1u

Commonly asked.

What are CHMOD's?
To break it down basically they are rules or permissions. It stands for CHange MODe.

How can I edit them?
Use an FTP client to connect to your server, I suggest Filezilla. Other popular method through SSH.

If they are configured badly can I get hacked?
Short answer No. Long answer... let's put it like this, if you have something CHMODDED to 777, yes it is writable to the public... but they must gain access to your server to be able to write in any of these files. But... I am not saying to go out and CHMOD your whole root directory to 777... no not at all, yes you can get hacked... though this is with result of the groups not being configured properly.

Well then what's the best CHMOD?
755.

Now for the information.

So let me first explain what the 3 places on a CHMOD are with a diagram.

Now to explain what these numbers can mean. Before I do that I will point out another way you might see CHMOD's formatted, particularly on Unix based systems when looking at file permissions.

R - Read
W - Write
X - Execute

0 = No permissions at all. (---) - Avoid this.
1 = Only permission to execute. (--x)
2 = Only permission to write. (-w-) - Avoid this.
3 = Permissions to write and execute. (-wx)
4 = Permission to read only. (r--)
5 = Permissions to read and execute. (r-x) Good.
6 = Permissions to read and write. (rw-)
7 = Permissions to do anything. (rwx)

Examples.

Bad - 777 (-rwxrwxrwx) = Anyone can Read, Write, and Execute.
Good - 755 (-rwxr-xr-x) = You can do Read, Write, and Execute. Others can only Read and Execute.

Bad situations.

I CHMODDED myself so I have no permissions to the file, what the heck do I do?!?
Ouchies! First off why did you do that? Find a backup of the file or try to download it to your system and chmod it as root.

My Web server has been attacked and my host blames my CHMOD's!
Blame your host for not setting up the groups correctly!

More questions!

How do I change CHMOD's on my computer?
Simply - chmod value filename
Example - chmod 755 priv.txt

I want to change who is the owner of the file?
Use the chown command.
Syntax - chown [-hHLPR] [[user]] [:group] target1 [[target2 ..]]

I want to change the group(s) of the file?
Use the chgrp command.
Syntax - chgrp group target1 [target2 ..]

I am using windows what am I supposed to do?
Cacls.exe (Change Access Control Lists)

Links!

CHMODDING on FreeBSD - http://www.freebsd.org/cgi/man.cgi?query=chmod&sektion=1
CHMODDING on Mac OS X - http://www.hmug.org/man/1/chmod.php
CHMODDING on Solaris - http://docs.sun.com/app/docs/doc/817-0689/...hmod&a=view
CHMODDING on Linux - Already shown in tutorial.

I hope you enjoyed. It's 10:47PM and I loved writing this Tutorial. If you find anything wrong with it (including typos) PM me.

Sparda Posted November 17, 2007

You missed out the bit about the numbers 0 - 7 being the octal representation of the binary for the rwx permissions. So...

1 = --x because 001 = 1
2 = -w- because 010 = 2
3 = -wx because 011 = 3
4 = r-- because 100 = 4

Do we see a pattern emerging?

777 = 111 111 111 = rwxrwxrwx
755 = 111 101 101 = rwxr-xr-x

Get it?

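
The octal-to-binary mapping described in the post above, as an added example that is not part of the original thread: a POSIX shell decoder that tests the 4/2/1 bits of each digit and can be compared against what `ls -l` reports for a real file. The function names are made up for this illustration.

```sh
#!/bin/sh
# Added example (not from the thread): decode an octal mode into the rwx string.
# Function names are hypothetical, chosen for this illustration.

# digit_to_rwx N: three-character string for one octal digit (0-7).
digit_to_rwx() {
    d=$1
    out=""
    # Each digit is three bits: 4 = read, 2 = write, 1 = execute.
    if [ $(( d & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $(( d & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $(( d & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    printf '%s' "$out"
}

# mode_to_rwx NNN: nine-character string for owner, group and others.
mode_to_rwx() {
    mode=$1
    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo "mode_to_rwx: expected three octal digits, got '$mode'" >&2
           return 1 ;;
    esac
    owner=${mode%??}      # first digit
    rest=${mode#?}
    group=${rest%?}       # middle digit
    other=${mode#??}      # last digit
    printf '%s%s%s' "$(digit_to_rwx "$owner")" \
        "$(digit_to_rwx "$group")" "$(digit_to_rwx "$other")"
}

# actual_rwx FILE: the permission string the system reports (from ls -l).
actual_rwx() {
    ls -ld "$1" | cut -c2-10
}

for m in 777 755 644 400; do
    printf '%s = %s\n' "$m" "$(mode_to_rwx "$m")"
done
```
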
K1u (Author) Posted November 17, 2007

> You missed out the bit about the numbers 0 - 7 being the octal representation of the binary for the rwx permissions. So...
>
> 1 = --x because 001 = 1
> 2 = -w- because 010 = 2
> 3 = -wx because 011 = 3
> 4 = r-- because 100 = 4
>
> Do we see a pattern emerging?
>
> 777 = 111 111 111 = rwxrwxrwx
> 755 = 111 101 101 = rwxr-xr-x
>
> Get it?

Thank you for adding this!

SmoothCriminal Posted November 17, 2007

Good contribution, only thing is you should add examples of the coding.

Sparda Posted November 17, 2007

Also, there is a more user friendly syntax for people who (like me) can't remember numbers.

chmod o-rwx <file> (for example) would remove everyone else's permissions to do anything to the file.

Or (as is fairly common) to make a file executable by everyone you can do chmod +x <file>.

SomeoneE1se Posted November 17, 2007

> Also, there is a more user friendly syntax for people who (like me) can't remember numbers.
>
> chmod o-rwx <file> (for example) would remove everyone else's permissions to do anything to the file.
>
> Or (as is fairly common) to make a file executable by everyone you can do chmod +x <file>.

the best chmod is not 755

the best chmod is the lowest number that allows you to do what you need with the file

if YOU are the only one who needs to read it and you don't want to change it then the best mod is 400

K1u (Author) Posted November 17, 2007

> > Also, there is a more user friendly syntax for people who (like me) can't remember numbers.
> >
> > chmod o-rwx <file> (for example) would remove everyone else's permissions to do anything to the file.
> >
> > Or (as is fairly common) to make a file executable by everyone you can do chmod +x <file>.
>
> the best chmod is not 755
>
> the best chmod is the lowest number that allows you to do what you need with the file
>
> if YOU are the only one who needs to read it and you don't want to change it then the best mod is 400

Note that this tutorial is for n00bs who do not know much about chmods. 755 is usually the best (most safe) chmod to use on a webserver, 755 is usually a default chmod most of the time and me saying that is in correspondence to what I said above. If I were to say something like "the best chmod is the lowest number that allows you to do what you need with the file" then all that would cause is confusion.

Good day.

K1u (Author) Posted November 17, 2007

> K1u, wiki this please.

Kk, http://wiki.hak5.org/wiki/All_about_CHMOD%27s

Shaun Posted November 17, 2007

You know chmod is just the name of the utility to change modes (which includes permissions and things like setuid), right? Permissions are not called chmods.

K1u (Author) Posted November 17, 2007

> You know chmod is just the name of the utility to change modes (which includes permissions and things like setuid), right? Permissions are not called chmods.

Yes you are right but usually we say "I have it chmodded to..." "I just chmod to" "my chmod for this is", so I am saying this because it is the normal tongue used. But Shaun you are correct, Permissions are not called this.

SomeoneE1se Posted November 17, 2007

> > > Also, there is a more user friendly syntax for people who (like me) can't remember numbers.
> > >
> > > chmod o-rwx <file> (for example) would remove everyone else's permissions to do anything to the file.
> > >
> > > Or (as is fairly common) to make a file executable by everyone you can do chmod +x <file>.
> >
> > the best chmod is not 755
> >
> > the best chmod is the lowest number that allows you to do what you need with the file
> >
> > if YOU are the only one who needs to read it and you don't want to change it then the best mod is 400
>
> Note that this tutorial is for n00bs who do not know much about chmods. 755 is usually the best (most safe) chmod to use on a webserver, 755 is usually a default chmod most of the time and me saying that is in correspondence to what I said above. If I were to say something like "the best chmod is the lowest number that allows you to do what you need with the file" then all that would cause is confusion.
>
> Good day.

plus people who don't understand chmod most of the time will be people running webservers, and on a web server the best chmod is 644

K1u (Author) Posted November 17, 2007

> > > > Also, there is a more user friendly syntax for people who (like me) can't remember numbers.
> > > >
> > > > chmod o-rwx <file> (for example) would remove everyone else's permissions to do anything to the file.
> > > >
> > > > Or (as is fairly common) to make a file executable by everyone you can do chmod +x <file>.
> > >
> > > the best chmod is not 755
> > >
> > > the best chmod is the lowest number that allows you to do what you need with the file
> > >
> > > if YOU are the only one who needs to read it and you don't want to change it then the best mod is 400
> >
> > Note that this tutorial is for n00bs who do not know much about chmods. 755 is usually the best (most safe) chmod to use on a webserver, 755 is usually a default chmod most of the time and me saying that is in correspondence to what I said above. If I were to say something like "the best chmod is the lowest number that allows you to do what you need with the file" then all that would cause is confusion.
> >
> > Good day.
>
> plus people who don't understand chmod most of the time will be people running webservers, and on a web server the best chmod is 644

This can be argued. I will explain... Usually a file chmodded to 644 is a file at installation, example: a forum install. After this they are most likely defaulted to 755. Why limit yourself, the owner should always have 7, and read only for groups and public is not always a smart move.

SomeoneE1se Posted November 17, 2007

> This can be argued. I will explain... Usually a file chmodded to 644 is a file at installation, example: a forum install. After this they are most likely defaulted to 755. Why limit yourself, the owner should always have 7, and read only for groups and public is not always a smart move.

best is always subjective but it's less of a security risk to have 644 444 even if you're not going to change the file

and if the default is 755 and someone uses an upload script to upload a file to compromise your host you just allowed the attacker to run it for free

K1u (Author) Posted November 17, 2007

> > This can be argued. I will explain... Usually a file chmodded to 644 is a file at installation, example: a forum install. After this they are most likely defaulted to 755. Why limit yourself, the owner should always have 7, and read only for groups and public is not always a smart move.
>
> best is always subjective but it's less of a security risk to have 644 444 even if you're not going to change the file
>
> and if the default is 755 and someone uses an upload script to upload a file to compromise your host you just allowed the attacker to run it for free

Security with user-abilities sake would be best to use 755, but yes 644 would be more secure even though it restricts the owner.

Shaun Posted November 19, 2007

Mmm, why me? That sounds like something someone who wasn't incredibly lazy would do.

I do agree with SomeoneE1se though, something doesn't really need the execute bit set unless it's actually an executable or a directory. In case of web servers it would mostly be directories and stuff in cgi-bin which would need it. Stuff like .php files don't need it since they are parsed by the webserver, not executed like CGI script/programs.

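
The points raised in the thread about 777 and about execute bits only being needed on directories and cgi-bin content, as an added example that is not part of the original posts: a POSIX shell audit that lists world-writable paths and regular files outside cgi-bin that carry an execute bit, then removes those bits. The directory layout, file names and function names are constructed for this illustration.

```sh
#!/bin/sh
# Added example (not from the thread): audit a web root for mode bits it does not need.
# The directory layout and file names below are constructed for the demo.

# world_writable DIR: files and directories under DIR that "others" may write to.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 | sort
}

# needless_exec DIR: regular files outside DIR/cgi-bin with any execute bit set.
needless_exec() {
    find "$1" -path "$1/cgi-bin" -prune -o -type f \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print | sort
}

# tighten DIR: remove world write everywhere and execute on non-CGI regular files.
tighten() {
    world_writable "$1" | while IFS= read -r p; do chmod o-w "$p"; done
    needless_exec "$1" | while IFS= read -r p; do chmod a-x "$p"; done
}

# make_sample_tree DIR: build the constructed web root used for the demo.
make_sample_tree() {
    mkdir -p "$1/cgi-bin" "$1/uploads"
    : > "$1/index.php";          chmod 755 "$1/index.php"           # parsed, x not needed
    : > "$1/config.php";         chmod 644 "$1/config.php"          # already fine
    : > "$1/cgi-bin/form.cgi";   chmod 755 "$1/cgi-bin/form.cgi"    # CGI really is executed
    : > "$1/uploads/avatar.png"; chmod 777 "$1/uploads/avatar.png"  # writable by anyone
    chmod 755 "$1" "$1/cgi-bin"
    chmod 777 "$1/uploads"                                          # writable by anyone
}

root="$(mktemp -d)/www"
make_sample_tree "$root"
echo "world-writable:";              world_writable "$root"
echo "execute bit outside cgi-bin:"; needless_exec "$root"
tighten "$root"
echo "after tighten:";               ls -lR "$root"
```

Directories keep their execute bit because `needless_exec` only matches regular files; pass the web root without a trailing slash so the cgi-bin exclusion matches.
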
cooper Posted November 19, 2007

> Well then what's the best CHMOD? 755

There is no 1-size-fits-all. Understand what you're doing, or don't muck around with it on something you value. The best CHMOD is the one that gives the minimum required set of rights. Anything over that is unnecessary and should be avoided.

> I CHMODDED myself so I have no permissions to the file, what the heck do I do?!? Ouchies! First off why did you do that? Find a backup of the file or try to download it to your system and chmod it as root.

Um... What? How the hell do you chmod 'yourself'? And if you give a file the wrong permissions, rerun chmod to give it the right permissions. Why put back a backup of a file after changing the mode bits? If you can replace the file, you can change the mode bits. If you need to be root (don't see how given your webserver scenario, but let's assume) just become root and change the bits. I don't see where the need for a backup comes in.

> My Web server has been attacked and my host blames my CHMOD's! Blame your host for not setting up the groups correctly!

Or apply a brick to your face repeatedly for changing them yourself without being aware of what you were doing.

cmh0101 Posted November 19, 2007

> This can be argued. I will explain... Usually a file chmodded to 644 is a file at installation, example: a forum install. After this they are most likely defaulted to 755. Why limit yourself, the owner should always have 7, and read only for groups and public is not always a smart move.

I know RHEL (at least version 5) does not allow you to configure umask to allow executable permissions on new files. They strictly do this for security reasons, which is definitely a must in a corporate environment. If fewer files are executable then there will be less likely a chance of someone being able to exploit your system. Now whether you choose to give new files the execute permission with chmod command is obviously entirely up to the views of the user.