Tuesday, 28 June 2011

Check Web-Site Permissions

I had to refresh a client's website recently; in a rather quaint way, the front-end consists of a set of static pages containing the general company info while the back-end holding the day-to-day business data is in a third party content management database.

I cheated (creatively) in creating a 'staging' area on the Linux server in which to edit and test the front-end changes which I would then promote to 'live' - which dropped me straight into a set of file permission issues. This is good, since it proves the server has a measure of security; nobody gets to read, write or execute files without the correct file permissions. Fine, as long as you know what they are and how to set them.

The first indication that file permissions are incorrect is when you upload files to your server and can't see or run them. At this point, check whether the permissions on your site appear to be valid. Such a check will:
  • Check that the permissions make any sense at all, e.g. that a directory is accessible or that a script is executable
  • Check for conditions which would make the web server refuse to run a script for security reasons
  • Check for permissions which are likely to lead to security problems on your site.
If you have any kind of server management console or a decent FTP (File Transfer Protocol) program such as FileZilla, you should be able to see the permissions, either in the main file listing panel or by right-clicking for 'properties', 'attributes' or 'permissions' for each file.

With luck, you get a grid view showing permissions for read, write and execute; in an old-school environment you will instead see Unix-like permission codes, written as 3-digit identifiers.

In some cases there might be a genuine need to have unusual permissions. However, lots of scripts assume an insecure environment in which all sites on a server run as the same user - such scripts will tend to want permissions like 777 and 666 which are not appropriate to a production environment. 

Permissions you will see listed include:
  • 755 This allows everyone to read and execute (or enter, for directories). Appropriate for CGI scripts and directories where you don't mind people knowing what's in there.
  • 711 Only you (and your scripts) can read the contents, but everyone can execute/enter. Appropriate for directories which the web server needs to access but you don't want everybody seeing what's in there.
  • 700 Only you/your scripts can do anything. Appropriate for directories which you don't want to be web-accessible but do use, e.g. to contain data files for your scripts.
  • 644 Allows everyone to read. Appropriate for non-script files which you intend people to access on the web, e.g. HTML, CSS.
  • 600 Only you/your scripts can read. Appropriate for script include or data files which you don't want people to access directly on the web.
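The checks described above can be scripted rather than clicked through file by file. The following is an added example, not part of the original post; it assumes scripts are named `*.cgi` or `*.pl` and static files `*.html` or `*.css`, and it runs against a constructed sample tree.

```shell
#!/bin/sh
# Added example: flag the permission problems discussed in this post.
# Assumptions: scripts are *.cgi/*.pl, static files are *.html/*.css.

audit_webroot() {
    root=$1
    # Writable by everyone (the "other" write bit, as in 666 and 777).
    find "$root" \( -type f -o -type d \) -perm -002 -print |
        sed 's/^/WORLD-WRITABLE /'
    # Scripts without the owner execute bit cannot be run by the server.
    find "$root" -type f \( -name '*.cgi' -o -name '*.pl' \) \
        ! -perm -100 -print | sed 's/^/NOT-EXECUTABLE /'
    # Static files belong at 644 or 600; an execute bit on them is a mistake.
    find "$root" -type f \( -name '*.html' -o -name '*.css' \) \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
        sed 's/^/EXECUTABLE-STATIC /'
}

# Build a constructed sample site in a temporary directory and print its path.
make_sample_site() {
    site=$(mktemp -d)
    mkdir "$site/cgi-bin" "$site/uploads" "$site/data"
    : > "$site/index.html";       chmod 644 "$site/index.html"
    : > "$site/style.css";        chmod 755 "$site/style.css"
    : > "$site/cgi-bin/form.cgi"; chmod 755 "$site/cgi-bin/form.cgi"
    : > "$site/cgi-bin/mail.cgi"; chmod 644 "$site/cgi-bin/mail.cgi"
    : > "$site/data/orders.dat";  chmod 666 "$site/data/orders.dat"
    chmod 755 "$site" "$site/cgi-bin"
    chmod 777 "$site/uploads"
    chmod 700 "$site/data"
    echo "$site"
}

demo=$(make_sample_site)
audit_webroot "$demo"
rm -rf "$demo"
```

On the sample tree this reports the 777 uploads directory, the 666 data file, the CGI script left at 644 and the stylesheet left at 755.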
You should be able to work out which permissions to apply to server-side or administrator functions versus client-side or user functions. Remember, if in doubt, lock it down. RC
