The command

    $ ls -l

for example, can return a listing of the form

    total 24
    drwxrwxr-x 2 diego diego 4096 feb 2 11:16 logs
    drwxrwxr-x 2 diego diego 4096 feb 5 13:42 __pycache__
    -rw-rw-r-- 1 diego diego 185 feb 5 13:40 app.py
    drwxrwxr-x 2 diego diego 4096 feb 5 13:34 templates
    drwxrwxr-x 6 diego diego 4096 feb 2 10:55 venv
    -rw-rw-r-- 1 diego diego 64 feb 5 13:41 wsgi.py
A good way to understand the first column (the permissions) is to think of each letter as having an integer value:

    r = 4 # read permission
    w = 2 # write permission
    x = 1 # execute permission (for a directory: permission to enter it and reach its entries)

So a mode such as drwxrwxr-x 2 can be read as three groups of permissions for three different classes (User, Group, Everyone Else):

    d|rwx|rwx|r-x|2 = d|(4+2+1)|(4+2+1)|(4+1)|2
Here,
- d means that the file is a directory; - in that position means that it is a regular file.
- rwx (7) is the value for the User permissions. The user can read, write, and list files in this directory.
- The same holds for the Group permissions.
- However, every other user does not have write permission, since the w is missing (the sum is 5).
- 2 is the number of hard links this file has. An explanation of hard links can be read here. See the differences with soft links in here.
An example of a common permission granted with chmod is 755, or rwxr-xr-x. Here,
- User has complete control of the file.
- Group members can read and execute, but not modify.
- Everyone else can read and execute, but not modify.
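The rwx arithmetic above worked as code, as an added example that is not part of the original page: a small parser for the mode column of `ls -l` (the listing it reads is constructed) that converts between the symbolic and octal forms and flags entries whose "other" class holds the write bit, the 777/666 case.

```python
# Added example (not from the original page): the rwx arithmetic above as code.
BIT_VALUE = {"r": 4, "w": 2, "x": 1}

# Constructed sample listing in the same layout as the `ls -l` output above;
# 'uploads' and 'test' are deliberately 777/666 so the check has something to find.
SAMPLE_LISTING = """\
total 16
drwxrwxr-x 2 diego diego 4096 feb  2 11:16 logs
-rw-rw-r-- 1 diego diego  185 feb  5 13:40 app.py
drwxrwxrwx 2 marco marco 4096 feb  5 13:34 uploads
-rw-rw-rw- 1 marco marco    0 feb  5 13:41 test
"""

def mode_to_octal(mode):
    """'drwxr-xr-x' -> '755'. Plain rwx bits only; setuid/setgid/sticky (s, S, t, T) are rejected."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character ls mode field, got %r" % mode)
    digits = []
    for start in (1, 4, 7):  # user, group, other triplets
        value = 0
        for ch in mode[start:start + 3]:
            if ch == "-":
                continue
            if ch not in BIT_VALUE:
                raise ValueError("unsupported mode character %r in %r" % (ch, mode))
            value += BIT_VALUE[ch]
        digits.append(str(value))
    return "".join(digits)

def octal_to_mode(octal):
    """Inverse mapping: '755' -> 'rwxr-xr-x'."""
    out = []
    for digit in octal:
        n = int(digit, 8)
        out.append(("r" if n & 4 else "-") + ("w" if n & 2 else "-") + ("x" if n & 1 else "-"))
    return "".join(out)

def find_world_writable(listing):
    """Return (name, octal) for entries whose 'other' class can write: the 777/666 cases."""
    hits = []
    for line in listing.splitlines():
        if not line or line.startswith("total"):
            continue
        fields = line.split(None, 8)  # mode, links, owner, group, size, month, day, time, name
        mode, name = fields[0], fields[-1]
        if mode[8] == "w":  # index 8 is the write bit of the 'other' triplet
            hits.append((name, mode_to_octal(mode)))
    return hits
```

Running `find_world_writable(SAMPLE_LISTING)` reports `uploads` (777) and `test` (666), while the 775/664 entries pass.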
Note that in production environments chmod should be as restrictive as possible, and as per this SO post:

777 is a bad permission in general and I'll show you why. Despite how it may look in a Casino or Las Vegas, 777 doesn't mean jackpot for you. Rather, jackpot for anyone who wishes to modify your files. 777 (and its ugly cousin 666) allow Read and Write permissions (and in the case of 777, Execute) to other. You can learn more about how file permissions work, but in short there are three groups of permissions: owner, group, and other. By setting the permission to 6 or 7 (rw- or rwx) for other you give any user the ability to edit and manipulate those files and folders. Typically, as you can imagine, this is bad for security.
Here's my example:
    marco@desktop:~/Projects/AskUbuntu/20105$ cd ..
    marco@desktop:~/Projects/AskUbuntu$ chmod 0777 20105
    marco@desktop:~/Projects/AskUbuntu$ cd 20105/
    marco@desktop:~/Projects/AskUbuntu/20105$ ls -lah
    total 8.0K
    drwxrwxrwx 2 marco marco 4.0K 2011-01-04 20:32 .
    drwxr-xr-x 3 marco marco 4.0K 2011-01-04 20:32 ..
    marco@desktop:~/Projects/AskUbuntu/20105$ touch test
    marco@desktop:~/Projects/AskUbuntu/20105$ chmod 0666 test
So far I have created a folder and made a file with "bad" permissions (777 and 666). Now I'll switch into another user and try to manipulate those files.
    marco@desktop:~/Projects/AskUbuntu/20105$ sudo su - malicious
    malicious@desktop:~$ cd /home/marco/Projects/AskUbuntu/20105
    malicious@desktop:/home/marco/Projects/AskUbuntu/20105$ ls
    test
    malicious@desktop:/home/marco/Projects/AskUbuntu/20105$ ls -lah
    total 8.0K
    drwxrwxrwx 2 marco marco 4.0K 2011-01-04 20:33 .
    drwxr-xr-x 3 marco marco 4.0K 2011-01-04 20:32 ..
    -rw-rw-rw- 1 marco marco 0 2011-01-04 20:33 test
    malicious@desktop:/home/marco/Projects/AskUbuntu/20105$ touch bad
    malicious@desktop:/home/marco/Projects/AskUbuntu/20105$ echo "OVERWRITE" > test
    malicious@desktop:/home/marco/Projects/AskUbuntu/20105$ cat test
    OVERWRITE
As this "malicious" user I was able to place files into the directory and inject text into already existent files. Whereas below, in a directory with 755 and files with 644, I am able to see inside files and directories but I cannot edit the files nor create new ones:

    malicious@desktop:/home/marco/Projects/AskUbuntu/20105$ cd /home/marco/Projects
    malicious@desktop:/home/marco/Projects$ touch hey
    touch: cannot touch `hey': Permission denied
For Apache permissions, you're going to want to stick to 0755 and 0644 (AKA umask 022) for folders and files respectively. This allows you, as the owner of the files, to edit and manipulate them while giving Apache the bare minimum levels of access needed to operate.