Monday, November 23, 2009

chmod and chown 777

SkyHi @ Monday, November 23, 2009
There is no "CHOWN 777". CHOWN is "change owner".

CHOWN new-owner filename changes the ownership of a file to another user of the file system (in this case either yourself or apache), and this command is only available to your server's admins. So, they essentially offered you to change the owner of the files to yourself or to apache. Your options are:

(a) If the owner of drupal's files directory is apache. then the directory can be set to 755 and apache still can read it (because if apache owns it then apache is the first digit of 755).

So, no need for 777, and the other users of your server (or even you) won't be able to write to this directory directly (only through a php script like Drupal, because php scripts write as user apache).

The downside is inconvenience: you won't be able to write into this 755 directory yourself, or to delete it, or to chmod it, except if you do it through a php script or if you ask your host to do what you want every time.

(b) If the owner is yourself you have full control of the file to do whatever you want, but then apache can write only if you CHMOD it to 777.

Your choice. I would take (b).

Although rusty has clarified all the tech things related to chown and chmod, let me put additional help - if it is.

First, you need to to know what chown is and what chmod is (perhaps you already know it as well)

chown, in simple words relates to "Who owns the file / directory etc." i.e. CHange OWNership ... right

chmod, on the other hand refers to "Who all can do what all things" - i.e. what owner can do, what his associates (in the group) can do and finally, what all everybody else can do...

Right... Now, what happens is this - You say that you own the file, directory etc... Correct, you surely do. However when the program runs, (the web server executes / parses the drupal or any other script) , the important point to note is - that it is not YOU who is doing the operations (reading / writing etc.) it the the web server (maybe Apache) ... so here is the difference. The files appears to be owned by you, (and they are) but they need to WORKED upon by someone else (apache) who is neither you, nor your group member. The necessary condition (usually) is that WEB SERVER NEEDS TO WRITE, - it's up to you to decide how you permit it.

So, what is the solution? Either you make those directories / files owned by Apache (not you) with your own rights limited to what would be the rights of the world (all users) - i.e. all other users including yourself have a limited right of viewing . chown to web server user name

Or the other alternative is, let yourself be the owner and allow all users do anything (that includes web server too) - chmod 777

Thus, there is nothing like chown 777 (unless 777 refers to user id ;)

So, either of these would let web server write to those directories, where it wants to. The dilemma has to be solved by you - the first approach is a bit more secure but perhaps less inconvenient (you may not create files, yourself for any reason, whatever it may be) and the second solution is more convenient, allowing complete freedom to all, albeit with security risk.

If the writable directory contains, temp file and not very vulnerable data, perhaps I'd go with second option (at least for the initial period)