suPHP Requires 755 Permissions

[mbwmbw]

Hi All,

I am having trouble with suPHP. Realistically it should only require 700 permissions since it runs as the user; however, I know .htaccess are read by the Litespeed application itself, and not the suPHP process.

Here's the folder structure.
/home/user/public_html user / nobody (700)
/home/user/public_html/support user/user (700)
/home/user/public_html/support/.htaccess user/user 755

However, LiteSpeed still has issues reading the .htaccess file unless the folder containing it and all files in it are 755 permission.

Why does suPHP require 755 permission to run? I also noticed any static cache items such as .txt require 755 or they will not open.

I am running cPanel/WHM.

What is the least permissions I can use on the folders and files? I also tried just setting the .htaccess to 755 but it required the containing folder to be 755 as well...

Regards,

Michael

 

[NiteWave]

/home/user/public_html user / nobody (700)
/home/user/public_html/support user/user (700)
/home/user/public_html/support/.htaccess user/user 755

on a WHM/cPanel, it should be
/home/user/public_html user / nobody (750)
/home/user/public_html/support user/user (755)
/home/user/public_html/support/.htaccess user/user 750

so except home /home/user/public_html, all sub folders should have 755 permission, all files need 750 permission only instead of 755

 

[mbwmbw]

Thank you for the quick reply! Good to know!

What's the point of using suPHP then if all files need 755 permission instead of 700? Isn't the goal of suPHP to limit the need for such extensive permissions?

Michael

 

[NiteWave]

on a WHM/cPanel, it should be
/home/user/public_html user / nobody (750)

this is a must and WHM/cPanel has formal document about it. you can ignore other suggestions in my 1st reply.

considering static files, like image/js/css, are served by web server which usually run as nobody, you must let nobody user to read these files, so
1) if static files directly under /home/user/public_html, the minimal permission should be 640
2) if static files under /home/user/public_html/subfolder, the minimal file permission is 604
it's complex for file permission to have 2 choices (php script may move generated static files between folders), so all files keep 644 should be safe and convenient.

for .php files, the minimal file permission is 600.(if you don't want a .php being overwritten by user / user, then it could be 400)

 

[mbwmbw]

Hi,

*** EDITED POST ***

You are correct regarding cPanel. I've set all Folders to 755 and files to 644. This has worked perfectly and locked down the files.

find * -type d -print0 | xargs -0 chmod 0755 # for directories
find . -type f -print0 | xargs -0 chmod 0644 # for files

Important Question: From a security perspective is it better to change all subfolders/files to have a group of NOBODY so that the permissions for "ALL USERS" can be set to none?

Realistically this doesn't matter much for us because we use CageFS but I am more of a semantic arguer.

Thanks again for your help.

Michael

 

[NiteWave]

so that the permissions for "ALL USERS" can be set to none?

there are many existing control panels, WHM/cPanel is the biggest one. each control panel may have different styles regarding file/directory permissions. you can also not to use any control panel, and defines a set of rules regarding file/directory ownership / permission. in other words, there is no unique answer regarding this question.

just as example of cPanel. they may have other reasons why prefer 755 instead of 750. You may ask them the detail reasons or most likely the answer already there in their formal document.

cPanel's way

/home/user/public_html user / nobody (750)

is smart. so other users ( i.e., all users except user and nobody) can't enter directory /home/user/public_html, this prevent other users read/write/execute any files under /home/user/public_html tree. cPanel only set and monitor 1 directory's owner / permission, this is much easier to manage.