    Hi,
    I got WP running and all is working. And I understand that weblogs.com cache must have 666 permissions and the images directory must have 766 permissions, I have done that. But as I am somewhat new to this, I need some help with securing my website, please…
    My WP installation is inside a folder called “WP” in my “PUBLIC_HTML” directory in my host. Now for the questions:
    1. Does my WP directory have to be set to 755? It is currently 750.
    2. Except for the above said, all the directories inside my WP directory are set to 755, and all the files are set to 644. Now this is the important one: what are the most restrictive permissions I can set for all WP files and directories and still have my blog working?
    Thanks!

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter eddie

    (@eddie)

    Hi,
    Please, would you explain what would be the effect of that? I understand that chmod changes the mode, -R means recursively, but after reading the man page I couldn’t really predict what happens from the go+r argument. I can tell what a numeric mode means, but not yet what an operator will do…
    Also, I have no idea what XMLRPC is.
    On the bright side, still no hacks implemented!
    Thank you for your help.

    Most restrictive working permissions? I’ll assume that you still want to be able to make changes to the files yourself….
    Most files will need to at least have: rw----r-- (octal 0604). This lets you read and write the files, allows the web server to read them, and blocks all access for other users in the same group as you. Usually you use 0644, which allows group read, but you asked for most restrictive 🙂
    Next: if you want to use the weblogs.com.cache file, you’ll want it to at least be rw----rw-, or 0606, which allows the web server process to write changes to it.
    Lastly: if you want to be able to upload images via the web interface, your images directory will need to at least be rwx----wx, or 0703, which gives the owner full permissions and gives the web server write and “access” permission (on directories, the ‘x’ bit means that you can access the files under the directory, but you can’t read the directory’s table of contents). Actually, I’m not positive that the web server might not need read permissions for the directory. So if those permissions seem to cause problems, use 0707 instead.
    Okay, one other thing: If you want to be able to modify your template files (index.php, wp-layout.css, etc) via the web interface, then you’ll need to add write permissions for ‘other’ on those, as well (rw----rw-, or 0606).
    BTW, the ‘go+r’ format means “group and other, add read permissions”. This shorthand format is very useful when you just need to alter existing permissions on a group of files. There are single-letter flags for ‘user’, ‘group’, and ‘other’. So, you can recursively restrict permissions via ‘chown -R mydir go-wx’ (which removes write and execute permissions for anyone but the owning user).
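The following is an added example and is not code from this thread or from WordPress. It builds a throwaway directory tree that mimics the layout discussed (public_html/wp with a weblogs.com.cache file and an images directory), applies the modes Dougal lists (0604 for files, 0606 for the cache, 0703 for the images directory; 0705 for the remaining directories is an assumption, the restrictive analogue of 755), and then audits the tree for anything writable by “other”, which is the class the web server falls into, that is not on the expected list. The audit is the check a practitioner wants after chmod-ing a web root: a code file that has drifted to world-writable shows up immediately. It needs a POSIX sh, find, chmod and ls, and runs entirely under a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread). Constructs a sample WP-like tree,
# applies the restrictive modes discussed above, and audits for paths that
# are writable by "other" but are not expected to be.

# Build the constructed sample tree under a temp dir and print its root.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/public_html/wp/images"
  printf '<?php\n' > "$root/public_html/wp/index.php"
  : > "$root/public_html/wp/wp-layout.css"
  : > "$root/public_html/wp/weblogs.com.cache"
  echo "$root"
}

# Apply the modes from the thread to the wp directory given as $1:
#   0604 ordinary files      (owner rw, other r: web server can read)
#   0705 ordinary directories (assumption: owner rwx, other rx to traverse)
#   0606 weblogs.com.cache   (web server may write the cache)
#   0703 images/             (web server may create files, not list them)
apply_restrictive_modes() {
  wp=$1
  find "$wp" -type f -exec chmod 0604 {} +
  find "$wp" -type d -exec chmod 0705 {} +
  chmod 0606 "$wp/weblogs.com.cache"
  chmod 0703 "$wp/images"
}

# Print every path under $1 that is writable by "other", skipping the two
# entries the thread says must be (the cache file and the images directory).
# -perm -002 matches any entry whose mode includes the other-write bit.
audit_other_writable() {
  wp=$1
  find "$wp" -perm -002 ! -name weblogs.com.cache ! -name images
}

# Print the symbolic mode string (first ten columns of ls -ld) for a path.
mode_of() {
  ls -ld "$1" | cut -c1-10
}

main() {
  root=$(make_sample_tree)
  wp=$root/public_html/wp
  apply_restrictive_modes "$wp"
  echo "images dir: $(mode_of "$wp/images")"
  echo "cache file: $(mode_of "$wp/weblogs.com.cache")"
  echo "unexpected other-writable paths after hardening (expect none):"
  audit_other_writable "$wp"
  # Simulate the drift eddie worries about: a code file left world-writable.
  chmod 0606 "$wp/index.php"
  echo "after loosening index.php (expect it to be listed):"
  audit_other_writable "$wp"
  rm -rf "$root"
}
main
```

The audit deliberately reports by exception: anything world-writable that is not the cache file or the images directory is treated as a finding, so the list should be empty on a correctly hardened tree and grow by exactly one line when a template or code file is opened up for web editing.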

    😛 What dougal said! Wow, I should add your post to my website of good tutorials! Good explaining!

    Thread Starter eddie

    (@eddie)

    Hi Dougal,
    Thank you for your detailed answer.
    Please bear with me: from it I understand that most FILES must allow “others” to read and write to them – and that the web server is regarded as “others” (that is a surprise to me). Am I right? If I am right up to now: if I let “others” read and write to the files then I guess it doesn’t make any difference for security to let “group” too, that makes 0644.
    As for DIRECTORIES: my WP installation is inside a public_html/wp/ directory. I understood that the web server is regarded as “others” and also that it must be able to write to most files (from the above paragraph, if it is right). So I must conclude that the web server and all “others” must have permissions to write and access most or all directories in the installation, so it would be 0703 for most or all directories (or 0733 if I don’t mind the “group”)? If it must be 0703 and it is about the same being 0733 – and if anyone can get WP and know the filenames for the code files, then it doesn’t matter if “others” can or not read the directories’ tables of contents, and I can just use 755 anyway…
    Well, what I was thinking about when I first asked was: if “others” can read and write to the code files in my installation, and if anyone can know the filenames used (as WP is freely available) and “others” can access the directories, then any ill-intentioned individual can just alter the code in any way he likes!
    Am I being paranoid here? Sorry for the hassle, this is my first go with servers and all, and I only know a little about permissions from using Mac OS X.
    Thanks again.

    lazyweb invocation – a script that tightens wordpress security

    The topic ‘need help with file permissions’ is closed to new replies.