tags:

views:

318

answers:

3
+1  Q: 

Unix permissions, read vs. execute (PHP context)

I have a php script which needs to connect to a database. The credentials for the database are stored in another php script.

If I set the permissions for the credentials file to 661 so that Public has execute permission but not read permission, does this allow the main script to access the credentials and connect to the DB while preventing someone with a user account on the server from viewing the contents of the credentials file?

I guess I'm confused as to the distinction between read and execute. Does a php script (running as www or something similar) need read-permission to include another php script and use any content inside? Or does it just need execute? Does read permission implicitly give execute permission?

Sub-Question: If I set all of my scripts to only have execute permission and not read, are there any pitfalls I should expect? This is assuming that I will leave any files I need explicit read permission (data files) set to read.

+1  A: 

Scripts are read, not executed. Execute permission for scripts tells the loader or kernel to read the shebang line and pass the script to the named interpreter.

Ignacio Vazquez-Abrams  2010-01-06 02:36:46
So if I have a script in a folder called "secrets" and have secrets set to execute-only, can someone who once had read-access to secrets (but now doesn't) plug a file name in directly to something like nano and still see the contents? This is my real concern, I guess.
Anthony  2010-01-06 02:40:17
If "secrets" is a script then it can't be run if the user running the interpreter does not have read access to the script. Whatever permissions it used to have is irrelevant; the only time the permissions matter is when the file is opened, either for reading or for running.
Ignacio Vazquez-Abrams  2010-01-06 02:42:53
A: 

As far as files are concerned, execute permission is irrelevant to you - the user account your web server is running under needs permission to access and read the files in question. In order to traverse into a directory, the user will also require execute permission on that directory.

If you are trying to make your scripts readable by the web server (let's say you're running as the account "www" which belongs to group "www"), and not by other users on the system, here's what I would do (assumes your account is "myuser"):

# Change owner to "myuser" and group to "www" for file(s) in question
chown myuser:www config.php

# 640: myuser has rw-, www has r--, world has ---
chmod 640 config.php

If you want to prevent the world from reading any file in a "secrets" directory, just disable the execute bit:

# 750: myuser has rwx, www has r-x, world has ---
chmod 750 secrets

If you set all your scripts to have execute permission but not read permission, nobody can do anything useful with them (including the webserver) ;-)

pix0r  2010-01-06 02:49:21
Note that if other users have access to run their own PHP code thru the web server then this won't stop them. In that case maybe look at open_basedir or a solution that allows you to run different vhosts/apps as different users.
oops  2010-01-06 02:53:59
Yeah, on closer inspection, I found that www was a member of the group for the directory I was basing my confusion on. I wasn't trying to hack it, I just wanted to emulate what they had done but without just mirroring it.
Anthony  2010-01-06 03:31:39
+1  A: 

Here are a couple of clear tables on what the permissions bits mean on a Unix machine. Unfortunately, scripts must be at least readable in order for them to run, but usually only by the webserver and webmaster.

 2010-01-06 03:30:45

related questions

Obscuring network proxy password in plain text files on Linux/UNIX-likes
Why doesn't **find** find anything?
Getting stack traces on Unix systems, automatically
Differences between unix and windows files
How do you do a case insensitive search using a pattern modifier using less ?
Using Visual Studio to develop for C++ for Unix
How do I generate ASCII codes 2 and 3 in a Bash command line?
What's in your .procmailrc
Allow user to set up an SSH tunnel, but nothing else
What is PHP Safe Mode GID?
How to avoid redefining VERSION, PACKAGE, etc.
How can I encode xml files to xfdl (base64-gzip)?
Faster way to find duplicates conditioned by time
Date arithmetic in Unix shell scripts
Using Xming X Window Server over a VPN
Windows Equivalent of 'nice'
How do I configure and communicate with a serial port?
Choosing a static code analysis tool
What should a longtime Windows user know when starting to use Linux?
How do I use (n)curses in Ruby?
Process size on UNIX
Getting root permissions on a file inside of vi?
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
Fastest way to get value of pi