Filesystem permissions

To restrict access to files and folders, any reasonable file system supports the concept of file system permissions. The most basic form is the traditional Unix permissions (and these are what you will most likely be dealing with on your web server). Often we just talk about “write permissions”, which is not quite correct, but mostly what we mean.

Basically, each file and folder has three attributes:

• readable (value = 4)
• writable (value = 2)
• executable (value = 1)

In CMSimple_XH no file needs to be executable, but most folders do (for folders, executable means that the content of the folder can be accessed). The numbers in brackets are the values for the corresponding attribute.

The individual values are now added to obtain the total authorizations. Examples:

• 4 = 4 + 0 + 0 = readable, but neither writable nor executable
• 5 = 4 + 0 + 1 = readable and executable, but not writable
• 6 = 4 + 2 + 0 = readable and writable, but not executable
• 7 = 4 + 2 + 1 = readable, writable and executable

Furthermore, each file and folder has an owner and belongs to a group. The permissions can be set individually for the owner, the group (i.e., all users who are members of this group) and for everyone. So the permissions for a file are noted as three digits.1)

For example, 640 means that the file owner can read and write to the file, any member of the file group can only read the file, and all other users cannot even read it.

This sounds a bit complicated, but in practice it is quite simple, since it is only relevant whether a file or folder is writable or not:

• Files: 4 (write-protected) resp. 6 (writable)
• Folder: 5 (write-protected) resp. 7 (writable)

And it is important which user accesses the file: the owner or someone else. This depends on how PHP is running on the web server. If it is running as FastCGI, then the user is usually the owner of the file, otherwise it is not. You can check the PHP info under “Server API” to see how this is handled on your server.

1) Actually this is an octal number, typically written as, e.g., 0755. For simplification, we will omit the leading zero in the following.

Conclusion

Normally you can rely on the fact that the FTP program and the server settings automatically set all rights correctly, and you don't have to do anything. Only with special configurations, problems and warning messages occur. For these cases, the following “rules of thumb” apply:

If the user is also the owner of the file (for FastCGI), it is sufficient to assign the write permissions only for the owner:

• Folder: 555 (write-protected) resp. 755  (writable)
• Files: 444 (write-protected) resp. 644 (writable)

Otherwise, the write permissions should be assigned “for everyone”:

• Folder: 555 (write-protected) resp. 777 (writable)
• Files: 444 (write-protected) resp. 666 (writable)

If you’re not sure, just try it ;-)

Changing the permissions

The file system permissions can be changed with any reasonable FTP program. How to do this exactly depends on the FTP program (read the documentation!).

Security

Of course, you could give full permissions (i.e., 777) to all files and folders, and CMSimple_XH will work fine. But this compromises security, as others may be able to change a file that should not be changed. Therefore, for maximum security, only the necessary permissions should be given, i.e., all files and folders, except those that need to be writable, should be read-only. Which files and folders need write permissions is explained in the Installation article.