What are the file permissions? (III)

Friday, 10 August 2012 02:38

Over the last two days we have spent some time talking about file and folder permissions, with the aim of explaining what they are for and the notation commonly used for them (which sometimes causes the occasional headache with bits and octal numbers). As mentioned at the start of this series, permissions are an access control mechanism that ensures files and folders can be accessed only by the users and groups we have defined, by setting rules for the file's owner, the owning group and the other users of a Unix, Mac OS X or Linux system (the latter two being POSIX compatible).


Now that we have the concept and the notation under control, the next step is to put this resource to proper use to improve the security of our system. As a practical application we will focus on WordPress and on what could be considered an optimal permission configuration.

General Guidelines

In the case of WordPress, poor management of file and folder permissions can be the source of more than one headache, since this kind of mistake can be exploited by people with bad intentions, for example to insert malicious code into our website (for which Google may penalize us and block access from Chrome).

On the vast majority of Linux hosting services, users have some kind of control panel to manage the web, the files and their permissions (in addition to access via SSH or FTP), so at any time we have the chance to make any kind of change without much complication. In general, the following guidelines are recommended:

  • Files have 644 permissions, i.e. rw-r--r--
  • Directories have 755 permissions, i.e. rwxr-xr-x

Apart from temporary exceptions, which should never become permanent, we should not change this scheme to make it looser and more permeable. In rare cases it may be necessary for users other than the directory's owner to write to it, and we may have to grant more permissions, up to the "number of the beast": 777.

777, the damned permission

Permissions of 777 amount to rwxrwxrwx, i.e. full permissions for all users, and on a website that is a significant security hole that leaves our WordPress fully exposed. We should strongly avoid using such permissions, because someone could drop an executable script into that folder and cause enormous damage, since we are giving full control to all users.

In general, if a WordPress plugin were to require such permissions, the first thing to ask is whether we are facing a trap, because this requirement is excessive and potentially dangerous. In fact, we may come across applications (or developments) that tell us they need this type of permissions so that users can upload files to a specific folder on our server. If that is really necessary, and no alternative exists, it will be important to use a .htaccess file that prevents someone from, for example, uploading executable code:

  # Refuse to serve any .php file from this folder
  <Files *.php>
  Order Deny,Allow
  Deny from all
  </Files>

But, as far as possible, avoid using 777 permissions.

Improving the security of our hosting

While the general rule is to assign 644 permissions to files and 755 to directories, WordPress recommends that we review the permissions of some critical files and apply special rules to improve the security of our blog:

  • The file wp-config.php, found in the WordPress root and containing the connection parameters for our database, should have 600 permissions, i.e. rw-------: read and write permission for the owner only.
  • The .htaccess file we are using (which also serves as a security measure) should have 604 permissions, i.e. rw----r--: read and write for the owner (there are plugins that can help us change it) and read for other users.
  • The php.ini file, with which we can apply PHP-specific settings to the folders of our hosting at the level of that file and below, should also have 600 permissions, i.e. rw-------: read and write for the owner only.
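As an added example (not part of the original article), the following Python script walks a WordPress installation and reports every file or directory whose mode differs from the general 644/755 guideline or from the special cases above for wp-config.php, .htaccess and php.ini. The sample tree it builds is constructed for the demonstration, and the script checks mode bits only, not ownership.

```python
import os
import stat
import tempfile

# Guideline modes from the article: 644 files, 755 directories, stricter for a few files.
DEFAULT_FILE_MODE = 0o644
DEFAULT_DIR_MODE = 0o755
SPECIAL_FILE_MODES = {
    "wp-config.php": 0o600,
    ".htaccess": 0o604,
    "php.ini": 0o600,
}

def expected_mode(path, is_dir):
    """Mode the guidelines call for at this path."""
    if is_dir:
        return DEFAULT_DIR_MODE
    return SPECIAL_FILE_MODES.get(os.path.basename(path), DEFAULT_FILE_MODE)

def audit_permissions(root):
    """Walk root; return sorted (relative path, actual, expected) for every entry
    whose mode bits differ from the guideline. Symlinks are skipped, not followed."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        entries = [(dirpath, True)] + [(os.path.join(dirpath, f), False) for f in files]
        for path, is_dir in entries:
            if os.path.islink(path):
                continue
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            wanted = expected_mode(path, is_dir)
            if actual != wanted:
                findings.append((os.path.relpath(path, root), actual, wanted))
    return sorted(findings)

def world_writable(findings):
    """Findings where 'others' may write: the 777-style holes to fix first."""
    return [f for f in findings if f[1] & stat.S_IWOTH]

def build_sample_tree():
    """Constructed sample install (hypothetical): world-writable uploads/, wp-config.php at 644."""
    root = tempfile.mkdtemp(prefix="wp-")
    os.chmod(root, 0o755)
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)
    for name, mode in [("index.php", 0o644), ("wp-config.php", 0o644),
                       (".htaccess", 0o604), ("uploads/a.txt", 0o666)]:
        open(os.path.join(root, name), "w").close()
        os.chmod(os.path.join(root, name), mode)
    return root
```

Running audit_permissions on the document root of a real installation lists what needs a chmod; world_writable picks out the entries that should be fixed first.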

Some support tools

While we can check the permissions of our WordPress by accessing the management tools our hosting provider makes available to us, we can also perform such checks from our blog's administration thanks to some security-focused extensions which, among their features, check directory and file permissions:

Among the many extensions available, it is worth checking out WP Security Scan, WebsiteDefender WordPress Security and File Permissions & Size Check. And since there are times when interventions by the hosting provider affect permissions, it is worth reviewing the permissions of our installation from time to time.

Picture: Uninform
