How should file permissions be set?


#1

Dear everyone,
I have been searching this subject for a few days but could not get a straight forward answer.

While installation of OJS, the permission of config file, Public folder and chache folder is set to 777.
What should be the permission of these files/folders once the installation is complete.

Regards
@anupent


Writable file and folders
Security issue: Hacking via submission in OJS 2.4.8
OJS 3.0.2 Installation problem
Issues after update to ojs-3.0.2 (file upload, new submission not working)
DB Error: Unknown column 'context_id' in 'on clause'
OJS 3.0.2.0 installation issue
Recommended Hosting Environment for OJS 3.0.2
Do not continue the registration of the newspaper
Question about permission of folders and files
PHP Errors: Uploading image.png
Submission of File failed HTTP Error
File/folder permissions OJS 3.02
OJS3 usageStats question
After upgrading to OJS 3.1.1.4 files are not found
Turn off article submission system
Usage stats stopped getting collected 4 years back. How to start getting them again?
Securing OJS installations after installation-- How to?
Whitescreen related to locale
Having difficulty upgrading from 3.0.1 to 3.1.0-1
Cómo proteger OJS de hakeos
Problem in installing ojs-2.4.6
Author cannot upload their paper to ojs
Ojs2 has produced an error Message: USER WARNING: Smarty error: unable to read resource: "theme:public/common/header.tpl"
Problem in Ojs 3.0.0 installation
Errors on submission
OJS 3.0.2 Installation problem
Upload problem OJS-2.4.8-1
#2

There isn’t a straightforward answer because so much depends on your hosting environment. Start with your hosting provider’s documentation and support, or with your system administrator, and with the following instructions:

How to set your permissions

In general, you want your permissions set such that your webserver can read and write (recursively) to config.inc.php's files_dir, and to ./cache/, and ./public/. Optionally, for added features and reduced security, you can enable write to config.inc.php, to ./plugins/ and perhaps to the locale .xml files. Your webserver should have read-only access to all other files and directories distributed in the package.

How does Linux do this?

In Linux, permissions are based both on a numeric access control mode, and on file ownership. Understanding this permissions scheme is a prerequisite.

For example, ownership of apache:www with permissions of 750 (rwxr-x---) means that the apache user can read, write and execute; anyone with the www group can read or execute; and the file is protected against access by anyone else. Note that “execute” means two entirely different things for directories than for files!

An Example (for dedicated hosting):

Generally, the ownership of cache, public, and other web-writable directories should be your web user and the web-user’s primary group, for example apache:www-data. Permissions should probably be 750.

The ownership of the other non-web-writable directories should be your user, with either the web user’s group, or with public execute permissions. For example:
myuser:www-data with 750
or
myuser:ourgroup with 755.

Web-writable files would be the same, but without the execute permission:
apache:www-data with 640

Non-web-writable files would be perhaps:
myuser:www-data with 640
or
myuser:ourgroup with 644

But What About Shared Hosts?

With some shared hosts (for example, if your only access is via CPanel or a similar web-based admin tool), you may not have the ability to change the file ownership, and your webserver is effectively running as your user. In that case, you may still have the ability to protect your files by making them non-writable by your own user (even though this sounds counter-intuitive). In a shared host, you will almost certainly want to deny world permissions to your files, but look to the documentation and support for your host in particular.


File/folder permissions OJS 3.02
OJS UPLOAD does not work
File uploading error in OJS 3.1.1-4
Plug-ins in OJS-2.4.8-1
After migration blank screen
Ojs 3.1.1.4 wont install
User not able to review article
Ojs-3.1.1-2 The current role does not have access to this operation
After migration blank screen
[OJS3.0] Unable to upload logo, no image from previous version, broken PDF link
Fatal error: Smarty error: unable to write to $compile_dir
Problem ojs 3.0.2 on centos7
Installing 3.0 file_put errors
File permissions if only FTP access
Author uploading file showing http error
#3

Hi all,

See also the FAQ Entry in the wiki about file permissions.

Regards,
Alec Smecher
Public Knowledge Project Team


#4

Hello, Permission my directory sdh i replace 777 all … but still can not upload image or logo,
Please guide me

Thanks


#5


#6

Hi @taufiq,

Note that 777 permissions can be useful for debugging, but they are never safe to use.

It’s likely that you’re running into a problem with OJS being unable to identify file types. Search the forum for the error message you received; there are lots of threads with suggestions on how to debug/fix.

Regards,
Alec Smecher
Public Knowledge Project Team


Import xml out of memory
#8

Currently with the version of OJS 3.1 I have the same problem, can you tell me how you solved it?


#9

Currently with the version of OJS 3.1 I have the same problem, can you tell me how you solved it?


#10

Which server you are using Linux or Windows. When using windows sometimes there is mime type error.


#11

Do we have an script somewhere to reset ojs’s files/folder permissions?
If not… don’t you think it could be a nice addition for our toolbox?
If you point here how the permissions need to be (I recognize I always had doubts if I’m too restrictive or permissive) I don’t mind to do implement this as a bash script.


#12

Hi @marc,

Unfortunately between different SAPIs (FastCGI, CGI, mod_php, suexec), permissions models (Windows, standard *NIX, SELinux), and PHP configurations (open_baseurl etc), there are far too many permutations to consider. Plus a command-line PHP script vs. the web front end will often run as different user accounts. Essentially it’s up to the website’s administrator to know how permissions work in their environment and I’m not sure there’s a good alternative.

Thanks,
Alec Smecher
Public Knowledge Project Team


#13

Then… let me focus in a very specific stack: linux (alpine) + mod_php5
I’m thinking in a script to fix issues I’m finding with the docker container I’m building.

A RTFM is much appreciated. :wink:


#14

Hi @marc,

mod_php is generally hard to secure because all PHP scripts run as the same user account – generally apache. A break-in in e.g. one user account’s Drupal or Wordpress or OJS installation means a compromise to all PHP apps on that system, even if they’re managed by other user accounts.

File permissions in mod_php are relatively simple, though. You generally just have to chown/chgrp everything mentioned in docs/README to apache/apache.

Regards,
Alec Smecher
Public Knowledge Project Team


#15

As far as docker’s philosophy is compartmentalization (one dock for each app, even for each journal) it won’t be a problem. Long time ago since I open the README. Thanks.


Error while installing ojs version 3.1.1.2 warning file_put_content on centos 7
Add galley http error