Understanding file and directory permissions
When you add files and directories to your web hosting space they are assigned permissions - so the server knows who should be allowed access.
Your cPanel account is based on a server that runs a Linux operating system. The basic file permissions system allows you to apply specific permissions for three different Classes of access:
- User - this is your cPanel username.
- Group - this is also your cPanel username - you get your own group.
- Other - everyone else in the world.
The available permissions for each of these entities are:
- Read - allows the contents of the file to be read.
- Write - allows the file to be written to and modified or deleted.
- Execute - in the case of a file, it can be executed (like a CGI script). In the case of a directory, it allows the directory to be opened.
Therefore each file and directory has 9 permissions flags, made up of 3 for the user, 3 for the group, and 3 for everyone else (other.) This is explained graphically below:
Each of the 3 flags (Read, Write, eXecute) is represented by a number - 4 for Read, 2 for Write, and 1 for eXecute. These numbers are added together for each class to give a single digit.
Some examples
When you hear us say that a file should be chmod 600, this means that
- User has permissions to Read (4) and Write (2) we add these together to give 6.
- Group has no additional permissions (0).
- Other users (rest of the world) also have no permissions (0).
File permisions can also be expressed as the three blocks of letters together for User, Group and Other with - indicating that permission is not granted e.g. -rw-r--r-- (the initial - is the directory indicator)
When you hear us say that a directory should be chmod 755, this means that
- User has permissions to Read (4) and Write (2) and Traverse (execute) the directory (1) so 4+2+1 gives 7.
- Group has permissions to Read (4) and Traverse (execute) the directory (1) so 4+1 gives 5.
- Others have permissions to Read (4) and Traverse (execute) the directory (1) so 4+1 gives 5.
This can also be expressed as drwxr-xr-x note the initial d to indicate this is a directory.
How the permissions affect files and directories differently
Understanding what Read, Write and Execute means with regards to a file is pretty self explanatory. However, what these permissions mean to directories and what they mean for the files contained within them is not always clear, so here's some examples to cover that.
In this example, lets suppose the files and directories below are all in the public_html/ directory and all files are set to the same user and group to keep it simple.
├── [drwxr-xr-x] dir1
│ ├── [-rw-r--r--] file1.txt
│ ├── [drwx------] dir3
│ └── [-rw-r--r--] file3.txt
├── [drwxr-xr-x] dir2
└── [-rw-r--r--] file0.txt
If we were accessing this directory as Other (for example the way LiteSpeed accesses static files in your website [css, jpg, htm etc.]) then we would be able to read file0.txt because it is in the home folder and is readable by Other (the rightmost 'r').
We would also be able to access and read file1.txt because the directory containing it (dir1) has the 'x' execute bit set for the Other user. At first you might think that is because dir1 has the 'r' Read bit is set for Other that this would allow you to read files in it, but this is not the case. For directories, the read bit only allows you to list a directory's files NOT open them.
For the above reason we would not be able read the contents of file3.txt - although the file itself gives the Other user 'r' Read permissions, because the parent directory gives no permissions to Other.
In fact, every directory from the root path on the filesystem / all the way to the final parent directory of the destination file must allow execute permissions if you are to be able to read files from within it. Therefore under the following scenario we would still not be able to read file3.txt as the Other class.
├── [drwxr-xr--] dir1
│ ├── [-rw-r--r--] file1.txt
│ ├── [drwxr-xr-x] dir3
│ └── [-rw-r--r--] file3.txt
├── [drwxr-xr-x] dir2
└── [-rw-r--r--] file0.txt
Even though dir3, which contains file3.txt has the 'x' execute bit set for Other, we would never get this far, because dir1 does NOT have the 'x' bit set for Other. Therefore we would be unable to traverse the filesystem any further than the current working directory . at the top.
