Permissions are Powerful

Every webmaster needs to know how Unix permissions work whether they run Joomla or any other CMS - even if they run no CMS at all.

This is just about everything a Joomla user needs to know about correct file and folder permissions on a website. Yes, this is filed under Basic Training. Strap in, this is going to be more painless than a trip to the dentist. Heh, heh.

The only hard part of permissions isn't hard, it's just math. You will understand this. Let's go: you're about to learn how to add and subtract in the base-8, or octal, numbering system. Trust me - you've got this.

It's just a matter of reading numbers differently.

Decimal: What You Know

Normally we do numbers in base-10, or decimal. In base-10, the biggest digit is 9. When we do 9+1, we roll over to put +1 in the "tens place" which is so-named because it's base-10 and it's the first higher-order position. The base-10 number 100 is 10x10 and it's called the hundreds place because that's what it counts.

This stuff you already know is why learning base-8 will be easy.

Octal: One Simple Difference

In base-8, the largest digit is a 7. That means if you add 7+1 in base-8, it rolls over, and you get the base-8 number 10.

This is because the left-most digit in a 2-digit number is the "eights place" in octal, not the "tens place" as in decimal.

In both cases, the number which looks like "10" is equal to "the biggest digit you can put in the ones place, plus one."

So, the base-8 number 10 (or base-8 math 7+1) is equal to the base-10 number 8 (or base-10 math 7+1). It's just a different notation system; you have fewer digits ending at a smaller number, so you roll over sooner.

The same rule scales up for every position in a multi-digit number. The base-8 number 100 is actually base-10 math 8x8, for the same reason as the base-10 number 100 equals base-10 math 10x10.

Similar to above, no matter which numbering system, the number which looks like "100" means "max-out both of the lower-order digits, then add 1."

By the way, some of you just did base-8 multiplication on reflex, just by learning how to read the numbers. Yes, the base-8 number 100 is equal to the base-10 number 64. Go you!

Permissions Are Octal, But...

Now you can do math in octal; next I'll explain permission notation. It's not a straightforward 3-digit base-8 number, which is good news, because it means permissions don't require any large-number math in octal. Whew!

Each digit in the Unix permission notation refers to a type of user. We normally see permissions regarded as 3-digit numbers, but there's actually a fourth in front - it's for advanced users and we're not even going to talk about it any further. The three-digit notation refers to, in this order:

  • Left-most: the file/folder's owner
  • Center: users who are members of the file/folder's group
  • Right-most: all users

Quick aside: that third slot, "all users," is why permissions are so powerful and important. Hopefully you've heard someone say, by now, "777 permissions are evil!" or my favorite attention-getter, the phrase "horribly insecure." More on that below.

Now you know the digits are actually slots; but what goes in the slots? The answer to that is the reason you learned octal math. Each digit is derived by adding together the numbers which correspond to a specific permission:

  • 4 = read
  • 2 = write
  • 1 = execute

Each combination is unique:

  • 1 = execute; e.g. a folder users can descend into but not read or write to (there are uses for this)
  • 2 = write-only; rarely used, e.g. certain shared log files
  • 1+2 = 3 = execute+write; e.g. a staging folder for anonymous uploads to be processed by staff
  • 4 = read-only
  • 4+1 = 5 = read+execute; e.g. software you can run but not update
  • 2+4 = 6 = read+write; e.g. a document or PHP source file you own
  • 1+2+4 = 7 = read+write+execute; e.g. software you can both run and update

Beware the Sixes and Sevens

Now, to explain why 777, or any number ending in 6 or 7, is evil for security purposes. That third slot means "all users," and a 6 or 7 gives permission to write (including create, edit, and delete). This means a random Internet user need only breach any account on your server to gain write access to your files.

They don't even have to gain access via your site or your accounts -- "all users" means any user account held by any customer on that computer. With that, they can usually cause real harm to, or with, your site. Sixes and sevens in the third slot are evil!

Users and Groups

Finally, about users and groups. You might already understand most of what you need to know about users: your user account lets you access FTP. In the Unix context, the user and group are two aspects of ownership; taken together, ownership and permissions are two sides of the same coin.

Besides file ownership, and related to it in this lesson, programs also use the user-and-group model. Every running program is owned by a user and a group. This is important because the web server is a program, and needs to be able to write to the web files, including all of Joomla's files and folders.

If you use shared hosting, this might never come up; most good shared hosting setups don't let you mess up file/folder ownership anyway. However, if you have multiple FTP users, there's a chance files/folders can be owned by the wrong user and the wrong group, or by the wrong user and the right group but with group permissions that are too restrictive. Both cases cut apps like Joomla off from vital internal functions.

When in doubt, remember that the user and group which own your main folders will only have changed if there's been an accident. If you are able to save changes in Joomla's Global Configuration, then the ownership of configuration.php is at least somewhat correct (unless its last digit is a 6 or a 7!).

However you access your site's files -- FTP, shell, hosting File Manager, etc. -- you will have some way of changing the owner (or "user") and group of your files and folders, if need be. If you somehow lock yourself out of controlling certain files, your hosting File Manager should be able to bypass those mistakes -- otherwise you may simply need to use a higher-level FTP username, or you may need to call your host's support team.
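To tie the octal digits, the "sixes and sevens" rule, and the user/group model together, here is an added example (not from the original article) in plain POSIX shell: it decodes a 3-digit mode into rwx triplets, flags modes that grant write to "all users", works out which slot applies to a given process the way Unix does, and lists world-writable paths under a folder. The usernames in the comments (joomla, www-data) are constructed sample values, not anything from the article.

```shell
# Added example, not from the original article. Works in any POSIX shell;
# only find(1) is used from outside the shell.

# digit_to_rwx 5  ->  r-x   (4=read, 2=write, 1=execute, added together)
digit_to_rwx() {
  d=$1; r='-'; w='-'; x='-'
  [ $((d & 4)) -ne 0 ] && r='r'
  [ $((d & 2)) -ne 0 ] && w='w'
  [ $((d & 1)) -ne 0 ] && x='x'
  printf '%s%s%s' "$r" "$w" "$x"
}

# decode_mode 644  ->  rw-r--r--   (owner slot, group slot, all-users slot)
decode_mode() {
  m=$1; mid=${m#?}; mid=${mid%?}
  printf '%s%s%s\n' "$(digit_to_rwx "${m%??}")" "$(digit_to_rwx "$mid")" \
    "$(digit_to_rwx "${m#??}")"
}

# world_writable 644 -> fails; world_writable 777 -> succeeds.
# The article's rule is "last digit 6 or 7"; this also catches the rarer
# 2 and 3, since any digit with the 2 (write) bit set grants write to everyone.
world_writable() {
  last=${1#??}
  [ $((last & 2)) -ne 0 ]
}

# can_write MODE FILE_OWNER FILE_GROUP PROC_USER PROC_GROUP
# Unix consults exactly one slot: the owner slot if PROC_USER owns the file,
# else the group slot if PROC_GROUP matches, else the all-users slot.
# This is the check behind "the web server needs to be able to write".
can_write() {
  m=$1
  if [ "$4" = "$2" ]; then d=${m%??}
  elif [ "$5" = "$3" ]; then d=${m#?}; d=${d%?}
  else d=${m#??}
  fi
  [ $((d & 2)) -ne 0 ]
}

# list_world_writable DIR: paths under DIR whose all-users slot has the
# write bit (-002 is the octal form of "others may write"), i.e. the
# sixes and sevens the article warns about.
list_world_writable() {
  find "$1" -perm -002 -print
}

decode_mode 644   # rw-r--r--
decode_mode 755   # rwxr-xr-x
```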

In Summary

Here is what you've learned:

  • How to calculate permissions (and where to find a handy reference breaking it all down!)
  • How the 3-digit permissions notation works
  • Who the "user" and "group" slots in that 3-digit notation apply to
  • Why and how to change the user or group which owns files in your web space
  • Why the third permissions digit of your website's files and folders should never be a 6 or a 7!
  • How to read octal numbers and do octal math (you nerd!)