An introduction to Linux Access Control Lists
Security is particularly important when setting up any kind of site, to the extent that many site managers bear large costs to secure their databases. In plain language, one of the foundations of site security is correct, basic coding together with correct and logical access control on the site's files and folders.
This tutorial explains the Linux access levels that control access to a site's folders and files, so stay with us!
Security is one of the most important concerns for anyone who designs a site. Because sites built with PHP are mostly hosted on Linux servers, it is necessary to understand Linux permissions, that is, the rights to access files and folders. Learn them well, because the entire Linux security model depends on these permissions.
Of course, if permissions are set inappropriately, the system is at risk: an insecure host means access by hackers and, as a result, the loss of the site. We have 3 Linux access levels:
- Read: The ability to read
- Write: The ability to write and make changes
- Execute: The ability to execute the file
And we have 3 Linux access groups:
- Owner: the owner or admin
- Group: users who are members of the file's group on the site
- Public: others, that is, all other visitors
The numbers written for permissions are in base eight (octal). The first, second, and third digits (from left to right) specify the Owner, Group, and Public permissions. Each of these three digits, converted to base two, becomes a three-digit binary number whose first, second, and third digits (from left to right) specify the Read, Write, and Execute permissions.
Now let’s define 777:
owner 7 = 4 + 2 + 1 = read + write + execute
group 7 = 4 + 2 + 1 = read + write + execute
others 7 = 4 + 2 + 1 = read + write + execute
This is what is displayed next to the files and folders in the host's control panels.
A very important point: be careful, because the 766 permission is not a good choice: it allows Group and Public to do anything but does not give execute permission to the file owner!! Such a permission is not used anywhere, so be careful not to set it when working with permissions!!! Do not make the same mistake with permission 666.
Further explanation: suppose we set permission 777 on all the files and folders of the site. Normal visitors of your site only have the facilities and the web interface you provided to them, so they cannot do anything with these permissions directly.
But setting 777 can be dangerous in other ways. If someone hacks your site and can execute the commands he wants through PHP, the 777 permission gives him unlimited access to far more: all files and directories can be read, deleted, or manipulated, and in this way he can hide the compromise of the site much more easily and abuse your site and its users for a long time. For example, he can alter the contents of your PHP files and plant spy code in them. Therefore, apply only the permissions that are necessary, and only to the files and directories that need them.
It is not just a matter of visitors: the owners of other sites on your shared Linux server, who have the same kind of account and access to the server's software and services, can do much more. Access to your files is not possible only through PHP; setting open_basedir prevents their access from PHP, but they can also reach your files through other methods and software, and the necessary security settings for those services may not have been done correctly. For example, the other party can run a real executable program on the server and may be able to bypass many restrictions through that program.
Here, if your permissions are 777, there is certainly a much higher risk of spying, manipulation, and concealment. So, I repeat, only apply the permissions that are necessary, and only to the files and directories that need them. In other words, every file or folder exposed on the Internet has a level of access.
Main sections of Linux access levels
As a rule, you do not want everyone to have access to your site's files and folders. The access level, or permission, consists of two main parts:
- User group
- License to use
User group
From the perspective of your website server, there are three user groups:
- The first is the User or, in some cases, the Owner. This user group means you or, in other words, someone who has logged into cPanel with a username and password or has access to the site's folders with an FTP or Web Disk username.
- The second is the Group, containing the users who have access to your site. Since your cPanel has only one username and password, which is yours, the Group here almost never includes anyone else!
- The third is World or Public. This group means everyone who has access to the Internet. You have to set permissions for each of these three groups.
License to use
As mentioned before, there are three usage licenses:
- Read, or the ability to be read: if you enable Read for one of the three groups above, that group has permission to read the desired file or folder. The numerical value of Read is 4 (explained below).
- Write, or permission to record changes: if this permission is given to one of the three groups above, that group has permission to change the desired file or folder. The numerical value of Write is 2.
- Execute, or permission to execute the file: if this permission is given to one of the three groups above, that group has permission to execute the desired file or folder. The numerical value of Execute is 1.
Each of these permissions has a numerical value, and the total value for a group is the sum of these three numbers.
For example, if the User group is given all three permissions, the value is 4 + 2 + 1, so the access level for this group equals 7; if we only allow this group to read and record changes, its access level will be 6.
Total access level: a three-digit number obtained by combining the access levels of the three groups, User, Group, and World. For example, an access level of 611 on a file means that you can read and record changes in that file, while Group and others on the Internet only have permission to read it. Setting the access level of site folders and files is very important, because a mistake here may let hackers penetrate the main parts of your site, or remove a whole folder or file from the reach of everyone, even yourself!
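As an added example (not part of the original article; the function names are this example's own), the following POSIX shell functions carry out the octal arithmetic described above in both directions: they expand a three-digit mode such as 777 or 611 into its rwx letters, rebuild each digit from rwx letters by adding 4, 2 and 1, and flag any mode whose Group or Public digit includes the write bit (2), which is the condition the article warns about.

```shell
#!/bin/sh
# Added example, not from the original article: octal permission arithmetic.
# Function names (digit_to_rwx, mode_to_symbolic, ...) are this example's own.

# One octal digit (0-7) -> its rwx letters, e.g. 6 -> rw-
digit_to_rwx() {
    case "$1" in
        0) printf '%s' '---' ;;  1) printf '%s' '--x' ;;
        2) printf '%s' '-w-' ;;  3) printf '%s' '-wx' ;;
        4) printf '%s' 'r--' ;;  5) printf '%s' 'r-x' ;;
        6) printf '%s' 'rw-' ;;  7) printf '%s' 'rwx' ;;
        *) echo "bad digit: $1" >&2; return 1 ;;
    esac
}

# Three-digit mode (Owner, Group, Public) -> nine rwx letters, e.g. 755 -> rwxr-xr-x
mode_to_symbolic() {
    case "$1" in
        [0-7][0-7][0-7]) ;;
        *) echo "bad mode: $1" >&2; return 1 ;;
    esac
    first=${1%??}                        # drop the last two digits  -> Owner digit
    middle=${1#?}; middle=${middle%?}    # drop first and last digit -> Group digit
    last=${1#??}                         # drop the first two digits -> Public digit
    printf '%s%s%s\n' "$(digit_to_rwx "$first")" "$(digit_to_rwx "$middle")" "$(digit_to_rwx "$last")"
}

# Three rwx letters -> one digit, adding 4 for r, 2 for w and 1 for x, e.g. rw- -> 6
rwx_to_digit() {
    n=0
    case "$1" in r??) n=$((n + 4)) ;; esac
    case "$1" in ?w?) n=$((n + 2)) ;; esac
    case "$1" in ??x) n=$((n + 1)) ;; esac
    printf '%s\n' "$n"
}

# Nine rwx letters -> three-digit mode, e.g. rwxr-xr-x -> 755
symbolic_to_mode() {
    u=${1%??????}                        # first three letters  -> Owner
    g=${1#???}; g=${g%???}               # middle three letters -> Group
    o=${1#??????}                        # last three letters   -> Public
    printf '%s%s%s\n' "$(rwx_to_digit "$u")" "$(rwx_to_digit "$g")" "$(rwx_to_digit "$o")"
}

# Succeeds (exit 0) when the Group or Public digit includes the write bit, i.e. is
# one of 2, 3, 6, 7. This is the property that makes 777 and 666 risky.
grants_outside_write() {
    g=${1#?}; g=${g%?}
    o=${1#??}
    for d in "$g" "$o"; do
        case "$d" in 2|3|6|7) return 0 ;; esac
    done
    return 1
}

# Stand-alone usage: decode a few modes and mark the ones that let others write.
for m in 777 766 666 755 644 711 611; do
    if grants_outside_write "$m"; then risk="Group/Public can write"; else risk="ok"; fi
    printf '%s  %s  %s\n' "$m" "$(mode_to_symbolic "$m")" "$risk"
done
```

Decoding 766 with these functions shows why the digit-by-digit reading matters: the first digit, 7, is the Owner's and includes execute, while the 6s belong to Group and Public and include write.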
If you set the access level of a file to 000, you can only delete it! You will not even be allowed to change its access level again! In summary, the meaning of the common access levels is:
For files:
- 5000: no one has access to this file, and only you can delete it.
- o044: you have permission to work with this file, and others can only run it.
- o000: a special mode that removes some files from the reach of software installed on the site.
- o600: everyone has every kind of access to this file. This level of access is only for special situations!
For folders:
- 5000: no one has any access to this folder.
- o044: no one except you has permission to access this folder, and even the files and folders inside it will not be accessible.
- o611: you have complete access to this folder, and others can only access the files and folders inside it. That is, if only the address of this folder is requested, a 404 error is returned; direct access to the folder itself is not possible.
- o677: you have full access to this folder, and others also have full access. If they only enter the address of this folder and no index file is present, the list of files and folders in it will be displayed to them!
- o666: everyone has every kind of access to this folder. This level of access is only for special situations!
But we suggest the best access level for your files is 611 and for your folders 711. Of course, for some CMSs, the access level of certain folders must be 777.
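As a second added example (again not the article's own code; the function names and the sample tree are constructed for this illustration), this shell script shows how to audit a site tree for the condition the article warns about: files or folders whose Public digit includes the write bit, which is what 777 or 666 grants. It builds a small constructed tree in a temporary directory, counts world-writable entries with `find -perm -002`, then strips the write bit from Group and Public with `chmod go-w` instead of forcing one fixed mode, and counts again.

```shell
#!/bin/sh
# Added example, not from the original article: find and fix world-writable
# entries under a site root. Function names are this example's own.

# Print every file or folder under $1 whose Public digit has the write bit (2).
# "-perm -002" means "all of these bits are set"; 002 is only the others-write bit.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print
}

# The same check, returned as a count.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Remove the write bit from Group and Public everywhere under $1. Owner bits and
# the read/execute bits of every entry stay as they were, so a 777 folder becomes
# 755 and a 666 file becomes 644 without touching correctly set entries.
harden_tree() {
    find "$1" \( -type f -o -type d \) -exec chmod go-w {} +
}

# Build a constructed sample tree in a temp dir, audit it, harden it, audit again.
# Prints "<count before> <count after>", e.g. "2 0".
demo_audit() {
    root=$(mktemp -d) || return 1
    mkdir "$root/uploads"
    chmod 777 "$root/uploads"             # the risky folder mode discussed above
    printf '<?php echo "hi";\n' > "$root/index.php"
    chmod 644 "$root/index.php"           # readable by all, writable only by Owner
    : > "$root/config.php"
    chmod 666 "$root/config.php"          # world-writable file (the 666 mistake)
    before=$(count_world_writable "$root")
    harden_tree "$root"
    after=$(count_world_writable "$root")
    rm -rf "$root"
    printf '%s %s\n' "$before" "$after"
}

demo_audit
```

On a real site run `list_world_writable /path/to/site` first and review the output; folders that a CMS genuinely needs writable (the exception the article mentions) should be left out of `harden_tree`, for example by hardening only the subtrees that hold code.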