Apache Server Account: Web Server Secrets, Part 4

Each file or directory, then, has three permissions (rwx) for each of the file owner (user), the group, and others. That’s why a Unix or Linux directory listing shows three sets of permissions:

  • drwxrwxrwx for a directory, and
  • -rwxrwxrwx for a plain file.

drwxr-xr-x 4 genealogist users 4096 Mar 30 19:24 .
drwx------ 5 genealogist users 4096 Mar 30 19:20 ..
drwx--x--x 2 genealogist users 4096 Mar 30 19:23 cgi-bin
-rw-r--r-- 1 genealogist users    8 Mar 30 19:21 .htaccess
-rw-r--r-- 1 genealogist users  747 Mar 30 19:21 index.html
-rw-r--r-- 1 genealogist users   32 Mar 30 19:23 main.html
drwxrwxrwx 2 genealogist users 4096 Mar 30 19:24 members

Three Digits

Unix is all about abbreviations. Vowels are never used when something unpronounceable will do. The first letter will often be used in lieu of the entire word. cp stands for copy, od stands for octal dump (but is what you use for hex dump as well), yes stands for you’re going to be sorry you asked.

So. If you can get a letter to stand for a word, why not have a digit stand for a series of letters each standing for a word or phrase? To a Unix or Linux hacker, that’s called efficiency, and therefore the very height of coolness.

One of the coolest things in Unix and Linux is file permissions. (I’m just giving the tip of the iceberg, you will recall. If you happen to have observed how a directory’s set-group-id bit changes from s to S on an NFS mount, you’d begin to appreciate ultimate coolness. However, we’ll leave total coolness for another day.)

Read permission is assigned a value of 4. Write permission is 2, and execute permission is 1. Thus:

  • rwx is 7,
  • rw- is 6,
  • r-x is 5,
  • r-- is 4, and
  • --x is 1.

When you slap user, group, others’ permissions together, you have truths such as:

  • rwxrwxrwx is 777,
  • rw-r--r-- is 644,
  • rw-rw-rw- is 666,
  • rwxr-xr-x is 755, and
  • rwx--x--x is 711.

But, what does this mean??? Finally, I can explain!

Apache Server

On your server, you are one of the users. This makes sense, right? You have an ftp login, and the files in your domain are (mostly) owned by yourself – that is, they’re owned by that ftp login. On a server, the “group” concept really doesn’t matter. Either everybody else is in your group, or nobody is. But it’s Unix or Linux, and that means the “group” part of the permission stuff is still there.

Meanwhile, the Apache server itself is a different user. The server itself owns its own files – and does not own your files. In the choice of “user, group, others”, the server falls in the “others” category. (With one important exception; I’ll get to that exception in just a bit!)

When a surfer blows on in to look at your awesome web page with 300k of fast-loading graphics, what actually happens? That surfer doesn’t actually log on to your server. Instead, that surfer’s browser sends a request to the Apache software which is logged in to your server. More precisely, the Apache software resides on your server, and listens for requests.

When Apache sees that surfer’s request, it figures out which of your files to grab, and feed to that surfer. Can Apache grab everything you’ve got? No, it can’t. First, it’s restricted by the server configuration files, and by your .htaccess files. Second, it’s restricted by your Unix/Linux file permissions. We’ll ignore that first restriction for now, and remain focused on the second.

If the file permission is 644 (-rw-r--r--), that means that “others” can read the file but not overwrite it. Apache is one of those others. What about the directory? Every file is in some directory, and therefore directory permission always counts. If the directory permission is 711 (drwx--x--x), the server can grab the file. If the directory permission is 700 (drwx------), the server can’t touch it.
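As an added example (not code from the original article), here is the octal arithmetic from “Three Digits” and the file-plus-directory rule above, modelled in Python over the page’s own listing; the `apache` user is a hypothetical identity standing in for the server’s “others” category.

```python
# Added example, not from the original article: a model of the permission
# rules the page describes. LISTING is constructed from the page's own `ls -la`
# output; "apache" is a hypothetical user who is neither owner nor group member.
LISTING = """\
drwxr-xr-x 4 genealogist users 4096 Mar 30 19:24 .
drwx--x--x 2 genealogist users 4096 Mar 30 19:23 cgi-bin
-rw-r--r-- 1 genealogist users    8 Mar 30 19:21 .htaccess
-rw-r--r-- 1 genealogist users  747 Mar 30 19:21 index.html
drwxrwxrwx 2 genealogist users 4096 Mar 30 19:24 members
"""

def mode_to_octal(mode):
    """'rwxr-xr-x' -> '755': r=4, w=2, x=1, summed for each rwx triplet."""
    if len(mode) != 9:
        raise ValueError("expected 9 permission characters, e.g. rw-r--r--")
    digits = ""
    for i in range(0, 9, 3):
        r, w, x = mode[i:i + 3]
        # 's' (set-id) or 't' (sticky) in the x slot means execute is set too
        digits += str((4 if r == "r" else 0) + (2 if w == "w" else 0)
                      + (1 if x in "xst" else 0))
    return digits

def parse_listing(text):
    """Map each name in an `ls -l` listing to (is_dir, owner, group, mode)."""
    entries = {}
    for line in text.splitlines():
        perms, _, owner, group, *_rest, name = line.split()
        entries[name] = (perms[0] == "d", owner, group, perms[1:10])
    return entries

def applicable_bits(owner, group, mode, user, user_groups):
    """Pick the rwx triplet that applies to `user`: owner, group, or others."""
    if user == owner:
        return mode[0:3]
    if group in user_groups:
        return mode[3:6]
    return mode[6:9]

def can_read_file(entries, directory, filename, user, user_groups=()):
    """The page's rule: `user` needs x on the directory AND r on the file."""
    d_is_dir, d_owner, d_group, d_mode = entries[directory]
    _, f_owner, f_group, f_mode = entries[filename]
    dir_bits = applicable_bits(d_owner, d_group, d_mode, user, user_groups)
    file_bits = applicable_bits(f_owner, f_group, f_mode, user, user_groups)
    return d_is_dir and dir_bits[2] in "xst" and file_bits[0] == "r"

def apache_can_read(entries, directory="."):
    """Which plain files in `directory` the hypothetical apache user can read."""
    return {name: can_read_file(entries, directory, name, "apache")
            for name, (is_dir, *_) in entries.items() if not is_dir}
```

Swapping the directory’s mode to `rwx------` (700) makes `can_read_file` return False for `apache` while the owner still gets True, which is exactly the 711-versus-700 distinction the paragraph draws.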