Minimum Viable File Permissions

Posted on by Rebecca
403 notice

The alpha version of a program I’m writing uploaded with whackadoodle file permissions, and after that experience and considering security for database connection information, I became curious about the minimum permission level for various kinds of files that would still allow the page to load and operate.

I wrote a test page that has a linked stylesheet, image, and included PHP file. It has a script in a separate file that loads another PHP file via AJAX. All told, there were six files. I knew from my odd uploading experience that 600 was sufficient for an included PHP file, though not whether it was necessary; I hypothesized the JS, CSS, image, and main PHP file would need laxer permissions than the included PHP file, but I did not know about the loaded PHP file. I uploaded my page to my server and tweaked permissions in one browser while testing the page in a different (logged out) browser.

Here are the results of gradual stepping-up of permissions from 400, user-only read-only, adding read access for the world and execute access if needed. The minimum permission level that each file needed was as follows:

  • Containing folder: 101. This was an afterthought. 400 and 404, read access for user or user+world, gave a Permission Denied error, but 101 loads everything. Oddly, 001 loads a blank page. However, on the back end, you need 501 to be able to peek inside the folder and see anything – otherwise it tells you the folder is empty.
  • Main PHP (index.php): 400. This surprised me. I thought perhaps this would mean my server wouldn’t let me edit the file, but that was fine. This also allowed the JavaScript program to write to the page.
  • Included PHP (included.php): 400.
  • PHP loaded by AJAX (loaded.php): 400.
  • Stylesheet (style.css): 004.
  • Image (test-image.jpg): 004.
  • Script (ajax-loader.js): 004.

Of course it’s somewhat silly to have permission settings that are lower for the user than the world, but this was an academic exercise. It’s also true that my page isn’t doing sophisticated things, so write access was pretty much irrelevant. However, I found it interesting to see how low you can set permissions – execute access for user and world for folders, and read access for either world or user (depending on whether it’s a client-side or server-side file, since the server is effectively the user) for files.

If you’re curious, you can visit the page itself or see the code on GitHub.

Leave a Reply

Your email address will not be published. Required fields are marked *