What are the methods for controlling php file permissions when executing under Linux?

不言
2018-07-23 17:49:40

What types of file permissions are there? How are file permissions controlled when PHP executes files under Linux? This article explains how file permissions apply when PHP is executed under Linux.

1. File permissions and ownership

1. Files have three types of permissions: read (r), write (w) and execute (x). For convenience they can be represented by the numbers 4, 2 and 1, so that by adding the numbers a single digit identifies the permissions of a file. For example, 7 = 4 + 2 + 1 means that it has all three permissions: read, write and execute. 6 = 4 + 2 means it has read and write permissions but not execute permission, and so on.

2. Just as web applications have RBAC permission management, Linux also has user permission management. Users have user names and user groups. Generally, when a user is created, a group with the same name is created at the same time.

First log in with the root account and create a new directory and a file:

# Create a new directory
mkdir abc
# Create a new file
touch abc.txt
# List them
ls -all

When you check it, you will find:

# Entries starting with d are directories, those starting with - are files, those starting with l are links, etc.
drwxr-xr-x  2 root root 4096 Jun 6 10:23 abc
-rw-r--r--  1 root root  0 Jun 6 10:23 abc.txt

First look at the first column above (the permission string). The first character is the type identifier; remove it and split the rest into groups of three characters. Taking the abc folder as an example: d | rwx | r-x | r-x

So for the abc folder, owner has rwx (7), group has r-x (5) and other has r-x (5).

Similarly, the third and fourth columns above are the name of the owner and the name of the group the entry belongs to. That is, the owner of the abc folder is root and its group is root. At this time:

a. If the root user accesses the abc folder, it counts as owner and has permission 7.

b. If a new user named test belongs to the user group root, accessing the abc folder counts as group, with permission 5.

c. If a new user named test belongs to the user group test, accessing the abc folder counts as other, with permission 5.

2. The role of each file permission

I originally wanted to explain it while testing, but it was too troublesome, so let’s just tell the results. You can create a new user yourself and then modify the permissions to test it yourself.

1. Directory

a. Entering the directory, i.e. the cd command: the required permission is execute permission (x).

b. Viewing the files in the directory, i.e. the ls command: the required permission is read permission (r).

c. Creating and deleting folders/files in the directory, i.e. the mkdir/touch commands: the required permission is write permission (w).

By the way, a directory's permissions only affect the level directly below it, not deeper levels. Take a directory abc/sub/ as an example. If abc does not have w permission but sub does, you can create files in sub. Of course, abc also needs x permission, otherwise you cannot enter it, let alone create anything; but as long as you can enter (by switching to the root administrator), you are no longer affected by abc, only by sub.

Generally, directories are given 5 (r-x) permissions, that is, read and execute. Only directories in which files need to be created, such as image upload or cache directories, are given 7 (rwx) permissions.

2. File

a. Opening the file, for example with the cat/vim commands: the required permission is read permission (r).

b. Modifying the file, for example opening it with the cat/vim commands and saving: the required permission is write permission (w).

c. Executing the file, for example running ./abc.out directly: the required permission is execute permission (x).

What needs to be explained here is that PHP (or shell, etc.) "execution", whether on the command line or on the web side, is not execution in this sense. The file is actually read and then parsed in the PHP kernel, so read permission (r) is enough for it to run.

Generally, files are given 4 (r) permissions, that is, read permission. Only files that need content written to them, such as logs and caches, are given 6 (rw) permissions.

The reason only single digits are discussed above, and not modes such as 755, 777 and 644, is that you cannot know in advance how the user that executes PHP relates to the owner of your website directory. The executing user may be owner, group or other.

3. Permissions when php is executed

Just as we need a user name to log in when connecting to Linux over ssh, PHP also handles PHP-related files as a certain user. Where is this user created or defined? It is usually created when the PHP environment is installed. For example, environments such as apache and nginx create users and user groups by default, and this user is used when reading php files. You can confirm it by viewing the configuration file:

# Apache, in the configuration file httpd.conf
User www
Group www
# nginx, in the configuration file nginx.conf
user www www;

or by viewing the processes with a command:

# View the apache processes
ps -ef|grep httpd
# View the nginx processes
ps -ef|grep nginx
# View the php-fpm processes
ps -ef|grep php-fpm

Taking apache as an example, it will display:

root   1663   1 0 09:14 ?    00:00:00 /www/wdlinux/apache/bin/httpd   // main process
www    1697 1663 0 09:14 ?    00:00:05 /www/wdlinux/apache/bin/httpd   // child process
www    1698 1663 0 09:14 ?    00:00:05 /www/wdlinux/apache/bin/httpd

The first column shows which user is running each process; look mainly at the non-root entries. The output above shows that the www user is running the apache processes that handle php files.

It should be noted here that if php-fpm is installed, you should also check the user name and user group that php-fpm runs as. (I have not installed it, so I have not tried this in practice.)

By default the user and user group may be something else, such as nobody or apache; the ones above have been modified. At this point, run ls -all in the website directory to confirm which user the website files belong to. There are several situations:

a. For example, the website owner is like this:

drwxr-xr-x  2 www www 4096 Jun 6 10:23 system
drwxr-xr-x  2 www www 4096 Jun 6 10:23 tmp
-rw-r--r--  1 www www  0 Jun 6 10:23 index.php
...

The website owner is www and the PHP executor is also www, which means owner permissions apply. The 55 in the 755 of the system folder above has no effect at all; as long as the mode is 7xx, PHP executes with 7 (rwx) permissions.

b. If the website owner is like this:

drwxr-xr-x  2 test www 4096 Jun 6 10:23 system
drwxr-xr-x  2 test www 4096 Jun 6 10:23 tmp
-rw-r--r--  1 test www  0 Jun 6 10:23 index.php
...

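The website owner is test and the group is www, while PHP runs as user www in group www. They are in the same group, so group permissions apply. The 7 and the last 5 in the 755 of the system folder above have no effect; as long as the mode is x5x, PHP executes with 5 (r-x) permissions.

c. If the website owner is like this: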

drwxr-xr-x  2 test test 4096 Jun 6 10:23 system
drwxr-xr-x  2 test test 4096 Jun 6 10:23 tmp
-rw-r--r--  1 test test  0 Jun 6 10:23 index.php
...

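The website owner is test and the group is test, while PHP runs as user www in group www. The two are not related at all, so other permissions apply. The 75 in the 755 of the system folder above has no effect; as long as the mode is xx5, PHP executes with 5 (r-x) permissions.

So you cannot simply say "change the permissions to 755, 644" or the like. You also need to confirm which user executes the program and who owns the website files before you can determine the permissions.

At present, many integrated environments (well, lanmpv3 and the like) save trouble by setting both the PHP execution user and the owner of the website directory to www. In that case directories are generally 755 after creation and files 644, so when PHP executes, the effective directory permission is 7 (create and delete rights in every directory) and the effective file permission is 6 (every file is writable). Isn't that rather insecure? Normally directories should be 5 and files 4, with 7 set only where there is a special need. If you are in the situation described above, there are two directions for fixing it: one is to change the apache/nginx user and user group, the other is to change the owner and group of the website files, so as to keep the website secure.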
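
The owner/group/other selection described in cases a, b and c, and the resulting check for paths the PHP user can write, as an added example that is not part of the original article. The function names and the www/test sample users are hypothetical, GNU stat is assumed, and only plain mode bits are modelled (no root, no ACLs).

```shell
#!/bin/sh
# Added example; function names and the sample users are hypothetical.
# Models plain mode bits only: root and ACLs are not taken into account.

# effective_digit MODE OWNER GROUP RUN_USER "RUN_GROUPS"
# Prints the one digit (0-7) that applies to RUN_USER. The classes are
# checked in the order owner, group, other and only the first match counts.
effective_digit() {
    m="000$1"
    m=${m#"${m%???}"}                 # keep the last three octal digits
    if [ "$2" = "$4" ]; then
        d=${m%??}                     # owner digit
    else
        case " $5 " in
            *" $3 "*) d=${m#?}; d=${d%?} ;;   # group digit
            *)        d=${m#??} ;;            # other digit
        esac
    fi
    printf '%s\n' "$d"
}

# digit_to_rwx DIGIT, e.g. 5 becomes r-x
digit_to_rwx() {
    r=-; w=-; x=-
    if [ $(( $1 & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then x=x; fi
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# php_writable_paths DIR RUN_USER "RUN_GROUPS"
# Lists "digit path" for every entry under DIR that RUN_USER may modify.
# GNU stat format: %a = octal mode, %U = owner, %G = group, %n = name.
php_writable_paths() {
    find "$1" -exec stat -c '%a %U %G %n' {} + |
    while read -r mode owner group path; do
        d=$(effective_digit "$mode" "$owner" "$group" "$2" "$3")
        if [ $(( d & 2 )) -ne 0 ]; then printf '%s %s\n' "$d" "$path"; fi
    done
}

# The article's three cases plus the 644 file, PHP running as www:www
# (constructed input).
for spec in "755 www www" "755 test www" "755 test test" "644 www www"; do
    set -- $spec
    d=$(effective_digit "$1" "$2" "$3" www "www")
    printf '%s owner=%s group=%s -> %s (%s)\n' "$1" "$2" "$3" "$d" "$(digit_to_rwx "$d")"
done
```

On a real server, pass php_writable_paths the website directory together with the user and groups found in the User/Group directives or the ps output; an empty result means PHP cannot modify anything under that directory through mode bits.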

The above is only a basic explanation of permissions.
