WebEnabled File Permissions Overview

The WebEnabled platform runs each website's scripts under a Unix pseudo-user account dedicated to the website's Apache virtual host. This provides operating-system-level security separation between websites, and it lets us provide you with any and all features of PHP and more. (Many typical shared hosting providers don't bother to do this. They run all websites' scripts under the same shared pseudo-user account, and thus either completely lack cross-website security or rely on PHP-level restrictions, which severely limit what features your scripts may use yet are fairly easy for an intruder to bypass.)

Due to the above, WebEnabled allows you to use more restrictive file permissions. We recommend that you use the following permission settings. The numbers are Unix permission masks to be set with the "chmod" command or with its equivalent in a file manager.

Directories - 711 (full permissions for owner, access only for everyone else)

Static content (.html, .jpg, .css, .js, any uploaded files to be served back via the web) - 644 (read and write for owner, read only for everyone else)

PHP scripts (and "include files" such as Drupal modules) - 600 (read and write for owner only)

Any other scripts to be executed by the server(*) (e.g., written in Perl) - 700 (read, write, and execute for owner only)

(*) These need to be appropriately named and/or located in a proper directory. Please file a ticket with your very specific requirements if you'd like to run non-PHP web scripts and we'll get back to you with the relevant details.

A quick way to set correct file permissions on an entire directory tree is by logging in to the shell and running the "fixwebperms.sh" script on the directory tree. (This script is pre-installed on our servers.)

If your web application allows for file uploads via the web, the upload directory does not need to be made group- or world-writable. (This differs from what typical shared hosting setups require.) If the files need to be served back via the web, the directory should be set to mode 711 - just like any other directory inside your website tree. The uploaded files themselves need to be mode 644. If the files don't need to be served back, then the directory should be set to mode 700 (full permissions for owner, no permissions for anyone else) and preferably located outside of your website tree (that is, outside of the public_html directory).

Please note that although these are our recommended settings for best security, the default permission settings on files uploaded to WebEnabled will be acceptable most of the time. With typical file upload mechanisms, directories will become mode 755 (full permissions for owner, list and access only for everyone else) and files will become mode 644 by default. This is only slightly more relaxed than our recommended settings described above. With these more relaxed settings, some protection against another website's scripts or the owner of another website reading your potentially non-public files is achieved through permissions on website pseudo-user home directories, which are by default only readable to the owner and to the web server, but not to other accounts on the system.
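To see where a website tree differs from the recommended modes listed above, the following read-only audit can be run from the shell. It is an added example, not the pre-installed fixwebperms.sh (whose contents this page does not show) and not WebEnabled's own code; the function names and the file extensions used to classify PHP include files and other server-executed scripts are assumptions. Directories left at the default mode 755 are reported as differing from 711, and a private mode 700 upload directory kept outside public_html is not meant to be audited with it.

```shell
#!/bin/sh
# Added example (not the pre-installed fixwebperms.sh): read-only audit of a
# website tree against the recommended modes. Changes nothing on disk.
# Output: "<recommended-mode> <path>" for each mismatch, and "WRITABLE <path>"
# for anything group- or world-writable.
# Assumptions: .inc/.module count as PHP include files; .pl/.cgi count as
# other server-executed scripts; every other file is static content.

audit_webperms() {
    root=$1
    # Directories: 711
    find "$root" -type d ! -perm 711 | sed 's/^/711 /'
    # PHP scripts and include files: 600
    find "$root" -type f \
        \( -name '*.php' -o -name '*.inc' -o -name '*.module' \) \
        ! -perm 600 | sed 's/^/600 /'
    # Other server-executed scripts: 700
    find "$root" -type f \( -name '*.pl' -o -name '*.cgi' \) \
        ! -perm 700 | sed 's/^/700 /'
    # Everything else is treated as static content: 644
    find "$root" -type f \
        ! \( -name '*.php' -o -name '*.inc' -o -name '*.module' \
             -o -name '*.pl' -o -name '*.cgi' \) \
        ! -perm 644 | sed 's/^/644 /'
    # Group- or world-writable entries, which this setup never requires
    find "$root" \( -type d -o -type f \) \
        \( -perm -020 -o -perm -002 \) | sed 's/^/WRITABLE /'
}

# Exit status 0 only when the audit reports nothing (usable from cron or CI).
webperms_ok() {
    [ -z "$(audit_webperms "$1")" ]
}
```

Call it as audit_webperms ~/public_html; paths containing newlines are not handled.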