WordPress has a good article explaining Unix file permissions. Read it and you will understand the basics. In short (and not theoretically exact):
Unix systems define three different "roles": user, group, and world. Especially the "world" seems to confuse people.
Each directory AND file (both are nodes and not so different on Linux systems) is assigned to a user and a group. You can see the user and group as the "owners" of a particular file / directory (I will just say "nodes" from here on, because the distinction does not really matter). File permissions determine who can do what with the nodes. Example:
The index.php file is assigned to the user "aso" and the group "www-data" and has mode 644. This means that the user (6) has read and write permissions, the group has only read permission (4), and so does the "world" (the last 4 of the three digits).
Now you must first understand that every user on a *nix system is part of a group. The name of the group sometimes matches the username, but A GROUP IS A SEPARATE ENTITY. Thus, it is possible that you have both a user and a group named "aso".
File permissions are constructed from a "bit mask" as follows: read permission is indicated by the number 4, write by 2, and execute by 1. Any combination of these can be made. For example, write and execute permissions together give 3 (write = 2, execute = 1), and read and execute permissions together give 5 (read = 4, execute = 1).
Let's see what this means, and I must be fair and say that I cannot be complete on this matter. Please use Google if you need the full story.
If I create a file on my *nix system, it is automatically assigned to me (my user) and to the group my user is part of. With 644 permissions, this means that I (logged in as my own user) can read the file and can change it (write). But I do not have execute (x) permission. However, this does not matter, since execute only applies to executable scripts (shell scripts, in most cases with the .sh extension). The group the file belongs to ('www-data') has read permission only, so it cannot modify the file. The world also has read permission only.
Please note that a user can be part of several groups, and that the rights on *nix files have a limited scope: you cannot assign write permission to group 1 and read-only to group 2. In traditional file systems this is not possible. However, file systems such as ReiserFS and ext3 can use extended ACLs to do this, but that is a different story.
What does this mean? It is easier than expected if you understand what the assigned rights mean and what the difference is between a file node and a directory node.
Files
- Read: ability to read its contents
- Write: ability to change (write and delete) its contents
- Execute: ability to execute the file (run the script, with all possible consequences)
Directories
- Read: ability to read its contents. This means: the list of node names, but NOT the contents of the nodes, their type, etc.
- Write: ability to add / delete files
- Execute: ability to list its contents including type, last modified date, etc.
Back to your business. If you have the usual setup (Linux server with Apache and PHP as a module), your files will be assigned to your FTP user and the www-data group (the group Apache runs as). You yourself need read and write permissions (since sometimes you want to change a file), but DO NOT NEED execute permission (since PHP or HTML files are not executables). So for the user you need 6 (read = 4, write = 2, combined 6). For the group, you only need read permission, since Apache (or the PHP module) only needs to read the contents of your PHP script. Any other user on the system has nothing to do with your files and as such does not need any permissions (0).
Thus, for ALL of your scripts, 640 permissions are sufficient (read and write for the user, read for the group and none for the "world").
For directories, your user needs all permissions (read = 4, write = 2, execute = 1, total 7). Why? Because it must read the directory's contents (node names), it must be able to determine whether a node is a file or a directory (and other properties), and it must be able to add and delete files (you want to add files sometimes, right?). So we give your user 7.
The group ('www-data', the group Apache runs as), however, needs only read and execute permissions: read permission to list the contents (node names) and execute permission to see the other properties (node type, modification time, etc.). It does not need write permission, because usually you do not want PHP (Apache) to add / remove files in your application tree.
Finally, the "world", which is any other user on the system (which is NOT the same as the world in its broadest sense), does not need any permissions. Why would anyone else on the server need access to your files?
This adds up to 750 (all permissions for the user, read and execute for the group, none for others).
A generalized answer to your question, the bare minimum:
- File permissions: 640
- Directory permissions: 750
But what is always good, fairly standard and safe enough:
- File permissions: 644
- Directory permissions: 755
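The scheme above put into practice, as an added example that is not part of the original answer: a POSIX shell snippet that turns the rwx letters into octal digits (and back), applies 640 to every file and 750 to every directory under a tree with `find`, and then counts anything that does not match. The `make_sample_tree` function builds a throwaway tree under `mktemp -d` as constructed sample input; the function names are the example's own, not anything from the answer.

```shell
#!/bin/sh
# Added example: 640 for files, 750 for directories, applied and verified.
# Function and path names are this example's own assumptions.

# Octal digit for one role from its letters, e.g. "rw-" -> 6, "r-x" -> 5.
perm_digit() {
  d=0
  case "$1" in *r*) d=$((d + 4));; esac
  case "$1" in *w*) d=$((d + 2));; esac
  case "$1" in *x*) d=$((d + 1));; esac
  echo "$d"
}

# Three role triples -> three-digit mode, e.g. "rw-" "r--" "---" -> 640.
mode_from_triples() {
  echo "$(perm_digit "$1")$(perm_digit "$2")$(perm_digit "$3")"
}

# The reverse: one octal digit -> "rwx" letters, e.g. 5 -> "r-x".
rwx_from_digit() {
  r=-; w=-; x=-
  if [ $(($1 & 4)) -ne 0 ]; then r=r; fi
  if [ $(($1 & 2)) -ne 0 ]; then w=w; fi
  if [ $(($1 & 1)) -ne 0 ]; then x=x; fi
  echo "$r$w$x"
}

# Three-digit mode -> the nine letters ls shows, e.g. 750 -> "rwxr-x---".
mode_to_rwx() {
  u=${1%??}; o=${1#??}; g=$(printf '%s' "$1" | cut -c2)
  echo "$(rwx_from_digit "$u")$(rwx_from_digit "$g")$(rwx_from_digit "$o")"
}

# Build a small constructed tree with deliberately loose 777 modes.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/app/inc" "$root/app/uploads"
  : > "$root/app/index.php"
  : > "$root/app/inc/db.php"
  : > "$root/app/uploads/readme.txt"
  chmod -R 777 "$root/app"
  echo "$root/app"
}

# Apply the answer's minimum: 750 on directories, 640 on files.
# Directories first so the later find can still traverse them.
harden_tree() {
  find "$1" -type d -exec chmod 750 {} +
  find "$1" -type f -exec chmod 640 {} +
}

# Number of nodes under $1 whose mode is not 750 (dirs) / 640 (files).
# "-perm 640" without a leading "-" or "/" means an exact match.
count_violations() {
  bad_dirs=$(find "$1" -type d ! -perm 750 | wc -l)
  bad_files=$(find "$1" -type f ! -perm 640 | wc -l)
  echo $((bad_dirs + bad_files))
}

if [ "${1:-}" = "demo" ]; then
  tree=$(make_sample_tree)
  echo "before: $(count_violations "$tree") node(s) out of policy"
  harden_tree "$tree"
  echo "after:  $(count_violations "$tree") node(s) out of policy"
  echo "640 = $(mode_to_rwx 640), 750 = $(mode_to_rwx 750)"
  rm -rf "$(dirname "$tree")"
fi
```

Run it with `sh script.sh demo`. Note that `harden_tree` changes the directories first: if you lowered file modes first from a shell that could not traverse the directories, the second `find` would not reach them. Also remember that this only sets user/group/other bits; the extended ACLs mentioned above are set separately with `setfacl` and are not touched here.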