File permission method when PHP is executed under Linux

The following editor will bring you an article to clarify the file permissions when PHP is executed under Linux. The editor thinks it’s pretty good, so I’ll share it with you now and give it as a reference. Let’s follow the editor to take a look.

1. File permissions and ownership

1. Files have three types of permissions. In order to facilitate the period , can be replaced by numbers, so that by adding and subtracting numbers, one number can be used to identify the permissions of this file. For example, 7=4+2+1 means that there are 3 permissions for reading, writing and executing, 6=4+ 2. It means there are read and write permissions but no execution permissions, etc.

#2. rbac permission management of Lenovo web application, etc. There is also user permission management under Linux, and users have users Name and user group. Generally, when a user is created, a group to which the user with the same name belongs will also be created.

First log in with the root account and create a new directory and a file

#新建目录
mkdir abc
#新建文件
touch abc.txt
#查看
ls -all

When you check it, you will find:

#d开头的为目录，-开头为文件，还有l开头的为连接等
drwxr-xr-x  2 root root 4096 Jun 6 10:23 abc
-rw-r--r--  1 root root  0 Jun 6 10:23 abc.txt

First look at the blue part above. The first digit is the identifier. Remove the first digit and separate every three digits thereafter. Take the abc folder as an example: d | rws | r-x | r-x

So the abc folder indicates that owner owns rwx (7), group owns rx (5), and other owns rx (5).

Similarly, the red part in the file above is the name of the owner and the name of the group to which it belongs. That is, the owner of the abc folder is root and the group to which it belongs is root. At this time:

a. If the root user accesses the abc folder, it is equivalent to the owner and has 7 permissions.

b. If a new user name test user group is root. Accessing the abc folder is equivalent to group, with permissions of 5

c. If a new username test and the user group is test access the abc folder, it is equivalent to other, with permissions of 5

2. The role of each file permission

I originally wanted to test and explain, but it’s too troublesome, so let’s just tell you the results. You can create a new user yourself and then modify the permissions to test it yourself.

1. Directory

a. Enter the directory, that is, the cd command. The required permissions are execution permissions (x)

　b. View the files in the directory, i.e. ls command, the required permission is read permission (r)

　c. Create and delete folders/files in the directory, i.e. mkdir/touch naming, required The permission is write permission (w)

By the way, the directory only affects the next level, and does not affect generations. For example, a directory abc/sub/, if abc does not have w permission, but sub has w permission, You can create files in sub. Of course, abc also needs to have , will only be affected by sub.

Generally, our directories will be given 5 (rx) permissions, which are read and execute permissions. Only directories such as image uploading or caching that need to be created will be given 7 (rwx) permissions

2. File

a. The file can be opened with the cat/vim command. The required permission is read permission (r)

b. File modification can be opened and saved with the cat/vim command. The required permissions are write permissions (w)

c. File execution can be executed directly./abc.out etc., the required permissions are For execution permission (x)

What needs to be explained here is that PHP (or shell, etc.), whether it is command line execution or web execution, is called execution. It actually reads the file and parses it in the PHP kernel. , so as long as you have read permission (r).

Generally, our files will be given 4(r) permissions, which is read permissions. Only logs, caches, etc. that need to write content to the file will be given 6(rx) permissions

The reason why the 755, 777, and 644 permissions are not mentioned above, but only a single permission, is because the permissions of your website directory cannot be guaranteed to be related to the user used during execution, which means that the user during execution may be owner, it may be group or other

3. Permissions when executing PHP

We must have it when we connect to Linux via ssh You must have a username to log in. Similarly, if PHP wants to process PHP-related files, it must be operated under a certain user. Where is the user created or defined? It is usually created when the PHP environment is installed, for example. Environments such as apache and nginx will create users and user groups by default. This user is used when reading PHP. You can confirm by viewing the configuration file:

#apache在配置文件httpd.conf
User www
Group www
#nginx在配置文件nginx.conf
user www www;

Or view the process by naming:

#查看apache进程
ps -ef|grep httpd
#查看nginx进程
ps -ef|grep nginx
#查看php-pfm进行
ps -ef|grep php-pfm

Taking apache as an example, it will display:

root   1663   1 0 09:14 ?    00:00:00 /www/wdlinux/apache/bin/httpd//主进程
www    1697 1663 0 09:14 ?    00:00:05 /www/wdlinux/apache/bin/httpd//子进程
www    1698 1663 0 09:14 ?    00:00:05 /www/wdlinux/apache/bin/httpd

The first line shows which user is executing it, mainly under non-root. The above description is that the www user is running the apache process to process php files.

这里需要注意的是，如果有安装php-pfm，则应该还需要查看php-pfm执行时的用户名及用户组。（没有安装，所以没实践过）

默认的可能是nobody或者apache等其它的用户及用户组，上方是已修改过的。此时应该在网站目录中用ls-all来确认下网站文件是属于哪个用户，分几种情况说明下吧：

a、例如网站所有者是这样：

drwxr-xr-x  2 www www 4096 Jun 6 10:23 system
drwxr-xr-x  2 www www 4096 Jun 6 10:23 tmp
-rw-r--r--  1 www www  0 Jun 6 10:23 index.php
...

网站所有者为www，而php执行者也为www，那说明是具有owner权限，上方system文件夹中755中的55根本不起作用，只要是7xx就会以7（rwx）的权限来执行。

b、如果网站所有者是这样：

drwxr-xr-x  2 test www 4096 Jun 6 10:23 system
drwxr-xr-x  2 test www 4096 Jun 6 10:23 tmp
-rw-r--r--  1 test www  0 Jun 6 10:23 index.php
...

网站所有者为test，所属组为www，而php执行者为www，执行组为www，那说明是说在同一组中，具有group权限，上方system文件夹中755中的7和5不起作用，只要是x5x就会以5（rx）的权限来执行。

c、如果网站所有者是这样：

drwxr-xr-x  2 test test 4096 Jun 6 10:23 system
drwxr-xr-x  2 test test 4096 Jun 6 10:23 tmp
-rw-r--r--  1 test test  0 Jun 6 10:23 index.php
...

网站所有者为test，所属组为test，而php执行者为www，执行组为www，那说明是说根本没什么关系，具有other权限，上方system文件夹中755中的75不起作用，只要是xx5就会以5（rx）的权限来执行。

所以不能简单的说修改权限为755，644什么的，还需要确认程序的执行者和网站的所有者才能确定权限。

目前好多集成环境为了省事（嗯，lanmpv3等），将php的执行权限和网站所在目录都设置为www，此时一般创建完目录后为755，创建文件后为644，当php执行时，起作用的目录权限为7（所有目录拥有创建删除权限）和文件权限6（所有文件具有写权限），这种是不是挺不安全的？正常应该是目录为5，文件为4，当有特殊需求时才将权限设为7。如果出现上方说的这种情况，修改的方法一是修改apache/nginx的用户和用户组，二是修改网站文件的所有者和所有组这两个方向来修改，以确保网站的安全。

以上，只是基础的权限说明。

The above is the detailed content of File permission method when PHP is executed under Linux. For more information, please follow other related articles on the PHP Chinese website!