Security is paramount for ecommerce websites and applications since site transactions may include customer credit card data and will almost certainly include physical addresses, email addresses, and other personal information.
Sites developed on Linux or other Unix-like web servers have some basic file security built in. For example, each file is typically created so that only its author can read, write, or execute it. But often it is necessary to change file permissions so that ecommerce content management systems, server plugins, or even server-side scripting libraries can access files or folders.
An example might be server-side caching. Imagine that the site you're building will include a synopsis of the retailer's Twitter tweets or will show the retailer's most recent Facebook activity in a page sidebar. Rather than having your web server ping Twitter or Facebook's web server every time a request is made, you might set up a cache that collects the updated feed activity every hour or half hour. In order to save those tweets and posts, you'd create a new cache folder and grant the system permission to write to and read from that folder.
Unfortunately, web developers, particularly front-end developers, are not always familiar with server file permissions and may grant too much permission, say 777, potentially opening a folder to hackers, man-in-the middle attacks or worse, when all what was required was 764. And what is the difference between 777 and 764? Please let me explain.
Octal Notation
File and folder permissions are often expressed in a series of three numbers, 777, 764, 544, or 444. These numbers are written using an eight- or octal-based notation that includes the digits 0-to-7.
Where file and folder permission settings are concerned, each of the eight digits in octal notation has particular meaning that describes whether or not a user or agent may read (r), write (w), or execute (x) a particular file or folder.
0 --- no permission of any kind
1 --x execute only
2 -w- write only
3 -wx write and execute
4 r-- read only
5 r-x read and execute
6 rw- read and write
7 rwx read, write, or execute
So if a user is granted permission 7, that user has full access to read the contents of the file or folder, change those contents, or, when it makes sense, run the software. But this only explains one digit, and the file and folder permissions in question actually have three digits.
User, Group, and World
In order, the first digit grants permission to a specific user, typically the author. The second digit grants group or category permission—all administrators for example. And the third digit represents other users or, as it is often described, the entire world.
With this in mind, granting 777 permission means that you are giving the user, the group, and the world full access to the file or folder, which can be risky depending on what the folder or file does or contains. Likewise, 744 gives the author full access, but restricts everyone else to just reading the content.
Which Permission Settings Should You Use?
Of course, knowing which level of permission to grant is not easy and will likely vary from project to project. But at least now you're informed enough to make a good choice.
Resources
- Brian Hatch's article, Linux File Permission Confusion
- Groups explained in The Linux Cookbook
- Red Hat's user, private, group scheme for permissions
- WordPress codex on changing file permissions
- How Do UNIX File Permissions Work, from Joomla documentation
- Unix permission help from Zzee
