Secure File and Directory Permissions

Importance of Secure File and Directory Permissions

File and directory permissions determine who can read, write, and execute files on a server. Improper configurations can expose sensitive data, allow unauthorized modifications, or provide an entry point for attackers. Ensuring proper permissions enhances security, protects user data, and reduces the risk of cyber threats.

Understanding File and Directory Permissions

1. Permission Types

File and directory permissions are usually categorized into three types:

  • Read (r) – Allows viewing or reading the file contents.

  • Write (w) – Grants permission to modify or delete a file.

  • Execute (x) – Enables execution of a file (e.g., scripts, applications).

2. User Categories

Permissions are assigned to three categories of users:

  • Owner – The user who owns the file or directory (by default, the user who created it).

  • Group – A collection of users who share access to the file.

  • Others (Public) – Every other user on the system, i.e. anyone who is neither the owner nor a member of the group.

3. Numeric Representation (chmod values)

Permissions can be represented using numbers:

  • 4 – Read

  • 2 – Write

  • 1 – Execute

Summing these values determines the permission level:

  • 644 – Read & write for owner, read-only for group and others.

  • 755 – Full control for owner, read & execute for group and others.

  • 600 – Read & write for owner, no access for group or others.
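The conversion between the symbolic string that ls -l prints and the octal value that chmod takes, as an added worked example (not code from the original page). It uses POSIX sh only; the function names mode_to_octal, octal_to_mode and world_writable are this example's own, and the setuid/setgid/sticky letters (s, t) in the execute slot are treated as "execute set" when summing.

```shell
#!/bin/sh
# Added example, not part of the original page: convert between the symbolic
# permission string shown by `ls -l` (e.g. rwxr-xr-x) and the octal value
# taken by chmod (755). POSIX sh only, so it runs on any Linux/BSD host.

# mode_to_octal "rwxr-xr-x" -> prints 755
# Each group of three characters (owner, group, others) is summed as
# read=4, write=2, execute=1, exactly as the page describes.
mode_to_octal() {
    s=$1
    if [ "${#s}" -ne 9 ]; then
        echo "mode_to_octal: expected 9 characters, got '$s'" >&2
        return 1
    fi
    out=""
    i=1
    while [ "$i" -le 9 ]; do
        triplet=$(printf '%s' "$s" | cut -c"$i"-"$((i + 2))")
        n=0
        case $triplet in r??) n=$((n + 4)) ;; esac
        case $triplet in ?w?) n=$((n + 2)) ;; esac
        # s or t in the execute slot (setuid/setgid/sticky) still means execute is set
        case $triplet in ??[xst]) n=$((n + 1)) ;; esac
        out="$out$n"
        i=$((i + 3))
    done
    printf '%s\n' "$out"
}

# octal_to_mode 644 -> prints rw-r--r--
octal_to_mode() {
    o=$1
    if [ "${#o}" -ne 3 ]; then
        echo "octal_to_mode: expected 3 digits, got '$o'" >&2
        return 1
    fi
    out=""
    for d in $(printf '%s' "$o" | sed 's/./& /g'); do
        r=-; w=-; x=-
        if [ $((d & 4)) -ne 0 ]; then r=r; fi
        if [ $((d & 2)) -ne 0 ]; then w=w; fi
        if [ $((d & 1)) -ne 0 ]; then x=x; fi
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}

# world_writable 777 -> exit status 0 (true); world_writable 644 -> 1 (false).
# Tests the write bit of the "others" digit, the condition behind the page's
# warning about 777.
world_writable() {
    o=$1
    last=${o#"${o%?}"}            # last digit = permissions for "others"
    [ $((last & 2)) -ne 0 ]
}

# Demo when run directly with arguments, e.g.:  sh perms.sh rwxr-xr-x 600 777
for arg in "$@"; do
    case $arg in
        [0-7][0-7][0-7]) octal=$arg; sym=$(octal_to_mode "$arg") ;;
        *)               sym=$arg;   octal=$(mode_to_octal "$arg") ;;
    esac
    flag=""
    if world_writable "$octal"; then flag="  <- world-writable"; fi
    printf '%s = %s%s\n' "$sym" "$octal" "$flag"
done
```

Running it with 777 as an argument prints the world-writable marker, which is the quick check the audit section later recommends.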

Best Practices for Secure File and Directory Permissions

1. Secure File Permissions

  • Set 644 for most files (read & write for owner, read-only for group and others).

  • Set 600 for sensitive configuration files (owner-only access).

  • Avoid 777 (read, write and execute for every user on the system), because it lets any account modify or replace the file.

2. Secure Directory Permissions

  • Set 755 for public directories (owner can modify, others can read & execute).

  • Set 700 for private directories (only the owner can access).

  • Restrict access to system directories with 750 or 700 to prevent unauthorized execution.

3. Restrict Access to Configuration Files

  • wp-config.php (WordPress), .env (Laravel, Node.js), and database config files should have 600 permissions so that no account other than the file's owner can read them.

  • Use .htaccess to restrict access to sensitive files:

    <Files wp-config.php>
        # Apache 2.2 syntax (needs mod_access_compat on 2.4); the 2.4 form is "Require all denied"
        Order Allow,Deny
        Deny from all
    </Files>

4. Use the Principle of Least Privilege (PoLP)

  • Only grant the minimum required permissions to users and processes.

  • Avoid giving write permissions to all users.

  • Remove unnecessary user accounts with file access.

5. Prevent Execution of Files in Upload Directories

Attackers often exploit upload directories by executing malicious scripts. To block execution:

  • Create an .htaccess file in the upload directory with:

    <FilesMatch "\.(php|pl|py|cgi|sh)$">
        # Apache 2.2 syntax (needs mod_access_compat on 2.4); the 2.4 form is "Require all denied"
        Order Deny,Allow
        Deny from all
    </FilesMatch>

6. Regularly Audit File Permissions

  • Use ls -l (Linux) or icacls (Windows) to check file permissions.

  • Regularly scan for files with 777 permissions and correct them.

  • Monitor access logs for unauthorized modifications.

7. Use Secure File Ownership Settings

  • Assign proper ownership using chown:

    # owner "user", group "group"; add -R to apply to a directory tree
    chown user:group filename

  • Ensure web server files are owned by the correct system user (e.g., www-data for Apache/Nginx).

Automating Secure File Permissions

  • Use cron jobs or scheduled scripts to enforce correct file permissions:

    # directories: rwxr-xr-x
    find /var/www/html -type d -exec chmod 755 {} \;
    # regular files: rw-r--r--
    find /var/www/html -type f -exec chmod 644 {} \;

  • Configure server security tools (e.g., Fail2Ban, ModSecurity) to monitor file changes.
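An audit-and-enforce script that combines sections 5 and 6 with the automation step above, as an added example (not code from the original page). It assumes a Linux host with GNU findutils and coreutils (find -exec ... +, stat -c); the function names, the web root and upload-directory arguments, and the sample tree built by make_sample_tree are this example's own, constructed so the script can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original page. Audits a web root for the
# three problems the page calls out (world-writable paths, readable config
# files, executable files in the upload directory), then applies the page's
# baseline: 755 directories, 644 files, 600 config files.
# Assumes GNU stat/find (Linux). Usage:  sh harden.sh /var/www/html uploads

# Octal permission of a path, e.g. 644 (GNU stat).
perm_of() {
    stat -c '%a' "$1"
}

# Print one finding per line; exit status 0 when clean, 1 otherwise.
#   world-writable:    "others" write bit set on a file or directory (666, 777, ...)
#   config-too-open:   wp-config.php / .env with any group or other access
#   executable-upload: a file under the upload directory with any execute bit
audit_perms() {
    root=$1
    uploads=$2
    findings=$(
        find "$root" \( -type f -o -type d \) -perm -0002 -print | sed 's/^/world-writable: /'
        find "$root" -type f \( -name wp-config.php -o -name .env \) -print |
            while IFS= read -r f; do
                case $(perm_of "$f") in
                    ?00) ;;                                  # owner-only: fine
                    *) printf 'config-too-open: %s (%s)\n' "$f" "$(perm_of "$f")" ;;
                esac
            done
        if [ -d "$root/$uploads" ]; then
            find "$root/$uploads" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print |
                sed 's/^/executable-upload: /'
        fi
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Apply the baseline from the page. The 644 pass strips execute bits from
# uploaded files; keep the .htaccess rule from section 5 as well so the web
# server refuses to run them even if a bit is set again later.
harden_webroot() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type f \( -name wp-config.php -o -name .env \) -exec chmod 600 {} +
}

# Constructed sample tree with one instance of each problem the audit finds.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/uploads" "$root/cache"
    printf '<html></html>\n' > "$root/index.html"
    chmod 644 "$root/index.html"
    printf '// placeholder config\n' > "$root/wp-config.php"
    chmod 644 "$root/wp-config.php"            # too open: group/others can read it
    printf '# placeholder upload\n' > "$root/uploads/upload.php"
    chmod 755 "$root/uploads/upload.php"       # executable file in the upload directory
    chmod 777 "$root/cache"                    # world-writable directory
    printf '%s\n' "$root"
}

# Audit, fix, re-audit when run with a web root and an upload subdirectory.
if [ $# -eq 2 ]; then
    audit_perms "$1" "$2" || true
    harden_webroot "$1"
    if audit_perms "$1" "$2"; then echo "clean: $1"; fi
fi
```

Scheduling the script from cron reproduces the two find commands above while also reporting what it changed, which is the evidence an audit trail needs; the ownership step (chown to the web server account) is deliberately left out because it requires root and is best done once at deployment.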

Summary of Secure File and Directory Permissions

File Type              Recommended Permission
---------------------  ----------------------
Public HTML files      644
Configuration files    600
Executable scripts     755
Upload directories     755 (block execution)
Private directories    700

Applying proper file and directory permissions is essential for website security, data protection, and performance optimization. Regular audits, automation, and following security best practices help prevent unauthorized access and cyber threats.
