# Secure File and Directory Permissions

#### Importance of Secure File and Directory Permissions

File and directory permissions determine who can read, write, and execute files on a server. Improper configurations can expose sensitive data, allow unauthorized modifications, or provide an entry point for attackers. Ensuring proper permissions enhances security, protects user data, and reduces the risk of cyber threats.

#### Understanding File and Directory Permissions

**1. Permission Types**

File and directory permissions are usually categorized into three types:

* **Read (r)** – Allows viewing or reading the file contents.
* **Write (w)** – Grants permission to modify or delete a file.
* **Execute (x)** – Enables execution of a file (e.g., scripts, applications).

**2. User Categories**

Permissions are assigned to three categories of users:

* **Owner** – The user who created the file or directory.
* **Group** – A collection of users who share access to the file.
* **Others (Public)** – Any user with access to the system.

**3. Numeric Representation (chmod values)**

Permissions can be represented using numbers:

* **4** – Read
* **2** – Write
* **1** – Execute

Summing these values determines the permission level:

* **644** – Read & write for owner, read-only for others.
* **755** – Full control for owner, read & execute for others.
* **600** – Full access for owner, no access for others.

#### Best Practices for Secure File and Directory Permissions

**1. Secure File Permissions**

* Set **644** for most files (**read & write for owner, read-only for others**).
* Set **600** for sensitive configuration files (**owner-only access**).
* Avoid setting **777** (full access to everyone) as it allows unauthorized modifications.

**2. Secure Directory Permissions**

* Set **755** for public directories (**owner can modify, others can read & execute**).
* Set **700** for private directories (**only the owner can access**).
* Restrict access to system directories with **750** or **700** to prevent unauthorized execution.

**3. Restrict Access to Configuration Files**

* **wp-config.php (WordPress)**, **.env (Laravel, Node.js), and database config files** should have **600** permissions to prevent unauthorized access.
* Use **.htaccess** to restrict access to sensitive files:

  ```apache
  <Files wp-config.php>
      Order Allow,Deny
      Deny from all
  </Files>
  ```

**4. Use the Principle of Least Privilege (PoLP)**

* Only grant the minimum required permissions to users and processes.
* Avoid giving **write permissions to all users**.
* Remove unnecessary user accounts with file access.

**5. Prevent Execution of Files in Upload Directories**

Attackers often exploit upload directories by executing malicious scripts. To block execution:

* Create an **.htaccess** file in the upload directory with:

  ```apache
  <FilesMatch "\.(php|pl|py|cgi|sh)$">
      Order Deny,Allow
      Deny from all
  </FilesMatch>
  ```

**6. Regularly Audit File Permissions**

* Use **ls -l (Linux)** or **icacls (Windows)** to check file permissions.
* Regularly scan for files with **777 permissions** and correct them.
* Monitor access logs for unauthorized modifications.

**7. Use Secure File Ownership Settings**

* Assign proper ownership using **chown**:

  ```bash
  chown user:group filename
  ```
* Ensure **web server files are owned by the correct system user** (e.g., **www-data for Apache/Nginx**).

#### Automating Secure File Permissions

* Use cron jobs or scheduled scripts to **enforce correct file permissions**:

  ```bash
  find /var/www/html -type d -exec chmod 755 {} \;
  find /var/www/html -type f -exec chmod 644 {} \;
  ```
* Configure **server security tools (e.g., Fail2Ban, ModSecurity)** to monitor file changes.

#### Summary of Secure File and Directory Permissions

| File Type           | Recommended Permission |
| ------------------- | ---------------------- |
| Public HTML Files   | 644                    |
| Configuration Files | 600                    |
| Executable Scripts  | 755                    |
| Upload Directories  | 755 (block execution)  |
| Private Directories | 700                    |

Applying proper file and directory permissions is essential for **website security, data protection, and performance optimization**. Regular audits, automation, and following security best practices help prevent unauthorized access and cyber threats.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://learn.sitecove.com/how-to-guides/website-security-and-maintenance/securing-your-website/advanced-security-measures/secure-file-and-directory-permissions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.