Last Modified: 08.07.2020

Access permissions configuration

You (or your hosting service) can configure access permissions on the remote server as desired, but the result must always be the same: scripts must be able to access files for both reading and writing, which means that the primary "user" under which the Apache server runs must be able to access files in both of these modes.

At the same time, on shared hosting, other users must not be able to read or write your files via their scripts. Your "user" should be able to overwrite files via FTP as well as modify uploaded files from within scripts.

The problem is that each hosting provider has their own security policy and preferences.

Some hosting providers launch the server process under user nobody:group by default. The files that a hosting client stores on the server must be accessible to Apache. This means that either they have the read attribute set for all users, or the user (file owner) and the server belong to the same group. In the latter case, files must be readable by the group members (FTP servers assign this kind of permission).

This approach seriously weakens security, because if all users belong to the same group, they can read each other's files. Say a user opens a page in the browser that runs a CGI script. Since the script is in fact executed by the Apache server, which runs under nobody, the script runs with the permissions assigned to that user.

Bitrix24 remains fully functional with any access permissions that you specified at installation time.

For Bitrix24 to work correctly with your CHMOD settings, set the following constants in /bitrix/php_interface/dbconn.php:

define("BX_FILE_PERMISSIONS", 0644); 
define("BX_DIR_PERMISSIONS", 0755);

These are the standard permission settings used on the majority of hosting types. Should any problems occur, please contact your hosting provider's support service.

You can set the access permission level manually by using CHMOD in the console.

The following command sets the access permission level for both files and folders:

chmod -R 644 *

You can use the following command to set rights for folders only (a directory needs the execute bit, which mode 644 lacks, before it can be entered):

find . -type d -exec chmod 0755 {} ';'

If you need to set different rights on folders and files, run the following script:

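<?php 
// Modes applied to files and directories (same values as in dbconn.php).
define("BX_FILE_PERMISSIONS", 0644); 
define("BX_DIR_PERMISSIONS", 0755); 

// Recursively apply the modes above to everything below $path.
function chmod_R($path) { 

   $handle = opendir($path); 
   if ( $handle === false ) { 
     return; // directory cannot be opened, skip it
   } 
   while ( false !== ($file = readdir($handle)) ) { 
     if ( ($file !== ".") && ($file !== "..") ) { 
       $item = $path . "/" . $file; 
       if ( is_link($item) ) { 
         continue; // do not follow symbolic links out of the tree
       } 
       if ( is_file($item) ) { 
         chmod($item, BX_FILE_PERMISSIONS); 
       } 
       elseif ( is_dir($item) ) { 
         chmod($item, BX_DIR_PERMISSIONS); 
         chmod_R($item); 
       } 
     } 
   } 
   closedir($handle); 
} 

// Start from the directory that contains this script.
$path=dirname(__FILE__); 
umask(0); 
chmod_R($path); 
echo $path; 
?>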
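
A console equivalent of the script above, given here as an added example rather than Bitrix24's own code: it applies 0755 to directories and 0644 to files with find, then lists anything that group members or other users can still write to. The function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example; function names are hypothetical. The modes mirror
# BX_FILE_PERMISSIONS / BX_DIR_PERMISSIONS from the page.
FILE_MODE=644
DIR_MODE=755

# Directories first so they stay traversable, then regular files.
# find does not follow symbolic links unless told to, so links that point
# outside the tree are left alone.
apply_modes() {
    find "$1" -type d -exec chmod "$DIR_MODE" {} + &&
    find "$1" -type f -exec chmod "$FILE_MODE" {} +
}

# List files and directories that group members or all users can write to.
audit_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# List entries whose mode differs from the expected one.
audit_modes() {
    find "$1" -type f ! -perm "$FILE_MODE" -print
    find "$1" -type d ! -perm "$DIR_MODE" -print
}

# Constructed sample tree with deliberately loose modes.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/upload/tmp"
    echo '<?php' > "$t/index.php"
    echo 'data' > "$t/upload/tmp/cache.dat"
    chmod 666 "$t/index.php" "$t/upload/tmp/cache.dat"
    chmod 777 "$t/upload" "$t/upload/tmp"
    echo "$t"
}

tree=$(make_sample_tree)
echo "Before (writable by group or others):"; audit_writable "$tree"
apply_modes "$tree"
echo "After (writable by group or others):"; audit_writable "$tree"
echo "After (unexpected modes):"; audit_modes "$tree"
rm -rf "$tree"
```

On a real site, run apply_modes and the two audit functions against the document root instead of the sample tree.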

Some FTP clients allow you to set rights for files and folders recursively, for example FlashFXP version 3.xx.

Please make sure to check the appropriate boxes:

Separately set File and Folder attributes; 
Apply changes to all subfolders and files

Each instance has its own level:

 
[Screenshots: Folder permissions; File permissions]

Important: The Site Explorer allows you to view the system-level attributes of files and folders.

When viewing the file structure in the Site Explorer, you can see the level of access rights to files and folders for each user group in the Access permissions column by using the Extended button.



Courses developed by Bitrix24