
How to configure ExpressionEngine permissions and ownership

Overview
This article explains how to configure the correct permissions and ownership for files and directories within an ExpressionEngine installation.

Hosting environments

One of the first items to consider, before setting permissions and ownership, is the hosting environment for your site. If you are running Linux, there are two main environments:

  1. PHP scripts run via mod_php or an equivalent, and all scripts are executed as the webserver user.

    This means that when your script is running, it can read, and sometimes write, with the same privilege level as the webserver. This could allow cross-account snooping in shared hosting configurations and is not ideal in a shared environment.

  2. PHP scripts that execute as the user who owns the files themselves via an intermediate construct such as suPHP, PHP suEXEC, PHP-FPM and so forth.

    In this case, your scripts execute as you, which is a more secure overall configuration on a shared server. At Nexcess, this is the more commonly used environment.

    • The second method is preferred given the extra level of security provided by Linux, if the permissions are configured correctly. All Nexcess shared ExpressionEngine plans (EEP) provide this type of environment. It is also preferred because it provides user-based permissions isolation, so stricter ownership and file permissions can be used.

Attention: To make the following changes, you will need SSH access. If you do not have SSH access, see How to enable SSH access, or contact our Nexcess Support Team.

    • If you have access to change the ownership of files and directories, this normally means you have root access. In that case, you can set the user and group ownership of all the files in the ExpressionEngine directory to your local user. This ownership may already be in place in your environment; running the command is simply a precaution.

find </path/to/expressionengine> -exec chown youruser:youruser {} \;

    • To change the Linux file permissions for all directories in your ExpressionEngine webroot to listable, file editable and navigable for the owning user, and only navigable for everyone else, execute the following command:

find </path/to/expressionengine> -type d -exec chmod 711 {} \;

    • You can also change the Linux permissions for all files in your ExpressionEngine webroot to readable and writable by your user and readable only by everyone else. This will produce a baseline where the webserver itself can read all files. It will need read access in order to serve static content like images, CSS and JavaScript files.

find </path/to/expressionengine> -type f -exec chmod 644 {} \;

    • To boost the security of your PHP files, the permissions of these files can be modified to restrict their access. This will restrict others from reading your PHP files, which may contain sensitive information. Issue this command after the previous command that sets files to 644.

find </path/to/expressionengine> -type f -name "*.php" -exec chmod 600 {} \;

    • Some FTP programs may not read and interpret files very well if they are set to permissions of 600. If you run into this issue, set the permissions to 644. At a minimum, you should set the permissions of your ExpressionEngine installation files config.php and database.php to 600. The config.php in the ExpressionEngine system configuration directory contains the license information for your installation, and the database.php located in the same directory contains the database access information. Creating strict permissions for these two files is essential to the security of your site.

find </path/to/expressionengine/system/expressionengine/config> \( -name "config.php" -o -name "database.php" \) -exec chmod 600 {} \;
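To confirm that the commands above took effect, a read-only audit can list every path that deviates from the baseline (directories 711, files 644, PHP files 600, config.php and database.php always 600). This is an added example, not part of the original article; the function name audit_ee_perms and its output labels are hypothetical.

```shell
#!/bin/sh
# Added example: read-only audit of a tree against the article's baseline.
# Usage: audit_ee_perms <root> [owner]   (owner defaults to the current uid)
# Prints "<LABEL> <path>" per deviation; returns 1 if any were found.
audit_ee_perms() {
    root=$1
    owner=${2:-$(id -u)}
    findings=$(
        {
            # Everything should belong to the account user.
            find "$root" ! -user "$owner" | sed 's/^/OWNER /'
            # Directories: 711 (owner full access, others traverse only).
            find "$root" -type d ! -perm 711 | sed 's/^/DIR /'
            # Non-PHP files: 644 so the webserver can serve static content.
            find "$root" -type f ! -name '*.php' ! -perm 644 | sed 's/^/FILE /'
            # config.php and database.php must be 600, with no FTP exception.
            find "$root" -type f \( -name config.php -o -name database.php \) \
                ! -perm 600 | sed 's/^/SECRET /'
            # Other PHP files: 600 preferred; 644 is the FTP fallback, so flag it.
            find "$root" -type f -name '*.php' ! -name config.php \
                ! -name database.php ! -perm 600 | sed 's/^/PHP /'
        } | sort
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as `audit_ee_perms </path/to/expressionengine> youruser`; any SECRET line should be fixed first, since those files hold the database access information.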
