File and directory permissions


by Peter Diercks -
Number of replies: 13
Hello,

This topic is a bit confusing to me. Files and directory permissions touch the system's security as well as its functioning. I am still new to Moodle and I cannot find out about each and every single setting. So I am looking for rather safe general solutions which do not cause sudden malfunctions of the system.
From other postings and Moodle documents I took the following options as possible choices:

/moodledata --- user:group = www-data:www-data (Apache under Debian Linux)
Permissions --- Directories: 700, Files: 600

/moodle --- user:group = root:root
Permissions --- Directories: 750 or 755, Files: 640 or 644

My questions:
Are these settings too tight? Which should I choose? Or should I choose totally different ones instead? If so, which?
How do I set permissions recursively using chmod if different settings apply to directories and their files? Is this really necessary?

Thanks for your help,
Peter


In reply to Peter Diercks

Re: File and directory permissions

by Howard Miller -
How tight you need the permissions depends almost entirely on this being a shared server or not. If it is solely a web server to which only the administrator has access then you can be quite slack with permissions. If it has many users then you probably need to be more restrictive still.

Generally speaking what you are suggesting will do fine. I've never bothered restricting the files more than the directories (tricky to achieve I would think, in any case).
In reply to Howard Miller

Re: File and directory permissions

by Peter Diercks -
Sorry, I forgot to mention that my machine is an external rootserver, so there is no local access, and root is the only "user" to log in.
In reply to Peter Diercks

Re: File and directory permissions

by Richard Enison -
PD,

Yes, I think that 750 and 640 for the moodle folder (directory) is too tight, especially if it is going to be owned by root. That 0 means that Apache won't even be able to read anything, so none of the PHP scripts will work. 755 and 644 might be okay, but I'm not 100% sure about the 644.

As for how to set the permissions recursively to be different for files and folders, that's a good question. Offhand I don't know if this is possible with chmod, although you could of course set everything to 644 recursively and then set each folder to 755 individually. One could write a shell script or php script to do that, but if you're not a programmer, why not just use 755 for everything? That's what the FAQ on the 500 error suggests doing under certain circumstances.

Alternatively, you could use ls recursively to create a text file containing all the files and folders in moodle and all its subfolders, pipe it to grep to select only the folders (again, there is probably an option in ls to do that, but I don't know it offhand), then use a text editor search and replace all command to turn each line into a chmod command. The end result of that process could be run as a shell script to change the permissions of all the folders to 644.

RLE
In reply to Richard Enison

Re: File and directory permissions

by Richard Enison -
PD,

I have now looked up the Unix standard for chmod and ls. It looks like chmod doesn't have any options besides R. The ls command does not have an option to list only folders, but the p option causes a slash to be displayed after each folder name, making it easier to grep them. The m option normally lists names only across each line of output, while the 1 option forces the output to one entry per line. There is no indication that the two options are incompatible (m and l are), so presumably if you use both you get names only but one per line. So the options I would use are R, 1, m, and p:

ls -R1 -mp | grep -F '/' > shellscriptfile

RLE
In reply to Richard Enison

Re: File and directory permissions

by Peter Diercks -
Richard,

Maybe someone else will profit from your sophisticated solution for selective changes of permissions. I guess before I am done with it I could have retyped all directory permissions as well... (big grin) Thank you very much, anyway!

But still I am not sure what to do now. Simply assigning 755 to all directories and files in /moodle and /moodledata?

Peter

In reply to Peter Diercks

Re: File and directory permissions

by Howard Miller -
Yes smile (I hope)

It only gets *really* interesting if you are on some sort of shared site. 755 is fine.
In reply to Richard Enison

Re: File and directory permissions

by Iñaki Arenaza -
If you are on Unix/Linux (and you probably are if you are talking about chmod and octal permissions wink), then 'find' is what you are looking for:


find /path/to/moodle/ -type d -exec chmod 755 {} ";"
find /path/to/moodle/ -type f -exec chmod 644 {} ";"


That will take care of it. If you are one of those one-liner geeks, you can even pack it in one command (but I think the commands above are far easier to read/type and understand):


find /path/to/moodle/ \( -type d -exec chmod 755 {} ";" \) -o \( -type f -exec chmod 644 {} ";" \)


Saludos. Iñaki.
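
The two find passes from the post above, wrapped with a verification step, as an added example that is not part of the original post. The function names set_tree_perms and audit_tree_perms are assumptions made for this illustration; the modes and paths in the usage comments are the ones discussed in this thread.

```shell
#!/bin/sh
# Added example: apply separate directory/file modes to a tree, then verify.
# Function names are hypothetical, not part of Moodle or any standard tool.

# set_tree_perms ROOT DIRMODE FILEMODE
# find does not follow symlinks by default, so a link pointing outside ROOT
# is never chmod'ed. "{} +" passes many paths to each chmod invocation
# instead of starting one process per file.
set_tree_perms() {
    root=$1 dmode=$2 fmode=$3
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    find "$root" -type d -exec chmod "$dmode" {} + &&
    find "$root" -type f -exec chmod "$fmode" {} +
}

# audit_tree_perms ROOT DIRMODE FILEMODE
# Prints every directory or regular file whose mode is not exactly the
# expected one. No output means the tree is consistent.
audit_tree_perms() {
    root=$1 dmode=$2 fmode=$3
    find "$root" \( \( -type d ! -perm "$dmode" \) -o \
                    \( -type f ! -perm "$fmode" \) \) -print
}

# Usage with the values from this thread (run as root on the server):
#   set_tree_perms   /path/to/moodle     755 644
#   set_tree_perms   /path/to/moodledata 700 600
#   audit_tree_perms /path/to/moodle     755 644
```

Running the audit again after an upgrade or a plugin install shows whether any new files arrived with looser modes than intended.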

In reply to Iñaki Arenaza

Re: File and directory permissions

by Richard Enison -
IA,

Yes, that's the kind of thing I had in mind when I said you could write a shell script to do it automatically. I had a hunch there was a command that would select regular files or directories with an option (must be a dim, distant memory) but I didn't know (or remember) offhand what command did that.

RLE
In reply to Richard Enison

Re: File and directory permissions

by Ken Scott -
Filezilla has an option to recursively change permissions for those of us who prefer a GUI!

Ken
In reply to Peter Diercks

Re: File and directory permissions

by Iñaki Arenaza -

/moodle --- user:group = root:root Permissions --- Directories: 750 or 755, Files: 640 or 644

This looks like copy&pasted from http://docs.moodle.org/en/Security#Most_secure.2Fparanoid_file_permissions, except that the group for the directories/files specified there is 'the apache group'. That way, if you use 750 or 640 as the permissions, then the web server will still have access to the files.

Anyway, as Howard says, if there are no local users on the machine, 755 for directories and 644 for files is more than enough.

Saludos. Iñaki.