The UNIX security model allows you to set different levels of access to a file for different groups of people. This allows you to let the web server modify a file via a CGI script, for instance, while preventing other users from having normal access to the file. There are three groups in terms of file access, and three different permission types they can receive.

The groups are:

• User/Owner - the "user" group consists only of the owner of the file (your account, in most cases)
• Group - the "group" group consists of the other users on the server -- you can usually remove their permissions entirely if you think it necessary
• Other/World - the "other" group consists of everyone else -- most imporantly, the web server falls into the "other" category

The potential permissions are:

• Read - the read permission allows a user or program the ability to read the data in a file
• Write - the write permission allows a user or program the ability to write new data into a file, and to remove data from it
• Execute - the execute permission allows a user or program the ability to execute a file, if it is a program or script.

To keep things simple, let's make the following assumptions:

• pages should be readable/writable by the owner and readable by the web visitor.
• scripts should be readable/writable/executable by the owner and readable/executable by the web visitor.
• data-config files should be readable/writable by the owner and readable/writable by the web visitor.

And also, lets use the following abbreviations:

• --- (or 0) = no permission
• r-- (or 4) = read-only permission
• rw- (or 6) = read/write permission
• r-x (or 5) = read/execute permission
• rwx (or 7) = read/write/execute permission

Sometimes you'll see these numbers referenced for a script. For instance, "chmod your script to "755" or "777". That means "set file permissions to "Read-Write-Execute/Read-Execute/Read-Execute". "755" is in fact the most common setting for CGI/Perl scripts - if your script does not work or you get an "Internal Server Error" when you run it try this first.

To change file permissions using your FTP software:

1. Download an FTP software like CuteFTP or WS_FTP.

2. Log into your account and go to the directory where the files are located.

3. Highlight the file or directory that you want to change permission.

4. Locate the "file permission" or "chmod" command on your FTP software software (you may need to refer to the manual or help file).

There should be three groups. Each group should have either checkboxes or a selection for the permission type.

1. set pages to rw- for the owner, no permission for the group, and r--for other

2. set scripts to rwx for the owner, no permission for the group, and r-x for other

3. set data/config files to rw- for the owner, no permission for the group, and rw- for other.

To change file permissions using your Control Panel - File Manager:

1. Log into your account Control Panel (mydomain.com/cpanel) and go to the File Manager, and then the "WWW" or "public_html" folder.

2. Identify the file that you want to change permission by clicking on the file/directory link.

After selecting the link the right menu will update itself and show you a list of things you can do to the file/directory. At this point select "Change Permissions. A box like below will load:

There should be three groups. Each group should have checkboxes for the permission types.
Definitions: (User=Owner, Group=Group, World=Other/Public)

1. set plain html pages to rw- for the user, no permission for the group, and r--for world (default)

2. set scripts to rwx for the user, r-x for the group, and r-x for world

3. set data/config files to rw- for the user, no permission for the group, and rw- for world

Select "Change" to finish.

If you are working while connected via telnet or ssh, the chmod command is used to set or change file permissions. chmod has two distinct methods of operation.

In the first, and perhaps easier method, the letters u (for user), g (for group), and o (for other), along with the letters r (for read permission, w (for write permission, and x (for execute permission) are used with + (plus),- (minus), and = (equals) to alter permissions from a file. Some examples:

chmod u=rwx file.html chmod g-rwx secret.txt chmod o+rwx weblog.txt chmod u=rwx,g-rwx,o=r other.html

In the first example, the "user" group (u) is given read (r), write (w), and execute (x) permissions to the file "file.html". In the second, the "group" group (g) has read, write, and execute permissions subtracted for file secret.txt, effectively making it inaccessible to that group. In the third example, the "other" group is given all permissions to the file, allowing that group (which includes the web server) to access and modify it fully. This is most useful when a CGI script needs access to a certain file.

The last example makes use of commas, which allow you to set individual permissions for each user. It is used to give all permissions to your username, take away all permissions for other users on the server, and give read access to the "other" group. This setting overall is useful to prevent casually browsing of a file by other users on the server, while allowing yourself full access to it and allowing the web server to process browser requests for it.

In the second method, special numeric codes are used in place of the letters system. Each permission level is assigned a value, as per the following chart:

Permission	Value
execute	1
write	2
read	4
no permissions	0

To determine the value of a set of permissions, their numbers are added. For instance, the numeric code 5 equals execute and read permissions (1 (execute) + 4 (read) = 5). This leaves eight possible combinations for each group, as shown in this table:

Numeric Value	Permissions
0	no permissions
1	execute permission
2	write permission
3	write and execute permissions
4	read permission
5	read and execute permissions
6	read and write permissions
7	read, write, and execute permissions

To use chmod with numerical permissions, a three digit number is formed. The first indicates the permissions that "user" should receive, the second indicates what "group" should receive, and the last indicates what "other" would receive. Some examples:

chmod 700 private.txt chmod 755 normal.txt chmod 707 forwebserver.txt

The first example gives all permissions to user (7), and no permissions to group or other (the zeroes). The second again gives all permissions to user, and gives read and execute permissions (5) to group and other. The last gives all permissions to user and other, but gives no permissions to group.

Common Numeric Codes In various articles and instructions, both here in the Support Forum and elsewhere, may ask you to use chmod to set specific permissions on files. The chart below indicates the meanings of common numeric codes you may see:

Numeric Code	Permissions
700	User: read, write, execute Group: none Other: none
755	User: read, write, execute Group: read, execute Other: read,execute
777	User: read, write, execute Group: read,write,execute Other: read,write,execute
707	User: read, write, execute Group: none Other: read, write, execute

NOTES: Code 707 can usually be substituted for 777, and is a little more secure as it cuts out direct access by other users. "Other" must maintain at least read access to any normal file in your web space, in order for the web server to be able to serve it to your site viewers.

Viewing Current File Permissions

While logged in via telnet or ssh, you can view the current permissions of a file or directory with the "ls -la" command:

bash$ ls -la file.txt -rwxr--rw- 1 username users 368640 Aug 23 13:59 file.txt

The first field has 10 slots. The first will always be a dash (-) in the case of a file and "d" if it is a directory. The next three indicate permissions for "user" using the letters r, w, and x. In this case, user has read, write, and execute permissions. The next three slots indicate the permissions for "group." In this example, group has read permissions, but not write or execute. The last three slots show permissions for "other" -- other has read and write permissions, but not execute.