Setting Unix Permissions

When you first activate Web publishing, your Web directory is created with special Unix permissions assigned to it which make it accessible only to you and the Web server. This prevents others from snooping. To ensure that this service works correctly, UW Information Technology recommends that you try to maintain the original permissions of your Web directory; the instructions below are intended to help when it is absolutely necessary to set the Unix permissions for Web pages.

What Causes "Permission Denied"

When the Web server is unable to read files in your Web directory, it responds with an error message:

Permission Denied
You are not authorized to access that resource. If you think you should have access, please contact the owner.

This message often indicates a problem with permissions that you can fix by restoring the original permissions of your Web directory and its contents (see steps below).

Restoring the Special Web Directory Property

In order for the Web server to serve your pages properly, your Web directories need to have a special property set (see the bottom of this page for technical information). In the course of publishing to your website, some of your directories may fail to inherit this property. Follow these steps to restore the property to your Web directory and its contents.

  1. Log into your web development server using a terminal emulator. If you're not sure how to do this, click here for instructions.

  2. At the prompt, enter the following command to apply the correct base permissions to your Web directory:

    chmod 750 public_html

  3. At the prompt, enter the following command, which runs a special tool provided by UW Information Technology for fixing permissions. Don't forget the trailing slash!

    www-fixdir -r public_html/

You may see some printed output. At this point, the special property has been restored to all of your Web directories.

Note: the www-fixdir tool does not change the standard UNIX permissions that you may be familiar with; it only restores the special property necessary for the Web server to serve your pages properly.

Resetting Default File and Directory Permissions

In theory, as long as your Web directory has the right permissions, new files and subdirectories should inherit the right permissions, too. In practice, however, permissions sometimes need adjustment. Use these instructions to restore the correct permissions to files and directories in your Web directory.

  1. Log into your web development server using a terminal emulator. If you're not sure how to do this, click here for instructions.

  2. At the prompt, enter the following command to move into your Web directory:

    cd public_html

    If you want to change permissions of a file or directory located within a subdirectory, change directories again as needed.

  3. Use the chmod command to apply new permissions to your file or subdirectory.
    • HTML files, images, and other "content" files need only to be world-readable. To reset the default permissions of a file, enter the following command at the shell prompt:

      chmod 644 <filename>

      Substitute your filename accordingly.

    • CGI programs need to be executable by you. Use the following command to set the default permissions for these files:

      chmod 744 <filename>.cgi

      Again, substitute your filename accordingly.

      Note: files that are read or written by CGI programs should not be group writable. This poses a security risk and will cause the Web server to respond with a server error ('Premature end of script headers').

    • Subdirectories need to be readable and executable by the Web server. To reset the default permissions of a subdirectory, enter the following:

      chmod 750 <dirname>
      www-fixdir -r <dirname>/

      Substitute your directory name accordingly.

    To learn more about the chmod command, refer to How to Set File Permissions Using chmod.

Technical Details

Here are some technical details about the Unix permissions assigned to Web directories.

  • Each Web directory is owned by the user who activated it and is assigned to the special "www" group. The Web server runs in the "www" group, so this setting is important in determining if the Web server can read files it has been requested to serve.

  • Each Web directory has the set group ID (setgid) bit turned on in order to propagate the "www" group setting to new files and subdirectories.

  • Each Web directory, when the correct permissions are set, has the permissions that list as drwxr-s---. The lowercase "s" represents the setgid bit, overlaid on top of group execute permission.

  • The www-fixdir command provides a method, normally unavailable, to assign the "www" group and turn on the setgid bit.
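To check a tree against the properties listed above without changing anything, a read-only audit along these lines can help. It is an added example, not a UW Information Technology tool: the function names audit_webdir and make_sample_tree and the finding labels are made up here, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not a UW-IT tool). Read-only audit of a Web directory tree
# against the layout in "Technical Details". Prints one finding per line and
# returns 1 if anything was found, 0 if the tree is clean.
# usage: audit_webdir <dir> [group]     group defaults to "www"
audit_webdir() {
    dir=$1
    group=${2:-www}
    [ -d "$dir" ] || { echo "audit_webdir: $dir is not a directory" >&2; return 2; }
    {
        # Anything outside the Web server's group cannot be read through it.
        find "$dir" ! -group "$group" -print | sed 's/^/wrong-group /'
        # Directories without setgid stop propagating the group to new files.
        find "$dir" -type d ! -perm -2000 -print | sed 's/^/no-setgid /'
        # Group-writable files are the risk the CGI note warns about.
        find "$dir" -type f -perm -020 -print | sed 's/^/group-writable /'
    } | sort | awk '{ print } END { exit (NR > 0) }'
}

# Constructed sample tree for trying the audit: one directory without setgid
# and one group-writable file. Prints the path of the sample public_html.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/public_html" "$root/public_html/sub"
    chmod 2750 "$root/public_html"        # drwxr-s---, as the page describes
    chmod 750 "$root/public_html/sub"
    chmod g-s "$root/public_html/sub"     # make sure setgid is missing here
    : > "$root/public_html/index.html"; chmod 644 "$root/public_html/index.html"
    : > "$root/public_html/data.txt";   chmod 664 "$root/public_html/data.txt"
    echo "$root/public_html"
}

# Run against a real directory when one is given on the command line.
if [ $# -gt 0 ]; then audit_webdir "$@"; fi
```

A no-setgid or wrong-group finding is what www-fixdir is meant to repair; a group-writable finding is fixed with the chmod commands given earlier on this page.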

     

Last modified: June 21, 2013