HTML Logo by World Wide Web Consortium ( Click to learn more about our commitment to accessibility and standards.

Moving forward with Composr

ocPortal has been relaunched as Composr CMS, which is now in beta. ocPortal 9 will be superseded by Composr 10.

Head over to for our new site, and to our migration roadmap. Existing ocPortal member accounts have been mirrored.

ocPortal Tutorial: Linux file permissions

Written by Chris Graham, ocProducts
Most ocPortal sites are hosted on Linux web servers. Linux uses the traditional file permission scheme from Unix, which is actually a very simple scheme in terms of what can be done, but technically complex to understand. ocPortal requires special file permissions for any uploaded file or directory that it needs to write to.

This tutorial is intended to cover the theory behind the permissions ocPortal needs on most web hosts, and give practical explanations on how to work with them. It is not intended as a discussion on the relative merits of different server configurations, which is covered in the 'Security' tutorial.

How Linux file permissions work

Each file and directory on Linux has three numbers associated with it:
  • the number of the user that 'owns' it
  • the number of the group that 'group owns' it
  • the number that stores the file permissions

The file permission number (basically) is a number consisting of 3 parts (not 3 digits but 3 octets, as they can only be 0-7, not 0-9). From left-to-right, the numbers signify:
  • permissions that the 'owner' user has for it
  • permissions that the 'group owner' group has for it
  • permissions that anyone ('everyone') on the system has, irrespective of what groups they are in or what user they are

Each of these parts has a number range from 0-7, that is made up by a process of addition:
  • start with the number zero
  • if execute permission is needed, add 1
  • if write permission is needed, add 2
  • if read permission is needed, add 4

Execute permission is never needed in ocPortal for files as even the PHP files that are executed aren't done so directory (except on some unusual server configurations). However, execute permission for a directory actually signifies permission to list the contents of the directory, so this should always be present, and in ocPortal, is present for 'everyone'.

Permissions can actually be written out in a more human readable form in the following format as 'rwx rwx rwx' where any of those symbols are replaced with a dash if a permission is not given, and each triplet of symbols represents one of the numeric parts.

Common file permissions are:
  • 777 (rwx rwx rwx) – directories that everyone can write to
  • 755 (rwx r-x r-x) – directories that everyone can read but only the owner can write files into
  • 666 (rw- rw- rw-) – files that everyone can write to
  • 644 (rw- r-- r--) – files that everyone can read but only the owner can write to

The process of setting file permissions is often referred to as 'chmodding', as the Linux command to change file permissions is 'chmod'.

PHP Web applications

Thumbnail: A typical error that is due to bad file permissions (on the 'FR' directory in this case)

A typical error that is due to bad file permissions (on the 'FR' directory in this case)

Most web servers run PHP scripts with the credentials of a user named 'nobody'. Therefore the user 'nobody' needs to be able to do everything ocPortal needs to do. Unfortunately the main problem with permissions that make them so tricky with PHP web applications is that the user used to upload files is not 'nobody', and 'nobody' is not in the same primary group as the FTP user either. There is usually no convenient way to change ownership of a file so as to assign them to 'nobody', and if it was done, it would be a security problem anyway (as the entire installation directory would be writeable to by any PHP script on the server). Therefore, if ocPortal is to write to any uploaded file, it must be possible for any user to do so – and hence permissions must be set as such.

Consider these situations:
  • ocPortal needs to run – it therefore needs to be able to list the contents of all its directories and read all its files – this means there must be 'world read permission' (permission for anyone to read the file/directory) for all files and directories, and 'world execute permission' for all directories – this is almost always provided by default fortunately, so does not need to be set
  • ocPortal needs to add a file to collaboration/pages/comcode_custom/FR – to make a file into a directory, there must be write permission for that directory – therefore either the directory must have been made by ocPortal automatically, or the directory needs 'world write permission' (permission for anyone to write to the directory)
  • ocPortal needs to add a file to collaboration/pages/comcode_custom/EN – as above, however the ocPortal quick installer would have given this directory the necessary permissions during installation
  • ocPortal needs to modify a file themes/mytheme/templates_custom/GLOBAL_HTML_WRAP.tpl – usually this would not be a problem, as it would have been created by PHP when the GLOBAL_HTML_WRAP.tpl was overridden from that of the default theme, and hence owned by 'nobody' – however, if the theme was uploaded manually then the file would need to be given 'world write' permission
  • ocPortal needs to delete themes/mytheme/templates_cached/EN/GLOBAL_HTML_WRAP.tcp (this happens a lot when editing things and ocPortal tries to clear caches) – as above, normally there would be no problem, but if a webmaster uploads new templates it is often useful for them to delete the .tcp files themselves manually and allow ocPortal to regenerate them

Thumbnail: Changing permissions of a directory using FTP

Changing permissions of a directory using FTP

The gist of these situations is quite simple:
If ocPortal made something itself, it can write to/into it, without problem, but it also needs to be writeable by the webmaster via FTP so is given 'world write' permissions. If a file was uploaded and ocPortal needs to write to/into it, and the quick installer couldn't set permissions for it (usually because it was added after installation), then 'world write' permissions need setting manually.

A typical file permission issue is shown in the screen-shot.
File permissions that ocPortal requires are listed in the install guide.

How to set Linux file permissions using FTP

Thumbnail: Changing permissions of a file using FTP

Changing permissions of a file using FTP

There is a extension to the FTP protocol that allows setting of file permissions. The extension is so wide-spread that most people do not know that it actually is one. Most FTP tools have file permission support, and SmartFTP has particularly user friendly support, where file permissions can be changed with tick-boxes.

The screen-shots show how to set file permissions for:
  • a file that needs to be world writeable
  • a directory that needs to be world writeable


The process of changing permissions for a file/directory

See also