Secure file permissions

Using Secure File Permissions

You need to keep the files in your account secure so unauthorised people can't read, edit, delete or run them.

You do this by managing Unix file permissions attached to them.

Most importantly: never make anything world-writable, as that's a huge security risk.

Any world-writable files will have that permission removed automatically overnight.

What permissions should I set?

This depends on whether you need to give other people access to your files, or put anything in your public_html directory.

Completely private, no public_html

This is the simplest case:

Your home directory
700 or rwx------
All other directories
700 or rwx------
Scripts and programs
700 or rwx------
All other files
600 or rw-------

Completely private, but with files in public_html

Your home directory and public_html directories need to be world-executable, and the files in public_html need to be world-readable.

This is because the webserver runs as a different user, and needs to be able to traverse into public_html and read the files there.

Set permissions as above, except:

Your home directory
701 or rwx-----x
701 or rwx-----x
Directories in public_html
701 or rwx-----x
Files in public_html
604 or rw----r--

Shared directories

To share files with other members of a group you're in, your home directory needs to be group-executable, so group members can traverse into the shared directory.

It's really important that you don't make your whole home directory readable or writable by others - it's a huge security risk, and can lock you out of your account.

Your home directory
710 or rwx--x--- (or 711 / rwx--x--x if you're using public_html)

You will need to chgrp shared files and directories to the group, then make them group-readable / writable / executable as appropriate:

Read only

Shared directories
750 or rwxr-x---
Shared scripts and programs
750 or rwxr-x---
All other shared files
640 or rw-r-----


Shared directories
770 or rwxrwx---
Shared scripts and programs
750 or rwxrwx---
All other shared files
660 or rw-rw----

Utility and course accounts

For these accounts, it's reasonable to set group-read on the account home directory, so that group members can browse the contents:

Account home directory
750 or rwxr-x--- (or 751 / rwx--x--x if you're using public_html)

Once again, however, don't make the home directory group-writable.

For files and directories within the account home directory, set permissions as for shared files in the section above.

You may want to set the setgid bit on those directories (2771 / g+s) so that files created there are group-owned automatically.

Last edited by jbc 23/04/2020

Tags for this page:

file, permissions, security