Set file and directory permissions to improve website security-Cloud Web Hosting(CWH)-阿里云帮助中心

By following the principle of least privilege and setting specific permissions for your website files and directories, you can reduce the risk of unauthorized modifications or malware injection and enhance your website's security. This topic describes how to set file and directory permissions.

Use cases

You can set permissions based on the purpose of your website's files and directories. Refer to the following scenarios for guidance:

Scenario	Recommended permission
Your website's dynamic files, such as ASP or PHP files, do not need to be modified during runtime. For example, a news website's PHP pages are primarily for display and do not require frequent content updates.	We recommend that you set the file permissions to Readable and Executable (Write-protected) to reduce the risk of the file being tampered with.
A directory in your web application is used for file uploads. For example, a blog or forum website lets users upload avatars, files, or other data.	We recommend that you set the directory permission to Readable and Writable (Script Execution Disabled) to reduce the risk of Trojans, viruses, or malicious files being executed after they are uploaded.
Your website encounters an error after you set permissions for specific files or directories. For example, after setting permissions, your website displays a `403 Forbidden` or `Unauthorized` error upon login.	We recommend that you restore the Default Permissions (Readable, Writable, and Executable) for the corresponding file or directory to restore normal access to your website.

Limitations

When you set the Readable and Executable (Write-protected) permission for a file or directory, the following restrictions apply to Web Hosting on different operating systems:

For a Linux-based Web Hosting instance: You can use an FTP client to delete files, but not to upload them. You also cannot modify files programmatically.

Note
On a Linux-based Web Hosting instance, these permission settings do not affect file management operations in the File Manager. You can still upload, delete, and edit files. For more information, see Manage files by using File Manager.
For a Windows-based Web Hosting instance: You can use an FTP client to delete or upload files, but you cannot modify files programmatically.

Procedure

On a Linux-based Web Hosting instance, you can prohibit script execution for a maximum of 20 files and directories.

Log on to the Cloud Web Hosting management page.
Find the Cloud Web Hosting instance you want to manage and click Manage in the Actions column.
In the navigation pane on the left, choose File Management > File Manager.
On the File Manager page, click Site Root Directory.
Set permissions for a file or directory.
- For a single file or directory
  1. Find the file or directory for which you want to set permissions, and click Permission in the Actions column.
  2. In the pop-up Permission Settings dialog box, select the appropriate file or directory permissions, and click Confirm.
    
    Note
    When setting directory permissions, the changes may take up to 2 minutes to apply.
- For multiple files or directories
  1. Select the checkboxes for the files or directories whose permissions you want to set, and then click Batch Set Permissions. Select the required files or directories, and click the Batch Set Permissions button at the bottom.
  2. In the Permission Settings dialog box, select the appropriate file or directory permissions, and click Confirm.
    
    Note
    When setting directory permissions, the changes may take up to 2 minutes to apply.

Results

In the upper-left corner of the File Manager page, click View Set Permissions, and you can view the files or directories for which permissions have been set.

Note
This feature is not available for Windows-based Web Hosting instances and some non-enhanced Linux-based Web Hosting instances.

A pop-up window titled Files and Directories with Script Execution Prohibited (Limit: 20) appears. Each record in the list includes a serial number, a path (such as /index.php, /license.txt, or /readme.html), and a Delete action link to remove the configured path. Click OK at the bottom to save your changes.
On the File Manager page, under the website root directory, click Permission in the Actions column for the file or directory whose permissions you have set. You can then view the current permissions of that file or directory. In the Permission Settings dialog box, the File and Directory Path column displays the path of the directory, and the Current Permission column shows the directory permission as Readable and Executable (Write-protected). If you need to make changes, in the Set Permissions area, select the desired permission (Readable and Executable (Write-protected), Readable and Writable (Script Execution Disabled), or Default Permissions (Readable, Writable, and Executable)), select the If it is a directory, apply to all subdirectories and files checkbox, and then click Confirm.