HowTo: Set Readonly File Permissions On Linux / Unix

by on April 24, 2012 · 4 comments· LAST UPDATED May 14, 2012

in ,

How do I set readonly permission for all files stored in /var/www/html directory?

You can use the chmod command to set read-only permission for all files on Linux / Unix / Apple OS X / BSD operating systems. The syntax is as follows:

 
## use only for files ##
chmod 0444 /var/www/html/*
chmod 0444 /var/www/html/*.php
 

TO set directories in read-only mode, enter:

 
## use only for dirs ##
chmod 0544 /var/www/html/
chmod 0444 /path/to/your/dir/
 

To find all files (including sub-directories in /var/www/html) and set read-only permission, enter:

 
find /var/www/html -type f -iname "*" -print0 | xargs -I {} -0 chmod 0444 {}
 

However, you need to set set read-only and execute permission on /var/www/html and all sub-directories so that web server can enter into your DocumentRoot, enter:

 
find /var/www/html -type d -iname "*" -print0 | xargs -I {} -0 chmod 0544 {}
 

A warning about write permission

Please note that write access on a directory /var/www/html/ allows anyone to remove or add new files. In other words, you may need to set a read-only permission for /var/www/html/ directory itself:

 
chmod 0555 /var/www/html
 

In some cases you can change file owner and group to set tight permissions as per your setup:

 
### Say /var/www/html is owned by normal user, you can set it to root:root or httpd:httpd (recommended) ###
chown -R root:root /var/www/html/
 
## Make sure apache user owns /var/www/html/ ##
chown -R apache:apache /var/www/html/
 

A note about NFS exported directories

You can specify whether the directory should have read-only or read/write permissions using /etc/exports file. This file defines the various shares on the NFS server and their permissions. A few examples:

 
# Read-only access to anyone
/var/www/html *(ro,sync)
 
# Read-write access to a client on 192.168.1.10 (upload.example.com)
/var/www/html 192.168.1.10(rw,sync)
 

A note about read-only Samba (CIFS) share for MS-Windows clients

To share sales as read-only, update smb.conf as follows:

 
[sales]
comment = Sales Data
path = /export/cifs/sales
read only = Yes
guest ok = Yes
 

A note about file systems table

You can use the /etc/fstab file on Unix or Linux to configure to mount certain files in read-only mode. You need to have a dedicated partition. Do not set / or other system partitions in read-only mode. In this example /srv/html is set to read-only mode using /etc/fstab file:

 
/dev/sda6         /srv/html               ext4         ro             1 1
 

You can use the mount command to remount partition in read-only mode (run it as the root user):
# mount -o remount,ro /dev/sda6 /srv/html
OR
# mount -o remount,ro /srv/html
The above command will try to attempt to remount an already-mounted filesystem at /srv/html. This is commonly used to change the mount flags for a filesystem, especially to make a readonly filesystem writeable. It does not change device or mount point. To make file system writable again, enter:
# mount -o remount,rw /dev/sda6 /srv/html
OR
# mount -o remount,rw /srv/html

Linux: chattr Command

You can change file attributes on a Linux file system to read-only using the chattr command:

 
 
chattr +i /path/to/file.php
chattr +i /var/www/html/
 
# find everything in /var/www/html and set to read-only #
find /var/www/html -iname "*" -print0 | xargs -I {} -0 chattr +i {}
 

To remove read-only attribute pass the -i option:
# chattr -i /path/to/file.php
FreeBSD, Mac OS X and other BSD unix user can use the chflags command:

 
## set read-only ##
chflags schg /path/to/file.php
 
# remove read-only ##
chflags noschg /path/to/file.php
 

See also:

Updated for the accuracy!

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 4 comments… read them below or add one }

1 Andrew Mauro April 25, 2012 at 9:19 am

On Linux filesystems you can use also the extented attributes.
Commands: lsattr and chattr with the Read Only option

Reply

2 nixCraft May 14, 2012 at 7:24 am

The faq has been updated with the lsattr and chflags commands.

Appreciate your comment.

Reply

3 HERP May 14, 2012 at 4:01 am

This article is ridiculously wrong. If you do chmod 0555 on a file you make the file executable by all users. The article instructs you to set all of the files in your web root to executable. This is a terrible terrible idea. These files should be set at 0644.

Reply

4 nixCraft May 14, 2012 at 7:17 am

It was a typo on my part. The faq has been updated. You need to set all files in DocumentRoot to read-only mode using 0444 and directories using 0544 mode. 0644 nide will give write access on /var/www/html. Hope this helps.

Appreciate your comment.

Reply

Leave a Comment

Tagged as: , , , , , , , , , ,

Previous Faq:

Next Faq: