How do I set readonly permission for all files stored in /var/www/html directory?
You can use the chmod command to set read-only permission for all files on Linux / Unix / Apple OS X / BSD operating systems. The syntax is as follows:
## use only for files ## chmod 0444 /var/www/html/* chmod 0444 /var/www/html/*.php
TO set directories in read-only mode, enter:
## use only for dirs ## chmod 0544 /var/www/html/ chmod 0444 /path/to/your/dir/
To find all files (including sub-directories in /var/www/html) and set read-only permission, enter:
find /var/www/html -type f -iname "*" -print0 | xargs -I {} -0 chmod 0444 {}
However, you need to set set read-only and execute permission on /var/www/html and all sub-directories so that web server can enter into your DocumentRoot, enter:
find /var/www/html -type d -iname "*" -print0 | xargs -I {} -0 chmod 0544 {}
A warning about write permission
Please note that write access on a directory /var/www/html/ allows anyone to remove or add new files. In other words, you may need to set a read-only permission for /var/www/html/ directory itself:
chmod 0555 /var/www/html
In some cases you can change file owner and group to set tight permissions as per your setup:
### Say /var/www/html is owned by normal user, you can set it to root:root or httpd:httpd (recommended) ### chown -R root:root /var/www/html/ ## Make sure apache user owns /var/www/html/ ## chown -R apache:apache /var/www/html/
A note about NFS exported directories
You can specify whether the directory should have read-only or read/write permissions using /etc/exports file. This file defines the various shares on the NFS server and their permissions. A few examples:
# Read-only access to anyone /var/www/html *(ro,sync) # Read-write access to a client on 192.168.1.10 (upload.example.com) /var/www/html 192.168.1.10(rw,sync)
A note about read-only Samba (CIFS) share for MS-Windows clients
To share sales as read-only, update smb.conf as follows:
[sales] comment = Sales Data path = /export/cifs/sales read only = Yes guest ok = Yes
A note about file systems table
You can use the /etc/fstab file on Unix or Linux to configure to mount certain files in read-only mode. You need to have a dedicated partition. Do not set / or other system partitions in read-only mode. In this example /srv/html is set to read-only mode using /etc/fstab file:
/dev/sda6 /srv/html ext4 ro 1 1
You can use the mount command to remount partition in read-only mode (run it as the root user):
# mount -o remount,ro /dev/sda6 /srv/html
OR
# mount -o remount,ro /srv/html
The above command will try to attempt to remount an already-mounted filesystem at /srv/html. This is commonly used to change the mount flags for a filesystem, especially to make a readonly filesystem writeable. It does not change device or mount point. To make file system writable again, enter:
# mount -o remount,rw /dev/sda6 /srv/html
OR
# mount -o remount,rw /srv/html
Linux: chattr Command
You can change file attributes on a Linux file system to read-only using the chattr command:
chattr +i /path/to/file.php chattr +i /var/www/html/ # find everything in /var/www/html and set to read-only # find /var/www/html -iname "*" -print0 | xargs -I {} -0 chattr +i {}
To remove read-only attribute pass the -i option:
# chattr -i /path/to/file.php
FreeBSD, Mac OS X and other BSD unix user can use the chflags command:
## set read-only ## chflags schg /path/to/file.php # remove read-only ## chflags noschg /path/to/file.php
See also:
- How Linux file permissions work
- Debian / CentOS / RHEL set NFS v4 server
- man pages - mount, chmod, chown and find commands.
Updated for the accuracy!
You should follow me on twitter here or grab rss feed to keep track of new changes.
Featured Articles:
- 30 Handy Bash Shell Aliases For Linux / Unix / Mac OS X
- Top 30 Nmap Command Examples For Sys/Network Admins
- 25 PHP Security Best Practices For Sys Admins
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- Linux: 20 Iptables Examples For New SysAdmins
- Top 20 OpenSSH Server Best Security Practices
- Top 20 Nginx WebServer Best Security Practices
- 20 Examples: Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors
- 15 Greatest Open Source Terminal Applications Of 2012
- My 10 UNIX Command Line Mistakes
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- The Novice Guide To Buying A Linux Laptop
![Unix Copy Command Examples [ cp command ]](http://s13.cyberciti.org/images/shared/rp/3/9.jpg)
{ 4 comments… read them below or add one }
On Linux filesystems you can use also the extented attributes.
Commands: lsattr and chattr with the Read Only option
The faq has been updated with the lsattr and chflags commands.
Appreciate your comment.
This article is ridiculously wrong. If you do chmod 0555 on a file you make the file executable by all users. The article instructs you to set all of the files in your web root to executable. This is a terrible terrible idea. These files should be set at 0644.
It was a typo on my part. The faq has been updated. You need to set all files in DocumentRoot to read-only mode using 0444 and directories using 0544 mode. 0644 nide will give write access on /var/www/html. Hope this helps.
Appreciate your comment.