CodeClarityLab / Glossary
Ctrl K
← Home ← Codex ← DEBT
Browse by Category
+ added · updated 7d
Pages
Terms of Use About Contribute 🧠Logic graph Contact
← Back to glossary

Linux File Permissions

Linux CWE-732 OWASP A5:2021 CVSS 7.5 Beginner
debt(d5/e1/b3/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints list semgrep as the tool, and the code_pattern notes `find -perm /o+w` to detect world-writable files. These are specialist tools requiring deliberate setup — a default linter won't catch a chmod 777, and the misconfiguration is silent in production until exploited, but a properly configured semgrep rule or a manual find command will surface it.

e1 Effort Remediation debt — work required to fix once spotted

Closest to 'one-line patch or single-call swap' (e1). The quick_fix is explicit: set files to 644 and directories to 755, which is a single chmod command or a one-liner script. Correcting a 777 misuse is a trivial operational change with no code refactoring required.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). Permission choices apply to web and cli contexts but are operational configuration rather than a structural code decision. Once corrected, the rest of the codebase is unaffected. The burden is real — misconfigured permissions require ongoing vigilance at deployment — but it doesn't reshape the codebase or impose a productivity tax across work streams.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field is explicit: chmod 777 appears to 'fix' permission problems and is the instinctive response to access denied errors, but it is a critical security misconfiguration that exposes all files to every process on the server. This contradicts what developers expect — they think they are solving a problem when they are creating a far worse one. It scores t7 rather than t9 because the danger is documented and security-aware developers do know about it, though less experienced developers routinely fall into it.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-10 · reviewed by human

Also Known As

chmod PHP file permissions web server 755 644 PHP linux permission bits

TL;DR

Read, write, and execute permissions assigned to owner, group, and others — the foundation of Linux access control for web application files.

Explanation

Each file has three permission sets: owner (u), group (g), others (o). Each set has read (r=4), write (w=2), execute (x=1). chmod 755 = owner rwx, group r-x, others r-x. Web server files: 644 for files (rw-r--r--), 755 for directories. PHP files should never be world-writable (666 or 777). Config files with secrets should be 600 (owner read/write only). The web server user (www-data) should be in the correct group — not given direct ownership of application files.

Common Misconception

chmod 777 fixes permission problems cleanly. It gives every user on the system full read/write/execute access — a critical security misconfiguration on any shared or multi-tenant server.

Why It Matters

World-writable PHP files (777) allow any process on the server to modify them — if any site on a shared host is compromised, attackers can inject code into your files. 777 permissions are a critical misconfiguration.

Common Mistakes

  • Setting 777 to 'fix' permission errors instead of diagnosing the actual user/group mismatch.
  • Making .env files world-readable — they contain secrets that any process on the server can read.
  • Owning application files as root — the web server cannot write to them and deployment scripts fail.

Avoid When

  • Never use 777 on any production file or directory — it is always a misconfiguration.
  • Do not own application files as root — the web server user cannot write them and deployments will fail.

When To Use

  • Set 644 for all PHP files and 755 for directories as the default — only loosen permissions when specifically required.
  • Set 600 on .env and config files containing secrets — readable only by the file owner.

Code Examples

✗ Vulnerable 
# chmod 777 — world-writable: any process on the server can modify files
chmod -R 777 /var/www/myapp  # critical misconfiguration
✓ Fixed 
# Correct permissions for a PHP web app
find /var/www/myapp -type f -exec chmod 644 {} \;
find /var/www/myapp -type d -exec chmod 755 {} \;
# Writable directories (uploads, cache, logs) — owner only
chmod 700 /var/www/myapp/storage
# Secrets — owner read only
chmod 600 /var/www/myapp/.env
Added 31 Mar 2026
Views 63

Curated in Warsaw under one editorial standard. 1,506 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 0 pings W 1 ping T 0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 1 ping W 1 ping T 2 pings F 2 pings S 5 pings S 3 pings M 0 pings T 2 pings W 1 ping T 1 ping F 0 pings S 0 pings S 1 ping M 0 pings T 0 pings W 0 pings T 0 pings F 2 pings S 0 pings S 1 ping M 0 pings T 0 pings W
Agents 0
No pings yet today
No pings yesterday
Scrapy 14 Perplexity 9 Amazonbot 7 Google 4 Ahrefs 4 Unknown AI 3 ChatGPT 3 Majestic 2 SEMrush 2 Claude 1 Meta AI 1 Bing 1 PetalBot 1
Also referenced
Error Handling in PHP 60
How they use it
crawler 48 crawler_json 3 pre-tracking 1
Related categories
php 13k linux 930
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Low
⚡ Quick Fix
Set files to 644 and directories to 755 — never use 777 in production
📦 Applies To
web cli
🔍 Detection Hints
chmod 777 or world-writable files detected by find -perm /o+w
Auto-detectable: ✓ Yes semgrep
⚠ Related Problems
🤖 AI Agent
Confidence: High False Positives: Low ✓ Auto-fixable Fix: Low Context: Line
CWE-732
✓ schema.org compliant