UNIX, Command Line, File Permissions
UNIX on the Server: PHP is designed to run on UNIX/Linux, Windows and other operating systems. UNIX/Linux is by far the most common configuration and the one we'll use for this class.
Command Line Access: To work with UNIX, and later with MySQL, we need to log in to Zephir via a command line, where we can type UNIX commands.
Secure Shell (SSH): To do this we need a 'terminal' program that can log in and open a command-line prompt. For Zephir it must be one that uses Secure Shell (SSH), which encrypts everything we type (including the password) and everything the server sends back; the older Telnet protocol, still the default in some terminal programs, sends all of it in clear text. Such a program in Windows is called PuTTY.
On a Mac there is nothing to install: OS X has a built-in SSH client, run from the Terminal application: SSH on a Mac
Once you have downloaded puTTY, be sure to set the protocol to SSH. For a host name, we will type in:
zephir.seattlecentral.edu
Once you select SSH (port 22) and connect, you will see the prompt:
login as:
Type your UNIX user name (in our case the same login we use for FTP access to Zephir, which I call horsey01) and press Enter.
You will then be prompted for your password. This will be the last 6 digits of your SID.
Once logged in you can run UNIX commands, set file permissions and work with MySQL.
File & Directory Permissions: Since a web server is reachable by the public, it is especially exposed to attack. To limit the damage, access to files and directories is "locked down" as much as possible while still giving the programs and users that need it the access they require. Whether a file can be viewed or changed depends on the permissions of both the file and the directory that contains it. The word 'access' is sometimes used as a close synonym for 'file permission'.
Read: To be able to "see" a web page, the web server needs only "read" permission on the file: it retrieves the HTML document without changing it. A web server can serve a page, and a PHP script can go on to query a database, as long as the script file is readable and every directory on the path to it can be entered (see "execute" below). MySQL's own data files are handled by the database server under its own user, so the permissions on our web files do not affect them.
Write: To change the contents of a file we need "write" permission on the file. To create a new file in a directory, or to delete or rename one, we need "write" permission on the directory instead. So a PHP script that appends to an existing text file needs write permission on that file, while a script that creates the file first needs write permission on the directory as well.
The number of files and directories given "write" permission for the web server should be kept to a minimum, since every writable location is a place where an attacker who takes over a script can plant or alter files. Only the directories that genuinely need it should be configured this way, and only the files that must be written should be kept inside them.
Execute: On a file, "execute" permission means the system will run it as a program; a CGI script needs it, while a PHP page run by Apache's PHP module does not, because Apache reads the file rather than executing it. On a directory, "execute" (also called "search") permission is what lets a user enter the directory and reach the files inside it by name, so every directory on the path to a web page needs it. If the execute bit is missing, the system refuses to run the program or to enter the directory, whatever the other bits say.
Read/Write/Execute (RWX): The 3 permissions described above make up rwx, read-write-execute. They apply to both directories and files, and all of them must be set properly for our PHP web applications to work.
UNIX Permission Values: Permissions in UNIX have been given octal equivalents to make them easier to read and change. Permissions on files and directories are additive, meaning more than one can apply at a time. Each type of permission has its own "value", and when the values are added the permissions on a file or folder can be read off the total. The values are as follows:
- Read = 4
- Write = 2
- Execute = 1
If a file or directory has read and write permissions applied, that class of user has a permission of 6 (4 + 2). Full read/write/execute is 7 (4 + 2 + 1). Therefore, for full RWX access for everyone, we would set a file or folder to 0777, which is 'world writable' and the riskiest possible setting: any user on the server can modify or delete it. The usual safe settings are 0755 for directories and 0644 for files. The one time we may be tempted to use 0777 is when we want to upload images, for example, to a folder: on some servers the folder must be world writable (0777) in order for the web server to upload files into it. However this is no longer acceptable. If you find you can't upload files to a folder with a lesser permission (for example 0755), email the admin of the hosting company for advice on how to upload files to a directory.
World writable on Zephir: If you create a web file, give it the permission 0777 and upload it to Zephir, you'll get a nasty message from UNIX saying your script is 'world writable'. This means the file can be edited or deleted by any other user on the system. Here's a nice description of UNIX permissions, with advice on what permissions to set, that refers to the danger of world writable files: Changing File Permissions on WordPress
Changing Permissions: I recommend setting file permissions via an FTP program like WinSCP. With such a program you can right click on the file or folder, select Properties and change the file or folder permissions. In FileZilla currently you can right click and select File Permissions.
To make a global change of all files in a folder, you may want to check the box set permissions recursively, which means that every file and folder inside that folder will inherit the same set of permissions. Don't do this without thought as there is no undo!
If you are using a Mac and your FTP program is Cyberduck, here are instructions on how to Set File Permissions using CyberDuck
Images may seem to need Execute Permission: Some files end up with permission sets you would not expect. Servers differ in their requirements, and some apply their own default permissions to files uploaded (with no permission set) into particular folders. An image file itself needs only "read" permission (0644 is enough); what is usually missing is "execute" on the folder that contains it, or "read" on the file. If an image does not show up, open its URL directly in the browser: a "403 Forbidden" page means the web server was not permitted to read the file, so check the permissions on the file and on every folder above it.
The Sticky Bit(s):
When we see the permission 0777 we may wonder about the leading zero. It is not just a placeholder: it is a fourth octal digit holding three extra bits, setuid (4), setgid (2) and the sticky bit (1), which we leave at zero for ordinary web files. On a shared directory such as /tmp (mode 1777) the sticky bit stops users deleting or renaming each other's files. To get the full 'sticky' details read the following:
The Sticky Bit
UNIX/Linux Users: In UNIX, permissions are granted to three classes of user: the person who created or "owns" the file or directory, the "group" it belongs to (if applicable) and "everyone" else.
These 3 designations, "owner", "group" and "everyone", are recorded on every directory and file in the UNIX system. When you look at a file (or directory) from the command line using the "list" command, ls -l, each entry shows 3 sets of 3 characters indicating the read, write and execute permissions of each of these 3 classes. Here is a sample designation of a directory (the link count, owner and group columns that ls -l also prints are left out here):
drwxr-xr-- 4096 Aug 31 22:32 myDirectory
In the above listing, the first character "d" means this is a directory; a regular file shows a dash (-) there instead. Within the permission characters, a dash means that permission is not granted.
The first 3 characters following ("rwx" in this case) indicate the permissions of the owner of the directory. The owner has read, write and execute permission on this directory.
The next 3 characters ("r-x" in this case) indicate the permissions of the group to which the directory belongs. In this case the group has "read" and "execute" permission on this directory, so its members can list it and enter it.
The last 3 characters ("r--" in this case) indicate the permissions of everyone else regarding this directory. In this case everyone else has only "read" permission, which for a directory means they can list the file names but cannot enter it or open anything inside; a web server that is neither the owner nor in the group would get "Forbidden" for every page here.
CHMOD Command: The UNIX command to change permissions manually is chmod (change mode). It takes the mode first and the file or directory name second.
This command gives full read/write/execute permissions to everyone:
chmod 0777 filename
The first 7 gives the owner RWX, the second the group, and the third everyone else. The leading zero is the special-bits digit (setuid, setgid, sticky) and may be left off at the command line: chmod 777 filename means the same thing, though FTP programs usually show and accept all four digits. Adding -R (chmod -R 0755 directoryname) applies the change recursively to everything inside a directory, with the same warning as in the FTP programs: there is no undo.
To be able to see the files (to see the permissions were changed) you can type:
ls -l
To show a list of the files/directories. On some systems, this is equivalent to "ll" (double L) as in "long list":
ll
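As an added example (not code from the course notes), the following POSIX shell script ties the permission-value table, the ls -l listing, the special-bits digit and chmod together: it converts between the symbolic string ls -l prints and the octal mode chmod takes, including setuid, setgid and the sticky bit in the leading digit, and then round-trips a mode through chmod and ls -l on a throw-away file. The file name index.php and the use of mktemp -d are assumptions; it runs under sh, dash or bash on Linux or macOS.

```shell
#!/bin/sh
# Added example for the UNIX permissions notes: not code from the course page.
# Converts between the symbolic permission string shown by ls -l and the
# octal mode given to chmod, then round-trips a mode through chmod and ls -l.

# perm_to_octal "rwxr-xr--" prints 0754.
# Expects the 9 permission characters (ls -l column 1 without the type char).
perm_to_octal() {
    p=$1
    if [ "${#p}" -ne 9 ]; then
        echo "perm_to_octal: expected 9 characters, got '$p'" >&2
        return 1
    fi
    special=0
    digits=""
    for slot in 1 4 7; do          # owner, group, everyone
        n=0
        r=$(printf '%s' "$p" | cut -c "$slot")
        w=$(printf '%s' "$p" | cut -c "$((slot + 1))")
        x=$(printf '%s' "$p" | cut -c "$((slot + 2))")
        if [ "$r" = r ]; then n=$((n + 4)); fi
        if [ "$w" = w ]; then n=$((n + 2)); fi
        case $x in x|s|t) n=$((n + 1)) ;; esac
        # s/S in the owner slot = setuid (4), in the group slot = setgid (2),
        # t/T in the everyone slot = sticky (1); together they form the
        # leading digit that a mode such as 0777 starts with.
        case $slot$x in
            1s|1S) special=$((special + 4)) ;;
            4s|4S) special=$((special + 2)) ;;
            7t|7T) special=$((special + 1)) ;;
        esac
        digits="$digits$n"
    done
    echo "$special$digits"
}

# octal_to_perm 0754 prints rwxr-xr--; accepts 3 or 4 octal digits.
octal_to_perm() {
    m=$1
    case $m in *[!0-7]*|'') echo "octal_to_perm: '$m' is not octal" >&2; return 1 ;; esac
    case ${#m} in
        3) special=0 ;;
        4) special=${m%???}; m=${m#?} ;;
        *) echo "octal_to_perm: expected 3 or 4 digits, got '$m'" >&2; return 1 ;;
    esac
    out=""
    i=1
    while [ "$i" -le 3 ]; do
        d=$(printf '%s' "$m" | cut -c "$i")
        r=-; w=-; x=-
        if [ $((d & 4)) -ne 0 ]; then r=r; fi
        if [ $((d & 2)) -ne 0 ]; then w=w; fi
        if [ $((d & 1)) -ne 0 ]; then x=x; fi
        # a special bit replaces the execute character of its own slot:
        # lowercase when execute is also set, uppercase when it is not
        case $i in
            1) if [ $((special & 4)) -ne 0 ]; then if [ "$x" = x ]; then x=s; else x=S; fi; fi ;;
            2) if [ $((special & 2)) -ne 0 ]; then if [ "$x" = x ]; then x=s; else x=S; fi; fi ;;
            3) if [ $((special & 1)) -ne 0 ]; then if [ "$x" = x ]; then x=t; else x=T; fi; fi ;;
        esac
        out="$out$r$w$x"
        i=$((i + 1))
    done
    echo "$out"
}

# Round trip: chmod takes the mode FIRST and the file name second.
# Creates a throw-away file, sets 0754, reads the mode back from ls -l.
demo_chmod() {
    tmp=$(mktemp -d) || return 1
    f="$tmp/index.php"                  # assumed file name
    : > "$f"
    chmod 0754 "$f"
    shown=$(ls -l "$f" | cut -c 2-10)   # column 1 minus the leading type character
    rm -rf "$tmp"
    perm_to_octal "$shown"              # prints 0754
}

perm_to_octal rwxr-xr--   # 0754
octal_to_perm 2744        # rwxr-Sr--  (setgid on, group execute off)
demo_chmod                # 0754
```

Feed perm_to_octal the 9 characters that follow the type character in any ls -l line to get the number to type into chmod or an FTP program's permissions dialog; a capital S or T in the output of octal_to_perm means a special bit is set on a slot that has no execute permission, which is almost always a mistake.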
To change directories, so that later commands act on a different directory, type cd (change directory) followed by the directory name:
cd directoryname
Some shells (tcsh, zsh) also accept chdir as a synonym, but bash, the usual shell on Linux, does not, so use cd. To return to your home directory from anywhere, type:
cd ~
The tilde (~) stands for your home directory, the starting point of your own space on the server. It is not the root (/) of the file system.
To quit, type:
exit
Accessing Directory Contents:
We can use UNIX commands to do some other useful things, like saving the contents of a directory to a file. This is useful if you need to document all the files in a web folder:
For example:
ls *.php >> files.txt
The above lists the names of all files ending in .php in the current directory and appends them to a file named files.txt (creating it if it does not exist). A single > would overwrite files.txt instead of appending. Here's another useful command:
ls -1aFlqR --full-time >> sitedoc09242009.txt
In this version we're recording every file in the folder and, because of -R, in all its subfolders, in a text file named sitedoc09242009.txt: -a includes hidden files such as .htaccess, -l gives the long listing with permissions and owner (which makes -1, one name per line, redundant), --full-time prints exact timestamps, -F marks directories with / and executables with *, and -q replaces unprintable characters in names with ?. For more info on shell commands, view the following links:
http://25yearsofprogramming.com/blog/2009/20090621.htm
http://ss64.com/bash/ls.html
Flat Files (plain text): Files can be given 'write' capability, which allows us to make changes to the file as a means of data storage. The flat file (text file) was the original database for web sites. The database actually refers to the information itself, and the software we commonly call a database (Access, MySQL) is really the DBMS (Database Management System).
Flat files are still used today, and work very well for low-traffic websites or small amounts of data, especially for error or activity logging. Flat files are what web servers themselves use for their log files, which record errors and visitors on a website.
Reading/Writing to a File: To test whether we can read and write a file, we use a test page that first writes to a test file, then reads it back. Once we know the write succeeds, we are sure both the directory and the file are set correctly for storing a log file.
Logging Error Messages: One reason for writing to a file is to record custom error messages. In a production environment we do not want to expose PHP or MySQL errors to the user, since they reveal table names, file paths and other details useful to an attacker. However, we still want to "trap" these errors so we can troubleshoot our pages. We can "suppress" many PHP errors by placing the "@" symbol in front of an expression in which we expect an error or warning, but @ only hides the message; the failure still happens, and we no longer see why, so we need somewhere else to look when troubleshooting.
A simple way to trap these errors is to write to a specially set up log file to record error messages as they are created. Later we can set up a system to catch errors and email us, if they are critical, but for now we'll depend upon the developer having a file to view on occasion to see what error messages have been trapped, when they happened, and what page created them.
Below is an example page called "logWrite.php" which is intended to write to a log file when the developer anticipates an error in the code. For our example, we will trap a MySQL error message (mimicking what we get with a typo in the MySQL user name or password) and print it to the log file.
A test file was created below to demonstrate how this page works.
View the code for detailed operation of the pages.
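As an added example (the course's logWrite.php is not reproduced here), the following POSIX shell script does the same write-then-read check the notes describe: it appends one timestamped line per trapped error to a log file after checking the permissions that step actually needs (write on the directory to create the file, write on the file to append), creates the file as 0640 so other users on a shared host cannot read it, and reads the entries back. The log path, the page name dbConnect.php and the MySQL error text are constructed for the demonstration; it runs under sh, dash or bash on Linux or macOS, and the permission-denied branches only trigger when not running as root.

```shell
#!/bin/sh
# Added example: a shell version of the write-then-read check described in
# the notes, not the course's logWrite.php. log_error appends one line per
# trapped error after checking the permissions the write actually needs.

# log_error LOGFILE PAGE MESSAGE
# Exit status: 0 written, 2 the directory will not let us create the file,
# 3 the file exists but is not writable by us.
log_error() {
    log=$1
    page=$2
    # Keep one entry per line: a newline inside a message would let a crafted
    # error text forge extra entries when the log is read back.
    msg=$(printf '%s' "$3" | tr '\n' ' ')
    dir=$(dirname "$log")
    if [ ! -e "$log" ]; then
        # Creating a new file needs write AND execute permission on the directory.
        if [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
            echo "log_error: cannot create $log: no write access to $dir" >&2
            return 2
        fi
        # Create it as 0640: the web server's user and group can use it,
        # but "everyone" (the other users on a shared host) cannot read it.
        (umask 027 && : > "$log") || return 2
    elif [ ! -w "$log" ]; then
        echo "log_error: $log exists but is not writable" >&2
        return 3
    fi
    # Appending to an existing file needs write permission on the file only.
    printf '%s\t%s\t%s\n' "$(date -u '+%Y-%m-%d %H:%M:%S')" "$page" "$msg" >> "$log"
}

# log_read LOGFILE: show what has been trapped, oldest first.
log_read() { cat "$1"; }

# log_count LOGFILE: number of entries trapped so far.
log_count() { wc -l < "$1" | tr -d ' '; }

# Demonstration in a throw-away directory, using a constructed MySQL error
# like the one a typo in the user name produces. The last line printed
# summarises the result.
demo_log() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/logs"
    log="$tmp/logs/php_errors.log"       # in real use: a directory outside the web root
    log_error "$log" dbConnect.php "Access denied for user 'horsey01'@'localhost' (using password: YES)"
    log_error "$log" dbConnect.php "second try
also failed"
    log_read "$log"
    n=$(log_count "$log")
    mode=$(ls -l "$log" | cut -c 2-10)
    rm -rf "$tmp"
    echo "entries=$n mode=$mode"         # entries=2 mode=rw-r-----
}

demo_log
```

Keep the log outside the web root, or at least outside any folder the web server will serve, since the trapped messages contain exactly the details we are hiding from visitors; the 0640 mode protects it from other users on the machine, not from the web server itself.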
.htaccess (hypertext access files): In several web servers (most commonly Apache), .htaccess (hypertext access) is the default name for directory-level configuration files. When a .htaccess file is placed in a particular directory, the directives (commands) inside it apply to that directory and all its subdirectories. The name starts with a dot because such files are hidden by convention on UNIX (ls does not show them without -a). The whole string .htaccess is the file's name; it is often described as "an extension with no name", but to UNIX it is simply a hidden file.
Affects All Sub Folders: A .htaccess file affects its own directory and every subdirectory below it. Apache reads the .htaccess files from the web root down to the requested directory; when a deeper file contains a directive that conflicts with one above it, the deeper one wins, and everything else carries through. If you place a .htaccess file in the root directory of your website, it affects every directory on your site, so be sure to identify the proper placement of your .htaccess files.
What Can an .htaccess File Do?: .htaccess files are often used to specify the security restrictions for a particular directory, hence the name "access." In this way the .htaccess file allows us to create password-protected web folders, so we can work in private and let clients see our web applications and designs before they are made public. If we are developing on a new host we can "lock down" the entire site by placing such a safeguard at the web root. The Basic authentication this uses sends the password in a form anyone on the network path can read, so it only protects a preview site when the site is served over HTTPS.
The .htaccess file is often accompanied by a .htpasswd file which stores valid usernames and their hashed passwords; keep it outside the web root so it can never be downloaded. .htaccess can also define customized error pages, rewrite URLs or control caching.
Another very important task that can be accomplished via .htaccess files is URL redirection. When a web page or an entire site moves its location (changes its web address), this can negatively affect a site's rating with search engines. We can notify search engines of an official site move via URL redirection.
Likewise, if other sites link to our client's pages, those links keep working, and the visitors and crawlers that follow them learn the new address. We do this with careful use of 301 (permanent) redirects in a .htaccess file.
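As an added example (not a file from the course or from Zephir), here is a .htaccess that does the two jobs just described: it password-protects the directory it sits in, together with everything below it, and permanently redirects a page that has moved. The paths, the realm name, the user name and the page names are assumptions; it uses the Apache 2.4 Require syntax and only works where the server's configuration allows AllowOverride AuthConfig FileInfo for the directory.

```apache
# .htaccess in the directory to protect (assumed example, not from the course)

# --- Password protection for this directory and everything below it ---
AuthType Basic
AuthName "Client preview"
# The password file lives OUTSIDE the web root so it can never be downloaded.
# Create it once with:  htpasswd -c /home/horsey01/private/.htpasswd clientname
# (add further users with htpasswd WITHOUT -c, which would overwrite the file)
AuthUserFile /home/horsey01/private/.htpasswd
Require valid-user

# --- Permanent redirect for a page that moved (mod_alias) ---
# Browsers and search engines that follow the old link get a 301 status and
# the new location, so the new address replaces the old one in their records.
Redirect 301 /products/old-page.html /catalog/new-page.html

# --- Never serve .htaccess or .htpasswd even if one ends up under the web root ---
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

To lock down a whole site put the same Auth lines in the .htaccess at the web root; to protect only a preview folder put them in that folder. On Apache 2.2 replace each Require all denied with Order deny,allow followed by Deny from all. Because Basic authentication exposes the password on the wire, use the protected preview only over HTTPS.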