Least, secure and enough permissions for public_html and folders and files under public_html using SuPHP for shared hosting environment

Tags: directory-permissions, shared-hosting, suphp

I have a server with SuPHP and DirectAdmin. Many (but not ALL) of my users are running Joomla and WordPress. Will it cause a problem if I chmod public_html and its sub-folders to 700? Will they NEED more permissions?

What about files? What should the least, most secure and enough default permissions be for them? Is that 400? Or maybe 600?

In other words, my question focuses on group and world permissions. Are there any problems if only the user has the needed permissions? I think that by using SuPHP, everything is done by the owner, so there should be no problem restricting the group and world permission bits.

I prefer to give each object (file, folder) the least permission that is enough to work without any problem.

Best Answer

Here is my experience; this depends on configuration.

PHP files can be set to 600, so that the user can read and write them, and suPHP should take care of setting the user to the website owner. You may want to make sure that the owner has been set to the user, as old installations could have an owner like www-data. You could also set them to 400, but you may have user support issues with no write permissions, and it doesn't greatly improve security.

Other files will generally need permissions like 644 because Apache will be reading them as user www-data, which will not be the owner or group for those files. This will also apply to .htaccess and php.ini. As a default for all files, thus, you probably need 644.

Directory permissions: if you have a home dir with a public_html in it, the ideal is to set that to 700, but some configurations seem to need 711 for Apache (and maybe some other tools) to work. Hypothetically, 700 should protect you better than 711 - with 711, files such as a configuration file which is set to 644 (a default recommended by Joomla and often applied by web servers for new files) can be read by world if someone can guess the file location - which isn't hard (as maybe you've learned as an admin to many Joomla and WP sites). Similarly for public_html and other directories, those may need as high as 755.

But you should experiment with your own configuration, find the lowest permissions where the websites load, then go back and make sure any tools you support or provide to clients (like the cPanel file manager) work properly as well. If you can get the home directory or public_html set to 700, you might test a read across accounts on a configuration.php - I found that my cPanel accounts have a 711 home directory and that a 644 configuration.php can be read across user accounts. I see a cPanel discussion about problems with symbolic links that can make it easy to hack across accounts, so the permissions become quite important - one site gets hacked, and the whole server is at greater risk than it should be. Someone suggested that setting the home dir to 700 will prevent reads anywhere below that directory, but the ability to do that seems configuration dependent. Still, 700 on the home directory might be as close to the holy grail as you can provide, if it works (and that seems configuration dependent).

I'm not really an expert and certainly don't know the range of configurations you might find - but I'm answering because I see this is a 6-week-old question that needs a good set of answers. Hopefully you'll get someone with broader server configuration expertise to improve this answer.
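The following script is an added example, not part of the question or the answer above. It turns the answer's scheme (600 for PHP files, 644 for everything else, 700 or 711 for directories) into an audit that lists objects looser than the scheme and a hardening step that applies it. It assumes GNU findutils (`-perm /mode` and `-printf`) and a suPHP setup where PHP runs as the file owner while Apache runs as a separate user such as www-data; the sample tree it builds is constructed for the demo and its file names are illustrative.

```shell
#!/bin/sh
# Added example (not from the question or answer above): audit a public_html
# tree against the permission scheme the answer describes, then tighten it.
#   PHP files   -> 600 (suPHP runs them as the owner; no group/world bits needed)
#   other files -> 644 (Apache as www-data must still read static files, .htaccess, php.ini)
#   directories -> 700 ideally, 711 where Apache must traverse (it needs x, not r)
# Assumes GNU findutils (-perm /mode and -printf).

# audit_perms DIR: print one line per object wider than the scheme allows.
audit_perms() {
    dir="$1"
    # PHP source with any group/world bit set is readable across accounts when
    # the home dir is 711, and writable by others if the mode is 6x6.
    find "$dir" -type f -name '*.php' -perm /077 -printf 'php file too open: %m %p\n'
    # Non-PHP files must stay world-readable for Apache, so only flag write bits.
    find "$dir" -type f ! -name '*.php' -perm /022 -printf 'file group/world-writable: %m %p\n'
    # Directories: group/world write lets another account plant or replace files.
    find "$dir" -type d -perm /022 -printf 'dir group/world-writable: %m %p\n'
}

# audit_count DIR: number of findings (0 means the tree matches the scheme).
audit_count() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# harden_perms DIR [DIRMODE]: apply the scheme. DIRMODE defaults to 711; try 700
# first and fall back to 711/755 only if the site stops loading.
harden_perms() {
    dir="$1"
    dirmode="${2:-711}"
    find "$dir" -type d -exec chmod "$dirmode" {} +
    find "$dir" -type f -name '*.php' -exec chmod 600 {} +
    find "$dir" -type f ! -name '*.php' -exec chmod 644 {} +
}

# make_sample_tree: constructed public_html with deliberately sloppy modes,
# resembling a fresh CMS upload. Prints the path of the public_html directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/images" "$root/public_html/uploads"
    : > "$root/public_html/index.php"
    : > "$root/public_html/configuration.php"
    : > "$root/public_html/.htaccess"
    : > "$root/public_html/images/logo.png"
    chmod 755 "$root/public_html" "$root/public_html/uploads"
    chmod 777 "$root/public_html/images"             # world-writable directory
    chmod 644 "$root/public_html/index.php"          # PHP readable by everyone
    chmod 666 "$root/public_html/configuration.php"  # credentials world-writable
    chmod 664 "$root/public_html/.htaccess"          # group-writable
    chmod 644 "$root/public_html/images/logo.png"    # fine as-is for Apache
    printf '%s\n' "$root/public_html"
}

# demo: build the sample tree, audit it, harden it with 700 dirs, audit again.
demo() {
    tree=$(make_sample_tree)
    echo "before: $(audit_count "$tree") finding(s)"
    audit_perms "$tree"
    harden_perms "$tree" 700
    echo "after:  $(audit_count "$tree") finding(s)"
    rm -rf "${tree%/public_html}"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with `sh perm_audit.sh demo` (the file name is arbitrary) to see four findings on the sample tree and none after hardening. Against a real account, run `audit_perms /home/USER/public_html` first and only apply `harden_perms` after checking the site, the control panel's file manager and any cron jobs still work with the tighter directory mode; the audit deliberately tolerates 711 and 755 directories because the answer notes some Apache setups need them.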
