Linode Forum
Linode Community Forums
Posted: Mon Dec 20, 2010 12:48 am
Newbie

Joined: Mon Dec 20, 2010 12:43 am
Posts: 2
I haven't been able to completely wrap my brain around file permissions and owner rights.

I have several websites installed in my user home directory using the structure
~/public_html/website/public/...

WordPress recommends setting wp-config.php and .htaccess to 0640.

But if I try to set either file to 0640 then no one can view my site.

So I have to use 0644.

But from what I read, it sounds like I'm leaving myself very vulnerable by doing so.

Could anyone help me understand this?

Thanks


Posted: Mon Dec 20, 2010 1:58 am
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
0644 is fine; it translates to:
owner can write, group can read, others can read.

Since your files are not owned by your web server or in your web server's group you need to have them readable by others.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue


Posted: Tue Dec 21, 2010 2:41 am
Newbie

Joined: Mon Dec 20, 2010 12:43 am
Posts: 2
Thanks obs, I appreciate the reply.

So am I assuming correctly then that having a critical file with my database passwords in it and such - set world readable - is ok because I am the only one with access to my VPS?

That a 0644 is really a setting that has to do with a more open environment like shared hosting or multiple users?

Just want to make sure I understand why it is ok in my case.

Also, is it possible to add the web server group to my group so that I could make it 640?

(edit: or perhaps it is either root or user in my case... possibly adding root to my user group?)

Sorry for the noob questions -- I just want to be able to understand the why.

Thanks!


Posted: Tue Dec 21, 2010 5:42 am
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
It's not you that needs read permissions, it's your web server, so the web server would have to be in the group for the file, or use chgrp to change the file group to the web server's group.

It's normal for all files to be readable by "others" on a VPS, since normally you have users uploading files, so files will be created 0644 with the user and group of the uploader, while the server runs as www-data or nobody (or some other user).

In a shared environment, if it's configured poorly, then in theory a 0644 file can be read via ssh/ftp/a system call from a script, i.e. someone could do <?php echo file_get_contents("/path/to/your/wordpress/settings.php"); ?> and pull up your database settings, and then access your database from their account. VPSes don't have that problem (assuming everyone that has access to your VPS is allowed to view the settings.php file).

There are other ways to deal with this; for example, if running PHP as FCGI then you can set PHP to run as the user of the files uploaded, and that way the permissions can be as restrictive as 0600.

If you're the only one on your server, just leave it as 0644; you'll be fine.



Posted: Tue Dec 21, 2010 5:48 am
Senior Member

Joined: Mon Dec 20, 2010 11:37 pm
Posts: 76
I always change permissions to those kinds of files. If they are in my public_html:

Code:
chown www-data:mynormaluser config.php
chmod 0660 config.php


If they are in /var/www, I set group to "root" in the above chown command.
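
The rule the replies in this thread rely on, as an added example that is not part of any post: the kernel picks exactly one permission class (owner, then group, then other) for the reading process and checks only that class's read bit. The uids and gids (1000 for the site owner, 33 for the web server) and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: which permission class applies to a process reading a file,
# and whether that class carries the read bit. Root is not modelled.
# All uids/gids are constructed sample values, not taken from the thread.

# perm_class FILE_UID FILE_GID PROC_UID PROC_GIDS...
# Prints owner, group or other. Only the first matching class is used.
perm_class() {
    file_uid=$1 file_gid=$2 proc_uid=$3
    shift 3
    if [ "$proc_uid" -eq "$file_uid" ]; then echo owner; return; fi
    for gid in "$@"; do
        if [ "$gid" -eq "$file_gid" ]; then echo group; return; fi
    done
    echo other
}

# can_read MODE FILE_UID FILE_GID PROC_UID PROC_GIDS...
# Exit status 0 if the process may read the file, 1 otherwise.
can_read() {
    mode=$1
    shift
    case $(perm_class "$@") in
        owner) bit=0400 ;;
        group) bit=0040 ;;
        other) bit=0004 ;;
    esac
    # Leading 0 forces octal; 0640 and 640 are both accepted.
    [ $(( 0$mode & $bit )) -ne 0 ]
}

# report LABEL MODE FILE_UID FILE_GID PROC_UID PROC_GIDS...
report() {
    label=$1; shift
    if can_read "$@"; then echo "$label: readable"; else echo "$label: denied"; fi
}

# Constructed cases: site owner is uid/gid 1000, web server is uid/gid 33.
report "0644, web server falls in 'other'"    0644 1000 1000 33 33
report "0640, web server falls in 'other'"    0640 1000 1000 33 33
report "0640 after chgrp to web server group" 0640 1000 33   33 33
report "0640, web server added to my group"   0640 1000 1000 33 33 1000
report "0600, PHP (FCGI) runs as file owner"  0600 1000 1000 1000 1000
report "0660, web server owns the file"       0660 33   1000 33 33
```

The second case is why the site breaks at 0640 with the files still in the uploader's own group; the third and fourth are the two ways to keep 0640 working.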

