Mathieu Bouchard

Web Server Permissions

I've decided to finally document my web server permission setup tips in a central place, and what better place than my blog! This technique diverges slightly from best practice in that I don't create a separate group (such as www-pub). I simply use the existing apache group. So for reference, here are my notes.

File permissions on web servers

This file permission scenario assumes that you have a user such as apache or www-data that Apache runs under. Usually there's a corresponding group named the same (apache or www-data). You would also have a separate user account that can connect and upload files manually. This user should be joined to the apache or www-data account, and the permission scenario detailed below should be used.

For the sake of example, let's say Apache runs as apache and is in the group apache. And let's say that the user account used for uploads etc is myuser.

To verify which groups myuser currently belongs to, type:

groups myuser

If apache is not listed, then let's add myuser to the apache group:

sudo usermod -a -G apache myuser

Now that myuser belongs to the apache group, we need to take care of our permission scheme so that group access is setup correctly. This will allow us to keep things clean in terms of file ownership, and have everyone capable of creating/deleting/executing what they need.

The following will set read/write/execute on files and folders and also newly created files/folders within this folder. Specifically, we're after mimicking a chmod 664 for files (rw rw r), and chmod 775 for dirs (rwxrwxr x). In the setfacl command below, we do this in one pass by using the capital X, which only sets the execution bit (x) for dirs:

sudo setfacl -R -d -m u::rwX,g::rwX,o::rX /var/www/html

Note that setfacl requires acl to be installed and configured.

If you need to fix things up and normalize files/folders, do the following:

sudo find /var/www/html -type f -exec chmod 664 {} +;
sudo find /var/www/html -type d -exec chmod 775 {} +;

Finally, you'll probably want the umask for Apache to be set to a value that allows group write. Edit the correct file and add umask 0012 at the end:

  • CentOS: /etc/sysconfig/httpd
  • Debian: /etc/apache2/envvars