How do I set permissions for a web server directory?

Hello,
I have three websites that exist in the following directory:

$ ls /var/www/html/
branch-view  portal  portal-view

The portal directory is the Laravel project and the other two are React. In the Laravel project, the user has to upload the file and its directory is /var/www/html/portal/storage.

I did:

# /sbin/usermod -aG www-data devops
# chmod -R g+w /var/www/html
# chmod g+w /var/www/html/*
# chmod -R 777 /var/www/html/portal/storage
# newgrp www-data

On the internet I found the following advice:

Assign the Nginx user as the owner of your website files:

# chown -R www-data:www-data /var/www/html

Directories: 755 (read/execute for others):

# find /var/www/html -type d -exec chmod 755 {} \;

Files: 644 (read-only for others)

# find /var/www/html -type f -exec chmod 644 {} \;

How do I apply the correct permission?

Thank you.

That’s giving full permissions to that folder to all users.

  • The actual number is a throwback to Unix and represents a calculated value which tells the machine what permissions to grant.
    • 4 for read
    • 2 for write
    • 1 for execute
  • there are three numbers because it can be divided into multiple categories
    • The first number is for the user who creates it
    • The second number is for the group the user belongs to
    • The third number is for others

This means that:

  • a 777 means all groups can read/write/execute anything in that folder
  • a 755 means the user can read/write/execute in the folder, the group and others can read/execute (a typical permissions set for a folder which executes server side).

If the script needs to be able to read/write, you can use sixes (766 or 666), which allow just reading and writing to the folder but no execution of any code within the folder.

2 Likes

Also, by giving the directory to the web server user, that “should” be enough. You don’t need to set it to full permissions.

1 Like

Hello,
Thank you so much for your reply.
Nginx uses www-data. Can you correct my commands? Which part of the following commands needs to be corrected?

# /sbin/usermod -aG www-data devops
# chmod -R g+w /var/www/html
# chmod g+w /var/www/html/*
# chmod -R 777 /var/www/html/portal/storage
# newgrp www-data

I told you up above… :winky:

Set that fourth line to something other than 777.

1 Like
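
The advice in the replies above, as an added example that is not part of any post: it finds what `chmod -R 777` leaves world-writable, then applies 755/644 across the web root and group write only on the upload directory. The function names, the 775/664 choice for `storage`, and the sample tree are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): find and remove 777-style modes
# under a web root without needing root. Ownership changes such as
# chown -R www-data:www-data need root and are left out here.

# Octal mode of one path (GNU stat, with a BSD stat fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# List files and directories under $1 that "others" may write to
# (mode bit 0002), which is what chmod -R 777 leaves behind.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Directories 755 and files 644 everywhere under $1; only the upload
# directory $2 gets group write (775/664, an assumed choice) so the web
# server's group can store uploads. "Others" never get write access.
harden_webroot() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    find "$2" -type d -exec chmod 775 {} +
    find "$2" -type f -exec chmod 664 {} +
}

# Constructed sample tree mirroring the layout in the question.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/portal/storage/app" "$t/branch-view" "$t/portal-view"
    echo '<?php' > "$t/portal/index.php"
    echo 'upload' > "$t/portal/storage/app/upload.txt"
    echo '<html>' > "$t/branch-view/index.html"
    chmod -R 777 "$t/portal/storage"   # the setting from the question
    echo "$t"
}

root=$(make_sample_tree)
echo "World-writable before:"; world_writable "$root"
harden_webroot "$root" "$root/portal/storage"
echo "World-writable after: $(world_writable "$root" | wc -l)"
rm -rf "$root"
```

On a real server the same `world_writable /var/www/html` check can be run before and after changing modes to confirm nothing is left writable by others.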

Hello,
Thank you so much.

I use this image to remember how to create the permissions.

Let's say I want the user to read and write, the group nothing at all, and everyone else only read; then:

4 + 2 = 6

Nothing: 0

Only read: 4

Then 604

3 Likes

Hello,
What happens if the permissions of the files and directories are root or devops? For example:

$ ls -l
total 12
drwxrwxr-x 16 root root 4096 Jun  1 22:58 branch-view

Can’t users view the website through a browser?

Why is this file root user/group? You don’t want that. You can give your web server root user access, but then you are giving hackers the key to the kingdom.
On very rare occasions you’ll need to have root access to do certain things; even in those cases you don’t log in as root, you use sudo.

So yes, if your web server has user/group, let’s say, webuser, the app will not be able to do anything with branch-view.

1 Like

Hello,
Thank you so much.