Are these webroot permissions correct?

June 1, 2016 1.1k views
Linux Commands Linux Basics WordPress LEMP

I'm relatively new to permissions, so I might be doing this wrong, which is why I am checking with you (the reader). I have been wondering how I would have to set my webroot permissions for 'regular website hosting' on my VPS. I understand there are tens of ways of doing it, depending on the security one needs, but after reading some tutorials I came to the following situation:

1.) sudo chown -R <myself>:www-data /var/www
2.) sudo chmod -R 755 /var/www
3.) sudo chmod g+s /var/www

1.) I'm setting <myself> and the www-data group as owners of the webroot.
2.) I'm changing the permissions recursively on the webroot so that <myself> has all permissions, NGINX has read & execute and the world also has read & execute.
3.) New files that are added (through SFTP or the shell) will inherit the same configuration of permissions / ownership.

In case of dynamic pages generated by WordPress I will leave it this way but set different permissions for folders where NGINX needs to write, such as 'upload' folders and/or 'plugin' folders, etc.

1.) sudo chmod 775 /var/www/... <upload>
2.) sudo chmod 775 /var/www/... <plugin folder>

The question, however, is: am I doing all this in the right way? Or am I going about it all wrong?

Thanks in advance
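The three steps from the question, reproduced on a scratch directory as an added example (this is not code from the thread). It uses chgrp instead of chown so it runs without sudo, and it stands in for www-data with a group the running user already belongs to. The function names (pick_group, setup_webroot, probe_new_file, group_writable_paths) and the scratch tree are my own constructions; the probe shows what the setgid bit really does: new files inherit the directory's group, while their mode comes from the creating process's umask, not from the parent directory.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes GNU coreutils (stat -c)
# and an unprivileged user; "www-data" is replaced by a group the user is in.
set -eu

# Pick a group the current user belongs to. Prefer a secondary group so the
# inheritance is visible; fall back to the primary group if there is none.
pick_group() {
    primary=$(id -g)
    chosen=$primary
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then chosen=$g; break; fi
    done
    echo "$chosen"
}

# Steps 1-3 of the question applied to DIR for numeric group GID, without
# sudo: group ownership, 755 on the whole tree, setgid on the top directory.
setup_webroot() {
    dir=$1 gid=$2
    chgrp -R "$gid" "$dir"      # step 1 (group part of chown -R user:group)
    chmod -R 755 "$dir"         # step 2
    chmod g+s "$dir"            # step 3: new entries inherit the group
}

# Create a file under DIR the way an SFTP upload would, then print
# "<gid> <octal mode>" of the new file. The gid comes from the setgid parent;
# the mode comes from umask 022 (666 & ~022 = 644), not from the directory.
probe_new_file() {
    umask 022
    : > "$1/new.html"
    stat -c '%g %a' "$1/new.html"
}

# Operator's check after opening only the upload/plugin folders with 775:
# list everything under DIR that the group can write to. It should be
# exactly those folders and nothing else.
group_writable_paths() {
    find "$1" -perm -g=w | sort
}

# Usage (constructed scratch tree):
#   d=$(mktemp -d); mkdir "$d/uploads"
#   setup_webroot "$d" "$(pick_group)"; chmod 775 "$d/uploads"
#   probe_new_file "$d"; group_writable_paths "$d"
```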

2 Answers

I will recommend changing the user for the /var/www directory to www-data (or the user you are using for nginx). This way nginx has full permissions to files in /var/www.

You can add yourself to the www-data group. And set /var/www permission to 775 or 765. By doing this users in the www-data group will be able to execute (if you use 775) or read/write (if you use 765).

  • Thanks for your reply MDS.

    When I use SFTP (via <myuser>) and upload files, I will be able to do so when the permissions are set to 775 for /var/www ... These permissions are fine if I just want to upload, but they don't seem secure enough to leave them like that the whole time....

    This would mean that after uploading files, I would have to go to the shell and change the permissions every time again to make it more secure (765 like you said) ... But this however, is what I am trying to avoid ...

    Any other suggestions ?

    • Permission 765 should work fine. This will allow nginx to execute files. And also users in the www-data group to write and read files in /var/www. Make sure to add your user to the www-data group.

      • Ok, so if I understand this correctly, this means :

        1. Nginx as a user (www-data) will have all permissions, because it owns the folder(s).
        2. <myuser> is in the group www-data and I will control the security level by changing the permissions for this group. When I am working on the site I will have it on 7 (rwx) and when I'm not working, I can put it on 6 or 5 ...

        Is that the idea behind this setup ?

        Also, if I use SFTP to upload files (while logging in as <myself>) I believe those newly created files will be owned by <myself>, so then I would be back to my first scenario ...

        • 1) Yes, Nginx will have all permissions since www-data is the owner.

          2) You can leave permissions set to 775, only owner and users in the www-data group will be able to edit files in /var/www.

          • Thanks for your input ... I understand how it works now (I've been struggling with perms for a while) ....

            However, if the user www-data has ALL privileges ALL the time, does that not make a website more prone to outside attack (script injection etc.) ... ?
