@abderbij
Generally, when setting up directory structure, everything other than the public directory should be owned by root – the rest by the user and group that needs read/write access. For example, if you’re using /var/www/html, then both /var and /var/www should be owned by root and /var/www/html should be owned by www-data (in your case).

Normally I shy away from using /var and stick with /home and create individual directories for each user and site. For example:

/home/sammy/htdocs/public

In the above, /home should already be owned by root (by default) and /home/sammy should as well. Beyond that, /home/sammy/htdocs and down is owned by sammy – all files and directories. All files are chmod 644 and all directories are at max chmod 755 with some limited to 750.

You can, of course, further lock down permissions, though you have to be careful.

This is one reason why I use NGINX and PHP-FPM over Apache and mod_php. Instead of Apache and a single user (in most default configurations), NGINX runs as one user (normally nginx) and separate pool files are set up for each PHP-FPM instance, thus preventing a single user from needing to own all files and directories.

All users are basic users with only the permissions they need (which is normally SFTP access at most) and nothing more. They can’t log in to shell (via SSH) – only SFTP. The root user owns the base directories and the user:group that PHP-FPM is running as owns the rest (the public-facing directories).
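As an added example (my own script, not part of the post above), the following shell functions audit and normalise a site tree against the mode policy described here: files 644, directories 755 with 750 allowed. The function names and the constructed temporary tree are my assumptions; ownership (chown to root, sammy or the PHP-FPM user) is deliberately left to the administrator because it requires root.

```shell
#!/bin/sh
# Audit/apply the file-mode policy from the post: files 644, dirs 755 (750 tolerated).
# Helper names (audit_site_perms, apply_site_perms, demo_tree) are assumptions of
# this example, not anything from the original reply.
set -u

# Print every path that deviates from the policy; return 1 if any, 0 if clean.
audit_site_perms() {
    dir=$1
    bad=$(
        find "$dir" -type f ! -perm 644
        find "$dir" -type d ! -perm 755 ! -perm 750
    )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Normalise a tree to the policy: directories 755, files 644.
# Tighten individual directories to 750 afterwards where needed.
apply_site_perms() {
    dir=$1
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
}

# Constructed sample tree mirroring /home/sammy/htdocs/public, with one
# deliberately over-permissive file so the audit has something to flag.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/htdocs/public"
    printf '<?php echo "hi";\n' > "$root/htdocs/public/index.php"
    chmod 777 "$root/htdocs/public/index.php"
    printf '%s\n' "$root"
}

# Usage: sh audit.sh /home/sammy/htdocs
if [ $# -eq 1 ]; then
    audit_site_perms "$1" && echo "ok: $1 matches policy"
fi
```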