Question
Proper permissions for web server's directory
I have a doubt that I think is very basic but to which strangely I couldn’t find a concrete answer no matter how much I’ve googled for it.
When configuring a web server (Nginx, in my case), most people recommend setting the permissions as follows:
- Create a new user other than root, and add it to the www-data group.
- Set the ownership of /var/www to the www-data user and www-data group.
- Directories 755
- Files 644
This means that:
- The user owner of the directory (www-data) can read, write and execute.
- The assigned group (www-data, where my user is) can read and execute, but not write.
- Everyone else can read and execute, but not write.
The problem with this is that, if the permissions are set in this way, I can’t edit files from the FTP because my user doesn’t have write permissions; this would require allowing the group to write, adjusting the permissions like this:
- Directories 775
- Files 664
However, I don’t know if this could be a security issue, or why people recommend doing it the other way if it doesn’t work through FTP. So, what is the most appropriate way to set permissions for the server directory?
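An added example, not part of the original question: the two schemes above (755/644 and 775/664) applied to a constructed scratch tree, with a count of which entries become writable by someone other than the owner. The function names and the sample file names are hypothetical.

```shell
#!/bin/sh
# Added example: compare the two permission schemes from the question on a
# scratch tree. All paths are constructed; nothing touches /var/www.

# Apply a scheme: $1 = root, $2 = directory mode, $3 = file mode.
apply_modes() {
    find "$1" -type d -exec chmod "$2" {} +
    find "$1" -type f -exec chmod "$3" {} +
}

# Count entries under $1 that the group or "everyone else" can write to.
count_writable_by_non_owner() {
    find "$1" \( -perm -020 -o -perm -002 \) | wc -l | tr -d ' '
}

# Count entries under $1 that "everyone else" can write to.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Build a constructed sample site: 2 directories and 3 files (5 entries).
make_sample_site() {
    site=$(mktemp -d) || return 1
    mkdir "$site/css"
    : > "$site/index.html"
    : > "$site/index.php"
    : > "$site/css/style.css"
    echo "$site"
}

# Demonstration on the scratch tree.
demo_site=$(make_sample_site)

apply_modes "$demo_site" 755 644
echo "755/644: $(count_writable_by_non_owner "$demo_site") writable by group/others"

apply_modes "$demo_site" 775 664
echo "775/664: $(count_writable_by_non_owner "$demo_site") writable by group/others," \
     "$(count_world_writable "$demo_site") writable by everyone else"

rm -rf "$demo_site"
```

The only difference between the two schemes is the group write bit; neither one grants write access to everyone else. Pointing the two count functions at a real web root lists how far it deviates from either scheme.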
Does nginx use www-data as the user? I know apache does, but not sure about nginx.
In answer to your question: The tighter your permissions, the less likely you are to have problems. In other words, you always want to err on the side of caution.
In college, my Networking Instructor said the rule of thumb is: only give users permissions where they need them.
If you are working on a site, you can set things a little more relaxed, and then tighten your permissions when you have finished development.
My experience is that there are some files you will edit, and then tighten permissions to 600 after editing. For example, if you are running WordPress, it is not necessary to grant 664 access to the configuration file (wp-config.php), since only the web-server needs access to that file.
In summary:
@sierracircle: Thanks for your answer. Yes, Nginx works by default with the www-data user (for compatibility reasons with Apache, I think).
I find it a bit annoying changing the permissions each time I’m going to access by FTP, but certainly it would be good for security.
I’ve seen that shared hostings usually have this set of permissions:
I don’t know how they do it, but I guess they:
This makes it possible to have the permissions as 755 and 644 while allowing full access by FTP and also with minimal risk.
However, it’s just an idea and I haven’t seen anyone recommending doing it this way.
Does anyone know if they really do like this and if it would be advisable to do so?
@sierracircle @ManuelFte
How do you know what permissions that group/user has?
And can you apply default permissions for folders/files, or do I have to do it manually?
I have nginx and I didn't know what to do so: