I have a doubt that I think is very basic but to which strangely I couldn’t find a concrete answer no matter how much I’ve googled for it.
When configuring a web server (Nginx, in my case), most people recommend setting the permissions as follows:
- Create a new user other than root, and add it to the www-data group.
- Set the ownership of /var/www to the www-data user and www-data group.
- Directories 755
- Files 644
This means that:
- The user owner of the directory (www-data) can read, write and execute.
- The assigned group (www-data, where my user is) can read and execute, but not write.
- Everyone else can read and execute, but not write.
The problem with this is that, if the permissions are set in this way, I can’t edit files from the FTP because my user doesn’t have write permissions; this would require allowing the group to write adjusting the permissions like this:
- Directories 775
- Files 664
However, I don’t know if this could be a security issue, or why do people recommend doing it the other way if it doesn’t work through FTP. So, what is the most appropriate way to set permissions for the server directory?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Accepted Answer
I realize this is an old post, but it is one of the top search results on Google and I don’t feel like it has been adequately answered anywhere (lots of meandering to getting to the point). So I wrote a blog post on the topic:
http://cubicspot.blogspot.com/2017/05/secure-web-server-permissions-that-just.html
To summarize, the best balance between security and usability is to make the web root owned by root, create and assign a specific group to the web root, chmod 775 the web root, chmod g+s on the web root, and assign all users who need to edit files to the newly created group.
addgroup sftp-users
adduser youruser sftp-users
adduser anotheruser sftp-users
chown root /var/www
chgrp sftp-users /var/www
chmod 775 /var/www
chmod g+s /var/www
The g+s sets the “sticky bit” for the group, which correctly propagates the group and the permissions to all files (they’ll be 664) and directories (775) as they are created. The number of directories that need ‘www-data’ as the owner should be kept to a bare minimum.
I’m new in Digital Ocean and I successfully created droplet and set up an apache2 server I uploaded all my website files in var/www/html folder but while accessing my website I am getting " This Page isn’t working error" Droplet IP -139.59.56.242
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.