Recommended user:group and directory permissions for web directory?

August 12, 2019 208 views
Nginx Ubuntu 18.04

What is the recommended user, group and directory permissions for the webroot directory?

Let say I have the below directory structure,

/var/www/

     /website-1/htm/
          index.html


     /website-2/html/
          index.html

Currently, I have

drwxr-xr-x  7 root root   4096 Jun 23 14:52 www

drwxr-xr-x 3 root root 4096 Jun 13 04:47 website-1
drwxr-xr-x 3 root root 4096 Jun 23 14:52 website-2

drwxrwxr-x 3 myuser myuser 4096 Aug  8 07:10 html

As you can see, the html folder is owned by my current user and group. I know this is not correct.
I’ve read that it should be www-data but again others I’ve read also are using root and even user accounts.

What would be the “best” recommended user:group and permission?

2 Answers

Hello, I don’t know if I understood your question well but I had problems with the permissions on my site and the answer to this question helped me a lot, I also wait for you

[https://stackoverflow.com/questions/3740152/how-do-i-change-permissions-for-a-folder-and-all-of-its-subfolders-and-files-in](http://)

  • I’m looking for the most secure permissions and what user/group should I give to the root folder of my website, which is the html folder.

    I’m asking coz’ I’ve seen a lot of old articles that suggest root as the user and group. Others suggest www-data and others suggest a normal user with specific permissions.

    As well as arguments, with 775 vs 755 permissions.

    To be honest, I’m confused on what to follow hence I asked.

    • Hi bontokiz,

      I’m not sure where you checked permissions 775 are a good idea however they are too permissive. I wouldn’t recommend using them.

      The standard is actually 755 for folders. Some setups actually use 750 but that’s a different story if you actually host multiple clients on the same server.

      If you are hosting your own website, then using 755 should be fine.

      Kind regards,
      Kalin D.

      • Hi Kdimitrov,

        It wasn’t really mentioned as a “good idea” recommendation but it’s what mostly solved other issues.

        I will stick with 755 then.

        What about the user and group? www-data:www-data?

        • Hi bontokiz,

          I see, it would explain why it was suggested as an answer, as it’s more permissive but yes, sticking with 755 is the better option.

          Regarding the user and group, you’ll need to check in which groups does the www-data user belong to

          groups www-data
          

          Once you know which groups it belongs to, you can set the ownership to them, so let’s say it belongs to the groups www-data and root, you can either set it as

          www-data:root or www-data:www-data whichever you like in this case.

          Kind regards,
          Kalin D.

          • Hi,

            Thank you.
            Last question, should I change all the files and directories inside the html folder to 644 as again suggested in most other forums?

            Or should I just run chmod -R 755 html to change the root folder and everything inside it?

          • Hi there,

            folders and files usually have different permissions.

            For folders as we discussed, the standard is 755 and for file it’s 644. Having said that, you can run something like

            find . -type d -exec chmod 755 {} \; && find . -type f -exec chmod 644 {} \;
            

            Please note this will find all files and folders and change their permissions respectively to 644 and 755 in your current directory recursively. This would mean you need to be sure you are in the correct directory before running the above command.

            Another thing you can do is to specify the directory in the command itself

            find /path/to/directory -type d -exec chmod 755 {} \; && find /path/to/directory -type f -exec chmod 644 {} \;
            

            I personally prefer the second method but it’s up to you.

            Kind regards,
            Kalin D.

Hi @Kdimitrov

Once again, thanks for the help.

With 755, the group has no Write permissions. This is a problem for my setup because I have another user that uploads/edits the site.

Do you think it’s okay if I will change the /var/www/website/html directory permission to 775 to allow groups from uploading?
And all files and directories inside html will be 644 and 755 respectively.

Also, what’s your take on setting the permissions and user:group of newly created or uploaded files automatically? Ways I’ve read so far are umask and setgid.

  • Hi bontokiz,

    I’m happy to help!

    If your setup it’s like that, then yes you can set the permissions of the folder to 775. Having said that, I wouldn’t suggest deploying this kind of setup on a droplet intended for hosting multiple separate websites.

    What I would do is create the users with sudo access so they can actually switch as the proper user.

    Regarding newly creating files to automatically be created with 644 permissions and files with 755, umask is the way to go.

    Kind regards,
    Kalin D.

Have another answer? Share your knowledge.