The right folder permissions for a website on a Linux server

Say you have a website running on Linux. What are the correct permissions for the folder that contains the HTML, CSS, images, JavaScript files and so on?

This is something that has been bugging me since my day one of web development. In this article I want to sort it out for good.

Prerequisites

The website is stored on a Linux server such as Ubuntu and is served by a web server such as Apache or Nginx. You are the project owner and the sole user responsible for maintaining it.

The site is made of static content like CSS, images, HTML pages as well as some dynamic content generated by the web server on the fly — for example, a PHP script that manages file upload. So the web server needs to read the static content in order to display it to the public, as well as write data into the site folder as instructed by the script files.

Finally, let's pretend your user is called john, the website folder is located in /var/www/my-website.com/ and the web server belongs to the www-data user group.

Set the folder permissions

Your user will be the owner of the website directory and will have full read, write and execute permissions. The web server will be the group owner and initially will have read and execute permissions, except for some folders where it will have write access. No one else will be allowed to mess around with the whole website directory.

To get started, log in to your server and run the four commands below.

1: set your user as the owner

chown -R john /var/www/my-website.com/

This command sets john as the owner of every file and folder inside the directory (-R stands for recursive).

2: set the web server as the group owner

chgrp -R www-data /var/www/my-website.com/

This command sets www-data as the group owner of every file and folder inside the directory. Recursive mode, as above.

3: 750 permissions for everything

chmod -R 750 /var/www/my-website.com/

The third command sets the permissions: read, write and execute (7) for the owner (i.e. you), read and execute (5) for the group owner (i.e. the web server), and no permissions at all (0) for others. Once again this is done on every file and folder in the directory, recursively.

4: new files and folders inherit group ownership from the parent folder

chmod g+s /var/www/my-website.com/

The last command makes all files and folders created within the directory automatically take on the group ownership of the parent folder, that is, your web server. The s flag is a special mode that represents setuid/setgid; used as g+s on a directory, it sets the setgid bit. In simple words, new files and directories created by the web server will have the same group ownership as the my-website.com/ folder, which we set to www-data with the second command.

When the web server needs to write

If you have folders that need to be writable by the web server, you can just modify the permission values for the group owner so that www-data has write access. Run this command on each writable folder:

chmod g+w /var/www/my-website.com/<writable-folder>

For security reasons apply this only where necessary and not on the whole website directory.
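
The layout produced by the four commands, plus the per-folder g+w exception, can be checked after the fact. The script below is an added example, not part of the original article: the function name audit_site and the finding labels are made up for illustration, and it assumes that anything beneath a listed writable folder may also be group-writable.

```shell
#!/bin/sh
# Added example: audit a site tree against the layout described above.
# Usage (paths and names from the article):
#   audit_site /var/www/my-website.com john www-data \
#       "/var/www/my-website.com/<writable-folder>"
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_site() {
    root=${1%/} owner=$2 group=$3
    shift 3   # remaining arguments: folders allowed to be group-writable
    findings=$(
        # Steps 1 and 2: every entry is owned by OWNER with group GROUP.
        find "$root" ! -user "$owner" -print | sed 's/^/wrong-owner /'
        find "$root" ! -group "$group" -print | sed 's/^/wrong-group /'
        # Step 3: "others" get no bits at all (symlink modes are not
        # meaningful on Linux, so symlinks are skipped).
        find "$root" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
            sed 's/^/other-access /'
        # Step 4: setgid on the site root so new entries inherit the group.
        find "$root" -prune ! -perm -2000 -print | sed 's/^/no-setgid /'
        # Group write is expected only on (or below) the listed folders.
        find "$root" ! -type l -perm -020 -print | while IFS= read -r entry; do
            allowed=no
            for dir in "$@"; do
                case $entry in "${dir%/}" | "${dir%/}"/*) allowed=yes ;; esac
            done
            [ "$allowed" = yes ] || printf 'group-writable %s\n' "$entry"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Source the file in a shell and call audit_site with the site root, the owner, the group and each writable folder; an empty result means the tree matches the layout.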

comments
Pedro on November 24, 2019 at 14:54
This is exactly what I needed. Thank you <3
Mo on December 20, 2019 at 22:14
Perfect straight to the point, nice work :)
Rabeya on February 25, 2020 at 03:07
you saved my day.. :)
Jake on April 21, 2020 at 06:54
Thanks a million, very succinct and helpful!
Jochen on May 05, 2020 at 19:14
And if you have SELinux enabled and need to write into some folders, then those need to get a special context:
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/my-website.com(/.*)?"
Note the "rw" part. The last parameter is a regexp, so you'll need to handle the dots in the path.
After semanage, you always also need to do:
sudo restorecon -R /var/www/my-website.com/
Ajay on May 08, 2020 at 08:17
Hi, thanks!
Thanks for a cool answer to a very important yet most confusing aspect of the server / application setup. I also have a question. What if the users of the app need to upload their pics as part of signup? Would it be safe to add them to the writable folder at /var/www/my-website.com/ ? Would it not be safer to save them into a folder above the docroot, say at /var/www// ? This is believed to be most secure from what I have read, but I do see security implications, since the server can traverse above the document root and that could be dangerous with write access to the writable folder? I would be grateful for a clarification. Thank you.
Triangles on May 15, 2020 at 09:37
@Ajay that's a good question. I suppose that with the right privileges and folder permissions, uploading to /var/www/my-website/uploads should be safe. Don't take my words for granted, though. I'll update this post as soon as I gather additional information. Thanks :)
Thanks a lot on May 26, 2020 at 19:55
Superb
Karthik on May 27, 2020 at 08:14
Thanks a lot, superb.
Kuliphex on August 10, 2020 at 01:45
Good article; however, since your goal here was clarity, it would be a good idea to clarify that the commands shown may need to be issued via a "sudo" prefix (or gods forbid, as #root). Not all readers can figure this out from context.
Rajesh on September 20, 2020 at 15:06
Simply explained. Great
hoang on September 22, 2020 at 08:22
Thanks
Chinmay on November 07, 2020 at 06:21
How to adjust this with php-fpm in the picture?
Triangles on November 07, 2020 at 10:16
@Chinmay honestly I'm not familiar with php-fpm, any additional input is welcome :)
Jorge Gonzalez on February 05, 2021 at 20:09
Thanks.
Ulca on March 31, 2021 at 20:00
Good article!
Sundaralakshmi A on May 06, 2021 at 15:38
Exactly what I want. Thank you so much!
LM on August 26, 2021 at 12:07
Thank you so much! It is people like you that make the web a much better place. Very helpful. Thanks again. :-)
Pat on September 13, 2021 at 11:19
Thank you. Straight to the point and it works.
Selemani on September 18, 2021 at 11:01
Nice article. Works like a charm
Mario on October 14, 2021 at 20:24
Thanks! Today I can fix my localhost following your article!