Files permissions for apache workdir

Written on Tuesday March 16, 2021 - Permalink - Tags: chmod, linux, server, apache, security


Workdir, directory which contains web page files exposed by HTTP Server in this case apache2 should have suitable permissions.

Those permissions are not required for correct working of web content but are recommended for production environment due to various types of vulnerabilities and the structure of web pages.


Linux system have build-in tools which we can use for granting permissions:

chown - change file owner and group
chmod - change file mode bits
chgrp - change group ownership     

required parameters, options and operators:

-R, --recursive
       operate on files and directories recursively
g - other users in the file's group
o - other users not in the file's group
+ - operator causes the selected file mode bits to be added to the existing file mode bits of each file
- - operator causes the selected file mode bits to be removed from the existing file mode bits of each file
r - read
w - write
x - execute (or search for directories)

Default user, group and location for web pages files:

user: www-data
group: www-data
location: /var/www

Setting permissions

Recommended permissions for default user, group and location:

sudo chown -R www-data:www-data /var/www
sudo chmod go-rwx /var/www
sudo chmod go+x /var/www
sudo chgrp -R www-data /var/www
sudo chmod -R go-rwx /var/www
sudo chmod -R g+rx /var/www
sudo chmod -R g+rwx /var/www

Alternative version of (more restricted) permissions

sudo chown -R www-data:www-data /var/www
sudo find /var/www -type d -exec chmod 2750 {} \+
sudo find /var/www -type f -exec chmod 640 {} \+

Additional permissions

For remote access (SSH/FTP/SFTP) and applications purpose (fronted operations eg. making new subdirs) files with public access should be granted recursively with open 777 (read/write/execute for everyone) permissions:

sudo chmod -R 777 /var/www/html/public