File and Directory Ownership and Permissions for Web Content

A frequent question regarding file/directory permissions for web content is what they should be for a "secure" system. In fact the same rules apply regardless of the type of system you are building: the content should be readable by the user httpd runs as, and writable only by the people who edit it.

Apache HTTP Server UID/GID

Before we start, we need to be aware that the Apache HTTP server (httpd) runs as a particular user and group.

On Linux as well as most other Unix-like systems, httpd is started as the "root" user; UID=root, GID=root. This is necessary because only root (or, on Linux, a process granted the CAP_NET_BIND_SERVICE capability) can bind to ports 80 and 443 (anything below 1024, in fact).

After httpd starts and binds to its ports (defined by the Listen statements in httpd.conf), the parent process stays root, but the child processes that actually serve requests switch to the user and group specified in httpd.conf. Typically:

User   apache
Group  apache

Note that Debian based systems, including Ubuntu, use "www-data" instead.

Using Unix Groups

Most users will want to be able to modify their content without being root. The easiest way to achieve this is through the use of Unix Groups; you create a group to which you add your content editing user, then you add the httpd user to that group.

Note that this doesn't easily extend to more than one user who needs to edit the files: a second editor could only write through group membership, which means setting group write on the files, and since the httpd user is in the same group it would then be able to write to the content as well. To give several editors write access while keeping httpd read-only, one needs to use ACLs.

For example, we have a user "alice" who needs to edit our content, stored in /var/www/html/

First we create the content group, then we add both alice and apache to it. Note the -a flag: without it, usermod -G replaces the user's supplementary groups instead of appending to them, which would silently drop alice (or apache) from any other groups they belong to.

# groupadd web-content
# usermod -a -G web-content alice
# usermod -a -G web-content apache

Now we need to set the right permissions on our files.

# chown -R alice:web-content /var/www/html
# find /var/www/html -type f -exec chmod 640 {} \;
# find /var/www/html -type d -exec chmod 750 {} \;

What we've done here is to set all files to 640, or rw-r-----, and directories to 750, or rwxr-x---. Because the group "web-content" is applied to all the files and directories, httpd can read these files (and traverse the directories), but cannot write to them; alice, as the owner, can. Two things to keep in mind: group membership is evaluated when a process starts, so httpd must be restarted (and alice must log in again) before the new group takes effect; and files alice creates later will get her primary group, not web-content, unless the directories carry the setgid bit (chmod g+s) or she changes the group herself.
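The following script is an added example, not part of the original page, that applies the 640/750 scheme from the commands above to a content tree, sets the setgid bit on the directories so that files created later inherit the content group, and then audits the tree for anything that is group- or world-writable (group write being exactly what would let the httpd user modify content). It assumes GNU find and stat (Linux). The groupadd, usermod and chown steps need root and are not repeated here; the sample tree it builds is constructed for the demonstration and uses the current user's own group.

```shell
#!/bin/sh
# Added example: enforce and audit web-content permissions.
# Assumes GNU coreutils/findutils. Run "chown -R alice:web-content DIR"
# as root before this on a real tree; this script only changes modes.

# Build a small constructed sample tree with two deliberately bad modes.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/images" "$dir/includes"
    echo '<html></html>' > "$dir/index.html"
    echo 'GIF89a' > "$dir/images/logo.gif"
    echo '<?php ?>' > "$dir/includes/config.php"
    chmod 666 "$dir/includes/config.php"   # world-writable: httpd could alter it
    chmod 777 "$dir/images"                # world-writable: httpd could drop files here
    printf '%s\n' "$dir"
}

# Files become rw-r----- (640); directories become rwxr-s--- (2750).
# The setgid bit makes new files inherit the directory's group, so content
# alice adds later stays readable by the httpd user without a manual chgrp.
apply_web_perms() {
    root=$1
    find "$root" -type f -exec chmod 640 {} +
    find "$root" -type d -exec chmod 2750 {} +
}

# Audit: list every path with group or other write bits set (-perm /022 matches
# any of those bits). Returns 1 if anything is found, 0 if the tree is clean.
find_writable() {
    root=$1
    found=$(find "$root" -perm /022 -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Octal mode of a path, e.g. 640 or 2750 (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# Stand-alone demonstration on the constructed tree.
tree=$(make_sample_tree)
find_writable "$tree" || echo "before: group/world-writable paths found (expected)"
apply_web_perms "$tree"
find_writable "$tree" && echo "after: nothing group/world-writable"
rm -rf "$tree"
```

Run find_writable periodically (or from a deployment hook) against /var/www/html; any output means something the httpd user could write to has crept in. For the multi-editor case the page points at ACLs: on Linux the equivalent of the group scheme would be "setfacl -R -m g:editors:rwX /var/www/html" plus the same rule with "-d" for the default ACL, so that editors get write access without the httpd user's group ever gaining it (assumed command, not from the page).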

FileSystemPermissions (last edited 2015-04-23 13:18:56 by RichBowen)