Question

Proper permissions for web server's directory

I have a doubt that I think is very basic but to which strangely I couldn’t find a concrete answer no matter how much I’ve googled for it.

When configuring a web server (Nginx, in my case), most people recommend setting the permissions as follows:

  • Create a new user other than root, and add it to the www-data group.
  • Set the ownership of /var/www to the www-data user and www-data group.
  • Directories 755
  • Files 644

This means that:

  • The user owner of the directory (www-data) can read, write and execute.
  • The assigned group (www-data, where my user is) can read and execute, but not write.
  • Everyone else can read and execute, but not write.

The problem with this is that, if the permissions are set in this way, I can’t edit files from the FTP because my user doesn’t have write permissions; this would require allowing the group to write, adjusting the permissions like this:

  • Directories 775
  • Files 664

However, I don’t know if this could be a security issue, or why people recommend doing it the other way if it doesn’t work through FTP. So, what is the most appropriate way to set permissions for the server directory?


Accepted Answer

I realize this is an old post, but it is one of the top search results on Google and I don’t feel like it has been adequately answered anywhere (lots of meandering to get to the point). So I wrote a blog post on the topic:

http://cubicspot.blogspot.com/2017/05/secure-web-server-permissions-that-just.html

To summarize, the best balance between security and usability is to make the web root owned by root, create and assign a specific group to the web root, chmod 775 the web root, chmod g+s on the web root, and assign all users who need to edit files to the newly created group.

addgroup sftp-users
adduser youruser sftp-users
adduser anotheruser sftp-users

chown root /var/www
chgrp sftp-users /var/www
chmod 775 /var/www
chmod g+s /var/www

The g+s sets the “sticky bit” for the group, which correctly propagates the group and the permissions to all files (they’ll be 664) and directories (775) as they are created. The number of directories that need ‘www-data’ as the owner should be kept to a bare minimum.
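An added example, not part of the answer above or its linked blog post: a POSIX shell sketch that audits a whole tree against the scheme in the answer (one editing group, directories 2775, files 664) and applies it recursively. The function names `audit_webroot` and `apply_webroot` are assumptions, and the example assumes the tree holds no files that must stay executable, since setting 664 strips execute bits.

```shell
#!/bin/sh
# Added example. audit_webroot and apply_webroot are assumed names.
# Usage: audit_webroot ROOT GROUP   (e.g. /var/www sftp-users)

# Print one line per entry that deviates from the scheme; no output means clean.
audit_webroot() {
    root=$1 group=$2
    # Wrong group: members of $group would not be able to edit these entries.
    find "$root" ! -group "$group" -exec printf 'group %s\n' {} +
    # Directories must be exactly 2775 (rwxrwsr-x): group-writable plus setgid.
    find "$root" -type d ! -perm 2775 -exec printf 'dirmode %s\n' {} +
    # Regular files must be exactly 664 (rw-rw-r--); this also flags 666 and 644.
    find "$root" -type f ! -perm 664 -exec printf 'filemode %s\n' {} +
}

# Bring an existing tree in line with the scheme.
apply_webroot() {
    root=$1 group=$2
    # Group first: chgrp can clear setgid, so modes are set afterwards.
    # -h changes a symlink itself, never a target that lies outside the tree.
    find "$root" -exec chgrp -h "$group" {} +
    find "$root" -type d -exec chmod 2775 {} +
    # Strips execute bits: re-add them by hand for any script that needs them.
    find "$root" -type f -exec chmod 664 {} +
}

# When called with two arguments, report only; applying is a separate step.
if [ "$#" -eq 2 ]; then
    audit_webroot "$1" "$2"
fi
```

Files created after the run take their mode from the umask of the session that creates them (a umask of 002 yields 664 and 775), so rerunning the audit periodically catches drift.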

Is there an automated way to set these permissions properly for all folders?

I’m new to DigitalOcean and I successfully created a droplet and set up an apache2 server. I uploaded all my website files to the var/www/html folder, but while accessing my website I am getting a "This Page isn’t working" error. Droplet IP: 139.59.56.242
