
Permissions on folder for Apache 2


kzn

Hi

I have configured a LAMP server as follows and I am not sure how the permissions should be set for the folder holding the site:
I have created a folder under root called sites
The sites folder is made up as follows:
sites/mysite1/public - this contains php files/folders
sites/mysite1/logs - this contains the log files

The permissions for the folders are as follows:
drwxr-xr-x apache apache

Is what I have done correct? Some forums mention 755 access and 644 for the php files. I obviously want to make this as secure as possible. Please let me know your thoughts.

Many thanks
 
Assuming that your web server is running as "apache", and that all of the files and directories are owned by "apache", you should be able to get away with 500 on directories and 400 on files, except for logs which have to be writable.

Just remember that the web server has to be able to read the files & directories, and maybe write if you're handling uploads.
 
Hi Kjarner, thanks for the reply, yes the server is running with the user apache and the files and directories are owned by apache. So you are saying
dr-x------ apache:apache for directories
r-------- apache:apache for files

Is read only used for html files and execute for php files?

I do plan to have an upload folder but I think the safest thing is to put it outside of the web directory?
 
Should I have root as the owner?
 
If you created the directories as root, then root is the owner and you will not be able to do much more than read the files. In most cases you would have scripts that need to write to files and that is where you would run into problems. If you plan on uploading to these sites via FTP, then you would really have a problem. What I would do is set directories to 755 and files to 644; this is the most common. Then I would chown the directories you have already created to a regular user.

Example: chown -R kzn:kzn /sites

In the example above, kzn would be both owner and group for /sites and all directories below it. If you want this user to just own one site then you would chown /site1 instead. If you plan to host sites for other users, and you are not using "UserDir" then you can have their home directory specified and created when you create the user.
 
I gave 500 & 400 as examples of what's possible, not necessarily what's easiest. There's no need for execute permission on files, for instance, and no user but your web server user (e.g. "apache", etc.) needs to be able to read them for your site to work.

Clearly if you set your permissions so strict that only the owner can read the files & directories, then changing the owner to "root" would prevent "apache" from reading anything. Hence the more common permissions that allow anyone to read but only the owner to write. This also allows the web server to handle uploads, which won't work if the permissions are read-only.

If you put your uploads outside of the web root, then remember that they won't be available for download without some application to read & deliver them. You can't just create a link to something that's not under the web root.

I use 755 for directories and 644 for files, with apache as the owner of both.
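
An added example, not part of the original thread: shell functions that apply the directory/file modes discussed above (755/644 or 500/400) to a site tree and then audit it for wrong owners, wrong modes and world-writable entries. The function names and the constructed demo tree are assumptions; the demo uses the current UID in place of "apache" so it runs on any machine.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# apply_modes ROOT DIR_MODE FILE_MODE
# Set DIR_MODE on every directory and FILE_MODE on every regular file.
apply_modes() {
    find "$1" -type d -exec chmod "$2" {} +
    find "$1" -type f -exec chmod "$3" {} +
}

# audit_tree ROOT OWNER DIR_MODE FILE_MODE
# Print one line per entry that deviates; print nothing if the tree is clean.
audit_tree() {
    find "$1" ! -user "$2" -print | sed 's/^/owner: /'
    find "$1" -type d ! -perm "$3" -print | sed 's/^/dir-mode: /'
    find "$1" -type f ! -perm "$4" -print | sed 's/^/file-mode: /'
    # Anything writable by "other" lets every local account modify the site.
    find "$1" ! -type l -perm -0002 -print | sed 's/^/world-writable: /'
}

# Constructed demo tree using the public/ and logs/ layout from the first post.
# Assumption: the current UID stands in for "apache" so this runs anywhere.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/mysite1/public/inc" "$t/mysite1/logs"
    : > "$t/mysite1/public/index.php"
    : > "$t/mysite1/public/inc/db.php"
    : > "$t/mysite1/logs/access.log"
    chmod 777 "$t/mysite1/public/inc"         # deliberately too loose
    chmod 666 "$t/mysite1/public/inc/db.php"  # deliberately too loose
    echo "before:"; audit_tree "$t/mysite1" "$(id -u)" 755 644
    apply_modes "$t/mysite1" 755 644
    echo "after:";  audit_tree "$t/mysite1" "$(id -u)" 755 644
    rm -rf "$t"
}
demo
```

On a real server, pass the web server account as OWNER, for example `audit_tree /sites/mysite1 apache 755 644`.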
 