How to setup permissions for a webserver on Linux

It is important to use the right permissions in the web directories on your servers; otherwise you can end up with serious security flaws, such as allowing the wrong users to make changes to your website.

To choose the correct permissions for your site, we need to look at which requirements you have:

  • Developers need to be able to read and write so they can make changes to files
  • Developers also need read, write and execute on all directories so they can browse them
  • The web server needs read on files and scripts
  • The web server needs read and execute on directories
  • The web server needs read, write and execute to upload directories

You will need to create a group for the developers. If your server hosts multiple websites, it’s good to give each site its own group. That way developers can’t make changes to sites they aren’t allowed to work on, and if an account gets hijacked, the damage will be contained to the site that user has access to.

To create a group, run the following command:

groupadd dev-example

Add the developers to the group:

usermod -a -G dev-example BobTheDeveloper
usermod -a -G dev-example AnotherDeveloper

Now it’s time to set ownership and permissions on the web directory. Set root as the owner of the web directories:

chown -R root exampleSite

Add the developer group as the owner group to the web directories:

chgrp -R dev-example exampleSite

Now set the permissions:

chmod -R 775 exampleSite

Setting the permissions to 775 ensures that the owner and the group have read, write, and execute, while all other users have only read and execute. If there are any specific subfolders that the web server needs to write to, make the web server user the owner of that specific folder:

chown -R www-data uploads
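The whole sequence above, wrapped in a script that applies the layout and then audits it with find, as an added example (not code from the original post). It reuses the post's names (exampleSite, dev-example, www-data, uploads) as parameters; the demo function builds a scratch tree under mktemp and uses the current user as both owner and "web server" so it can run unprivileged, while the commented call shows the real invocation as root.

```shell
#!/bin/sh
# Added example, not from the original post: apply the per-site permission
# layout (owner root, per-site developer group, 775 everywhere, upload directory
# handed to the web server user) and audit the tree afterwards.
set -eu

# setup_site_perms SITE OWNER GROUP WEB_USER UPLOAD_SUBDIR
# Reproduces the post's chown / chgrp / chmod sequence.
setup_site_perms() {
    site=$1; owner=$2; group=$3; web_user=$4; uploads=$5
    chown -R "$owner" "$site"               # developers cannot take ownership
    chgrp -R "$group" "$site"               # the per-site developer group
    chmod -R 775 "$site"                    # u=rwx g=rwx o=rx, as in the post
    chown -R "$web_user" "$site/$uploads"   # only here may the web server write
}

# check_site_perms SITE OWNER GROUP WEB_USER UPLOAD_SUBDIR
# Prints every path that deviates from the layout; returns 1 if any were found.
check_site_perms() {
    site=$1; owner=$2; group=$3; web_user=$4; uploads=$5
    [ -d "$site/$uploads" ] || { echo "missing upload dir: $site/$uploads"; return 1; }
    violations=$(
        # "other" must never get write anywhere in the tree
        find "$site" -perm -002 -print | sed 's/^/world-writable: /'
        # anything that is not exactly 775 has drifted from the layout
        find "$site" ! -perm 775 -print | sed 's/^/mode not 775: /'
        # every path must belong to the site's developer group
        find "$site" ! -group "$group" -print | sed 's/^/wrong group: /'
        # outside the upload tree the owner must be $owner (root on a real host)
        find "$site" -path "$site/$uploads" -prune -o ! -user "$owner" -print \
            | sed 's/^/wrong owner: /'
        # inside the upload tree the owner must be the web server user
        find "$site/$uploads" ! -user "$web_user" -print \
            | sed 's/^/upload not owned by web user: /'
    )
    if [ -n "$violations" ]; then
        printf '%s\n' "$violations"
        return 1
    fi
    return 0
}

# demo_scratch_site: throwaway tree under mktemp, current user as owner and
# "web server" so it runs unprivileged. On a real host the call would be:
#   setup_site_perms /var/www/exampleSite root dev-example www-data uploads
demo_scratch_site() {
    me=$(id -un); mygroup=$(id -gn)
    base=$(mktemp -d)
    site=$base/exampleSite
    mkdir -p "$site/uploads" "$site/css"
    printf '<html></html>\n' > "$site/index.html"      # constructed sample content
    : > "$site/uploads/keep"
    setup_site_perms "$site" "$me" "$mygroup" "$me" uploads
    check_site_perms "$site" "$me" "$mygroup" "$me" uploads || return 1
    # Introduce a world-writable file: the audit must flag it.
    chmod o+w "$site/index.html"
    if check_site_perms "$site" "$me" "$mygroup" "$me" uploads >/dev/null; then
        echo "audit missed a world-writable file"
        return 1
    fi
    rm -rf "$base"
    echo "ok"
}
```

The audit mirrors the post's layout exactly, so it expects mode 775 on every path; note that `chmod -R 775` sets the execute bit on regular files as well as on directories, which is why the check does not distinguish between the two. Running `check_site_perms` from cron gives a cheap drift detector for the one property the post cares about: "other" never gets write, and only the upload tree belongs to the web server user.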

Now developers can make changes to the site, and the web server can only write where it needs to. This ensures that an attacker who manages to upload and run code on the server can’t overwrite the whole site.
