The right folder permissions for a website on a Linux server

Say you have a website running on Linux. What are the correct permissions for the folder that contains the HTML, CSS, images, JavaScript files and so on?

This is something that has been bugging me since my day one of web development. In this article I want to sort it out for good.

Prerequisites

The website is stored on a Linux server such as Ubuntu and is served by a web server such as Apache or Nginx. You are the project owner and the sole user responsible for maintaining it.

The site is made of static content like CSS, images, HTML pages as well as some dynamic content generated by the web server on the fly — for example, a PHP script that manages file upload. So the web server needs to read the static content in order to display it to the public, as well as write data into the site folder as instructed by the script files.

Finally, let's pretend your user is called john, the website folder is located in /var/www/my-website.com/ and the web server belongs to the www-data user group.

Set the folder permissions

Your user will be the owner of the website directory and will have full read, write and execute permissions. The web server will be the group owner and initially will have read and execute permissions, except for some folders where it will have write access. No one else will be allowed to mess around with the whole website directory.

To get started, log in to your server and run the four commands below.

1: set your user as the owner

chown -R john /var/www/my-website.com/

This command sets john as the owner of every file and folder inside the directory (-R stands for recursive).

2: set the web server as the group owner

chgrp -R www-data /var/www/my-website.com/

This command sets www-data as the group owner of every file and folder inside the directory. Recursive mode, as above.

3: 750 permissions for everything

chmod -R 750 /var/www/my-website.com/

The third command sets the permissions: read, write and execute (7) for the owner (i.e. you), read and execute (5) for the group owner (i.e. the web server), zero permissions at all (0) for others. Once again this is done on every file and folder in the directory, recursively.

4: new files and folders inherit group ownership from the parent folder

chmod g+s /var/www/my-website.com/

The last command makes all files and folders created within the directory automatically take on the group ownership of the parent folder, that is, your web server's group. The s flag is a special mode bit that represents setuid/setgid; applied to the group of a directory (g+s), it is the setgid bit. In simple words, new files and directories created by the web server will have the same group ownership as the my-website.com/ folder, which we set to www-data with the second command.

When the web server needs to write

If you have folders that need to be writable by the web server, you can just modify the permission values for the group owner so that www-data has write access. Run this command on each writable folder:

chmod g+w /var/www/my-website.com/<writable-folder>

For security reasons apply this only where necessary and not on the whole website directory.
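
To check that a directory tree still matches the four steps and the writable-folder rule above, the following audit script can be run at any time. It is an added example, not part of the original article; the function names, the uploads folder and the demo tree are constructed for illustration.

```shell
# Added example: audit_webroot ROOT OWNER GROUP [WRITABLE_DIR ...]
# Prints "check: path" per deviation and returns 1 if there is any.

under_writable() {   # PATH DIR...: is PATH one of the DIRs or inside one?
    p=$1; shift
    for w in "$@"; do
        case "$p" in "${w%/}"|"${w%/}"/*) return 0 ;; esac
    done
    return 1
}

audit_webroot() {
    root=${1%/}; owner=$2; group=$3; shift 3
    findings=$(
        {
            # Steps 1 and 2: owner and group owner of every entry.
            find "$root" ! -user "$owner" -exec printf 'owner: %s\n' {} +
            find "$root" ! -group "$group" -exec printf 'group: %s\n' {} +
            # Step 3: "others" hold no permission bit (symlink modes are ignored).
            find "$root" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
                -exec printf 'other-access: %s\n' {} +
            # Step 4: chmod g+s was not recursive, so list directories lacking setgid.
            find "$root" -type d ! -perm -2000 -exec printf 'no-setgid: %s\n' {} +
            # Group write belongs only on the folders passed as WRITABLE_DIR.
            find "$root" ! -type l -perm -020 -exec printf 'group-write: %s\n' {} +
        } | while IFS= read -r line; do
            # Inside a writable folder the web server creates files under its own
            # account, so owner and group-write deviations are expected there.
            case "$line" in (owner:*|group-write:*)
                if under_writable "${line#*: }" "$@"; then continue; fi ;;
            esac
            printf '%s\n' "$line"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (not from the article) with three planted deviations.
demo() {
    d=$(mktemp -d); mkdir -p "$d/site/uploads" "$d/site/css"
    : > "$d/site/index.html"; : > "$d/site/css/site.css"
    chgrp -R "$(id -g)" "$d/site"; chmod -R 750 "$d/site"
    chmod g+s "$d/site" "$d/site/uploads"; chmod g+w "$d/site/uploads"
    chmod o+r "$d/site/index.html"; chmod g+w "$d/site/css/site.css"
    audit_webroot "$d/site" "$(id -u)" "$(id -g)" "$d/site/uploads" | sed "s|$d/||"
    rm -rf "$d"
}
```

With the names used in this article the call would be: audit_webroot /var/www/my-website.com john www-data /var/www/my-website.com/<writable-folder>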

Comments
Pedro on November 24, 2019 at 14:54
This is exactly what I needed. Thank you <3
Mo on December 20, 2019 at 22:14
Perfect straight to the point, nice work :)
Rabeya on February 25, 2020 at 03:07
you saved my day.. :)
Jake on April 21, 2020 at 06:54
Thanks a million, very succinct and helpful!
Jochen on May 05, 2020 at 19:14
And if you have SELinux enabled and need to write into some folders, then those need to get a special context:
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/my-website.com(/.*)?"
Note the "rw" part. The last parameter is a regexp, so you'll need to handle the dots in the path.
After semanage, you always also need to do:
sudo restorecon -R /var/www/my-website.com/
Ajay on May 08, 2020 at 08:17
Hi, Thanks !
Thanks for a cool answer to a very important yet most confusing aspect of the server / application setup. I also have a question. What if the users of the app need to upload their pics as part of signup? Would it be safe to add them to the writable folder at /var/www/my-website.com/ ? Would it not be safer to save them into a folder above the docroot, say at /var/www// ? This is believed to be most secure from what I have read, but I do see security implications since the server can traverse above the document root and that could be dangerous with write access to the writable folder? I would be grateful for a clarification. Thank you.
Triangles on May 15, 2020 at 09:37
@Ajay that's a good question. I suppose that with the right privileges and folder permissions, uploading to /var/www/my-website/uploads should be safe. Don't take my words for granted, though. I'll update this post as soon as I gather additional information. Thanks :)
Thanks a lot on May 26, 2020 at 19:55
Superb
Karthik on May 27, 2020 at 08:14
Thanks a lot, superb.
Kuliphex on August 10, 2020 at 01:45
Good article; however, since your goal here was clarity, it would be a good idea to clarify that the commands shown may need to be issued using a "sudo" prefix (or gods forbid, as #root). Not all readers can figure this out from context.
Rajesh on September 20, 2020 at 15:06
Simply explained. Great
hoang on September 22, 2020 at 08:22
Thanks
Chinmay on November 07, 2020 at 06:21
How do I adjust this with php-fpm in the picture?
Triangles on November 07, 2020 at 10:16
@Chinmay honestly I'm not familiar with php-fpm, any additional input is welcome :)
Jorge Gonzalez on February 05, 2021 at 20:09
Thanks.
Ulca on March 31, 2021 at 20:00
Good article!
Sundaralakshmi A on May 06, 2021 at 15:38
Exactly what I want. Thank you so much!
LM on August 26, 2021 at 12:07
Thank you so much! It is people like you that make the web a much better place. Very helpful. Thanks again. :-)
Pat on September 13, 2021 at 11:19
Thank you. Straight to the point and it works.
Selemani on September 18, 2021 at 11:01
Nice article. Works like a charm
Mario on October 14, 2021 at 20:24
Thanks! Today I can fix my localhost following your article!
Kevin on January 26, 2022 at 13:45
Thanking you - I'm referencing this bi-weekly for production servers!
Mica on January 28, 2022 at 14:36
Best article! No fluff, straight to the point. Thank you!!
vik on March 19, 2022 at 03:10
that's what I was looking for. Thanks
Jurgen on May 18, 2022 at 10:34
Brilliant, thanks!
Mike on May 19, 2022 at 16:46
I know I am a bit late to the party here, but great article. Very simple and straightforward. As to @Chinmay's question about php-fpm, I believe that is "proxied" through the web server, so there shouldn't be any additional configuration needed.
caterpillar on September 03, 2022 at 09:00
Awesome. Exactly what I was searching for more than a day! Thank you so much for the article.
Leroy on October 06, 2022 at 13:00
Excellent, thank you for such clarity!
Joe on December 12, 2022 at 17:52
I love you.
TMK on April 12, 2023 at 14:00
First advice on this hassle that works.
Les Johnson on May 02, 2023 at 23:29
Thank you. Nice and to the point. :)
Egidio on September 09, 2023 at 23:27
chmod -R 750 /var/www/my-website.com/

You are making all files in the directory executable, and you don't want to do that. The executable bit on directories means you can traverse the directory, but on files it means you can execute them as a program. You want to set directories to 750 and files to 640 instead; you can set them with find:

# Set all directories to 750
find /var/www/my-website.com/ -type d -exec chmod 750 {} +
# Set all files to 640
find /var/www/my-website.com/ -type f -exec chmod 640 {} +
Goldin Bennet on February 07, 2024 at 05:26
Thank you.