What permissions should my website files/folders have on a Linux webserver?

On a Linux web server, setting the correct permissions for website files and folders is crucial for security and functionality. Here are general recommendations for permissions on website files and folders:

Folder Permissions:

• Root Folder (/var/www/html or similar):
  • The root folder of your website should have permissions set to 755 (drwxr-xr-x).
  • The owner should typically be the web server user (e.g., www-data for Apache).
• Subfolders and Files:
  • Folders inside the root should generally have permissions set to 755 (drwxr-xr-x).
  • Files within the folders should have permissions set to 644 (rw-r--r--).

Special Folders:

• Upload Folders:
  • Folders where users can upload files should have stricter permissions, typically 755 for folders and 644 for files.
  • Ensure the uploaded files cannot be executed (e.g., PHP files) if it's not intended.
• Config Files:
  • Configuration files that contain sensitive information (database passwords, API keys, etc.) should have limited access.
  • Set permissions to 600 (rw-------) or 640 (rw-r-----), limiting access to the owner and specific groups that need access.

Ownership:

• Ownership should typically be set to:
  • User: The user that the web server runs as (e.g., www-data for Apache).
  • Group: The group that the web server belongs to (also often www-data for Apache).

Additional Tips:

• Avoid setting global write permissions if not necessary:
  • Giving write permissions to everyone (777) can pose security risks.
  • Limit write access to specific folders where necessary.
• Use chown and chmod commands:
  • Use these commands in the terminal to change ownership and permissions of files and directories.
  • For example:
    • sudo chown -R www-data:www-data /var/www/html
    • sudo chmod -R 755 /var/www/html
• Consider SELinux or AppArmor:
  • Security-Enhanced Linux (SELinux) or AppArmor can add an extra layer of security by defining policies that control access based on the defined security contexts.

It's important to find the right balance between security and functionality when setting file and folder permissions. Regularly review and update permissions to ensure your website remains secure. Be cautious with granting excessive permissions, especially to files that handle sensitive data or execute server-side code.

Got an article suggestion? Let us know

Explore more

Apache

How to generate a private key for the existing .crt file on Apache?

Unfortunately, this is not possible. You cannot generate a private key out of an existing certificate. If it would be possible, you would be able to impersonate virtually any HTTPS webserver.

Questions

How can I disable TLS 1.0 and 1.1 in apache?

Questions

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.