Setting up an Apache web server: Permissions

Many people configuring a web server for the first time struggle with file and group permissions. Either the scripts don't execute properly, or they can't upload or modify files without getting a Permission Denied error. The "fix" they usually land on is chmod 777 (read, write and execute for everyone), which is very dangerous: any account on the system, and any process running as one of them (a vulnerable PHP application with an upload or file-write bug, for instance), can then drop a script into the document root and cause serious damage (erase the files, or even disrupt the OS if the rest of the system is weakly secured). I'm going to show you how to set up the permissions so that the server is both functional and safe.

Linux and other Unix-like operating systems have three permission classes: user (the file's owner), group, and other (everyone else, often called "world"). Each class can be granted read, write and execute, and that is exactly what the three digits of a chmod mode such as 640 encode. I'll illustrate it like this:

By default, each new user on most Linux distributions gets a private group of the same name and is its only member.

As you can see, the users John and Alex are each placed in a group of their own name. If a file is owned by John and grants access only to the owner and the group (for example chmod 740, 750 or 770), only John can reach it, because nobody else is in John's group. The lazy way to let Alex in is to give "other" access, which means everyone on the system. The correct way is to add Alex to the group that owns the file (John's primary group, or a secondary group that both belong to); the group permission bits then apply to both John and Alex and to nobody else.

If you install a web server like Apache, the package creates a dedicated user and group, and the server's configuration (the User and Group directives; on Debian/Ubuntu these are filled in from APACHE_RUN_USER and APACHE_RUN_GROUP in /etc/apache2/envvars) tells Apache to run as that account. On Debian and Ubuntu this is the user and group 'www-data'; Red Hat-based systems use 'apache'.

To serve the website to your visitors, the Apache process (running as www-data) needs read permission on the files and execute (search) permission on every directory leading to them. The problem is that John, who owns the files and needs to upload and modify them, is not in the www-data group, so the only permission class he and Apache share is "other". The quick fix is to give everyone read, write and execute permission, i.e. chmod 777 on the whole document root (VERY DANGEROUS!).

Every account on the system, and every process running as any of them (including a compromised web application), can now store scripts in your document root and have Apache execute them. This is not the approach you should be taking, no exceptions.

Instead there are two approaches.
1. Add John to the Apache group www-data, make www-data the group owner of the site files, and give that group read access everywhere and write access only where it is needed.
2. Create a new group (for example 'web'), configure Apache to run with this group (the Group directive), make John a member of it, and give that group the same permissions.

With either approach scripts run as they should, and the file owners can add and modify their files. Only upload locations need group write permission; everything else (especially configuration files) should be read-only for the group. With John as owner that means 660 for files in upload directories and 640 for all other files. Directories need the execute (search) bit as well, so they get 770 and 750 respectively, and setting the setgid bit on them (2770 and 2750) makes newly created files inherit the directory's group automatically instead of the creator's private group. The "other" class should have no write access anywhere under the document root.

Storing passwords
If you have files that contain passwords (database credentials, login secrets), the safest place for them is outside the document root altogether: then no Apache configuration mistake can ever serve them. If they have to stay under the document root, put them in a separate folder (I'll call it 'secure') and configure Apache (/etc/apache2/httpd.conf on older Debian setups; on current Debian/Ubuntu the main file is /etc/apache2/apache2.conf) to refuse HTTP requests for that folder. Scripts running on the server itself are unaffected, because PHP reads the file through the filesystem, not over HTTP. Add a Directory entry:

<Directory /path/to/secure/folder>
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
    Order Allow,Deny
    Deny from all
</Directory>

Now save the configuration file, check it with `apachectl configtest`, and restart Apache. Request a file in that folder with your web browser (or with `curl -I`): Apache should answer 403 Forbidden.
