Apache folder permissions

You should never have to run a website out of your home directoryEVER. You would otherwise have to give the web server the ability to traverse through /home/ to see the directory structure, but also into /home/$USER/ (your user’s home directory, where we can try and see what else exists in your user directory), as well as any other subfolders in there. A poorly-configured or misconfigured or unpatched web server can cause massive data leakage this way, or loss of credentials and such which would put your personal data and logins on different things at risk. The symlink approach you are using doesn’t help either for the same reason as trying to give Apache permissions to read /home/andre/www/moodle – the web server has to be able to traverse your home directory to get to the location that the symlink in /var/www/html points to, which still poses that security risk.

Firstly, use sudo cp -r /home/andre/www/moodle/ /var/www/html/. This will copy your files to /var/www/html, and keep it away from your own home directory. We’ll then redo the permissions so you and the web server can access everything in that directory, and give your user full read/write to all the files and directories. Then, you will only ever have to work out of /var/www/html for your site.

This is in effect, four steps, after you copy your data back to /var/www/html:

  1. Give Apache access to the folders and files, so it can serve the site without 403 errors.
  2. Give your user ‘owner’ over the files and folders, and give yourself read/write on all of the files and folders, as well as the ability to traverse the directories.
  3. (Optional but recommended) Set it up such that any files or folders created from hereon in the entirety of the directory structure has the group set to be www-data.
  4. (Optional) Final security cleanup, where we set up permissions so you and the web server can see the site data, but other users cannot access files or the directory structure for the site.

(1) Allow Apache access to the folders and the files.

sudo chgrp -R www-data /var/www/html
sudo find /var/www/html -type d -exec chmod g+rx {} +
sudo find /var/www/html -type f -exec chmod g+r {} +

This recursively sets the ‘group’ to be www-data for the folders and files. This then gives the web server permission to recurse and get access to the site document root directories structure (+x for directories only). It then also ensures the web server has read permissions for all files, so site data can be received.

There may be some cases where you have to give the web server write permission to a file, or to a directory – this can be achieved by doing sudo chmod g+w /var/www/html/PATH (where PATH is the path to the file or folder in the directory structure where you need to apply the write permissions for the web server).

NOTICE: There are a lot of cases where this may expose ‘secure’ information about a site configuration (such as database access credentials, etc.), and you should remove ‘other’ access permissions to that data on those individual files or directories with the following: sudo chmod o-rwx /var/www/html/FILEPATH (replacing FILEPATH with the path relative to the /var/www/html folder for the file).

Note also that you may have to re-run these commands in the future if ‘new files’ get 403 issues, in order to give correct permissions to the web server to keep being able to access files and folders that are created or copied in and aren’t getting the www-data group set correctly.


(2) Give your owner read/write privileges to the folders and the files, and permit folder access to traverse the directory structure.

sudo chown -R USER /var/www/html/
sudo find /var/www/html -type d -exec chmod u+rwx {} +
sudo find /var/www/html -type f -exec chmod u+rw {} +

Replace USER in the first command with your own username!

We do three things here. First, we set your user to be the “Owner” of all the files and directories in /var/www/html. Next, we set read and write permissions on the folders, and permit you to access the folders to go into them (the +x item on the directory items). We then set all the files to have read/write permissions for the owner, which we just set.


(3) (Optional) Make sure every new file after this is created with www-data as the ‘access’ user.

sudo find /var/www/html -type d -exec chmod g+s {} +

This sets the “set gid” bit for the group on the directories. Files and folders created inside these directories will always have www-data as the group, permitting the web server access.


(4) (Optional) Final security cleanup, if you don’t want other users to be able to see the data

We need your user to see the directories and files. We need the web-server to do so too. We may not want other system users (except root) to see the data. So lets not give them that access, and make it so only your user and the web server can see the data.

sudo chmod -R o-rwx /var/www/html/

NOTE: You will not have to re-run this at a later time, or edit the permissions for the ‘other’ category of permissions here. If the ‘other’ users can’t get to /var/www/html/ (they don’t have the necessary +x bit on /var/www/html to traverse the filestructure and directory structure, nor the +r bit to read the file lists), then the permissions on items underneath that directory for other users or groups isn’t really going to matter too much.


There is a slightly less invasive solution to this, as well, though it’s not guaranteed to work for all new files, nor is it guaranteed to work on all file systems, involving file access control lists. This lets you leave ownership of the files with www-data for things, but gives you effective owner rights, for all intents and purposes, even though you don’t personally own the files.

This solution is a little less invasive, and lets you have a directory and all files within owned by www-data:www-data or root:www-data but also give yourself access. It uses Access Control Lists, which lets you have multiple users have permissions without setting up individual groups. This also lets the root or www-data system users own files, but also lets you add additional permissions on a case-by-case basis, and fine-tune permissions for certain users so they can read things but not edit, and such.

Assuming we’re still working with /var/www/html/, and we don’t want snooping users other than us and the system (and root of course) to see our data, we’ll need to do the following things:

  1. Give ownership back to the webserver system user www-data.
sudo chown -R www-data:www-data /var/www/html
  1. Recursively give you read/write on the files, while giving other users (excluding www-data and root of course) no access to the files.
sudo find /var/www/html -type f -exec setfacl -m u:YOURUSERNAME:rw -m other::--- {} \;
  1. Recursively give yourself read/write/traverse on the directories, remove access to the folders for other users (excluding www-data and root) and set this as the ‘default’ ACL for new files in the directories.
sudo find /var/www/html -type d -exec setfacl -d -m u:YOURUSERNAME:rwx -m o::--- {} \;
  1. We also need to set the setgid bit for all directories, so that if you create a file the webserver can still access it as www-data via group permissions.
sudo find /var/www/html -type d -exec chmod g+x {} \;

And now you’ve got access to all the directories, and you didn’t have to take access away from www-data which helps as the webserver can still create files everywhere as it needs to (such as PHP based frontends having their own cache directories and such needing to be created and written to for proper operation).

The only caveat: If you manually create new files, you need to chown them accordingly to give ownership to the webserver. That’s a simple sudo chown www-data:www-data filename, and the access control lists should still let you have effective owner rights to the file.

There are multiple cases where I’ve had to do this as a sysadmin for some type of non-standard access without changing the owners of a given file. This works, but has its own headaches, as not every file system supports file access lists.

Advertisements