Apache www permissions for php script


It very much depends on your CMS.

I actually really do not like 99% of the CMS available out there. All their PHP files go in the public Apache tree which means clients have access to them. That's not safe. These should be in a place where the client cannot access them. That being said, the index.php needs to be public (obviously?) and a few other files, depending on your CMS. Everything else could be in a folder that Apache does not give access to the client. Then the permissions become much less problematic.

Say you have a folder named public_html where Apache has access, you could have a structure that looks like this:

/var/www/example.com
/var/www/example.com/php  -- put your PHP scripts here
/var/www/example.com/data  -- whatever data files (XML, templates, non-public)
/var/www/example.com/public_html  -- only folder accessible by Apache
/var/www/example.com/public_html/index.php  -- the PHP that handles the CMS

Now... The ownership, unless you use a CMS like WordPress which wants to auto-update itself, the files need to be writable by the Apache2 user (www-data for Ubuntu). In all other cases, you should set the user and group to a different user than www-data and make sure that Apache does NOT have permission to modify those files. Make sure it can read them (maybe other has the 'r' for files (644) and 'r-x' for directories (755).)

Say you use rsync to do your updates and give rsync permission to write files as user www. Now you could make all those files be owned by www and not www-data and the update will work just fine.

Obviously, if you have an upload feature which saves files to your web server, then that directory needs to be writable by www-data. Also those files should be backed up (like your database) since they are accessible (read as: hackable) by clients. Since you have an intranet, it may be less of a concern, although most large businesses report that most of their data losses are because of staff working there and not hackers from the outside. Something to keep in mind.

Something like this would work for such files:

mkdir /var/www/example.com/public_html/download
chown www-data:www-data /var/www/example.com/public_html/download
chmod 775 /var/www/example.com/public_html/download

The path to those files can be different as the CMS sees fit, although the actual files could be in one large directory (it is fast whatever the number of files).
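
An added example, not part of the original answer: a shell sketch that applies the modes described above to the example layout and then lists whatever the web server could still modify outside the upload directory. The function names and the `DEPLOY_OWNER`/`WEB_OWNER` variables are assumptions (the `www` account is the rsync user the answer mentions); ownership is changed only when run as root, and ACLs are not inspected.

```shell
#!/bin/sh
# Added example, not from the original answer. Layout as in the answer:
# SITE/php, SITE/data, SITE/public_html, plus one upload directory.
DEPLOY_OWNER=${DEPLOY_OWNER:-www:www}        # assumed deploy account (the rsync user)
WEB_OWNER=${WEB_OWNER:-www-data:www-data}    # Apache user and group on Ubuntu

# harden_site SITE UPLOAD_DIR
# Files become 644, directories 755, the upload directory 775.
harden_site() {
    site=$1; upload=$2
    find "$site" -type d -exec chmod 755 {} +
    find "$site" -type f -exec chmod 644 {} +
    chmod 775 "$upload"
    # chown needs root; as any other user only the mode bits are changed.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$DEPLOY_OWNER" "$site"
        chown -R "$WEB_OWNER" "$upload"
    fi
}

# audit_site SITE UPLOAD_DIR [USER]
# Prints every path outside UPLOAD_DIR that is owned by USER (name or numeric
# uid, default: the user part of WEB_OWNER) or is group- or world-writable.
# The group test is conservative: it flags any group write bit, whatever the
# group. Symlinks' own mode bits are ignored. UPLOAD_DIR must be written the
# way find prints it (SITE/...). No output means nothing outside UPLOAD_DIR
# is writable by USER through ownership or mode bits.
audit_site() {
    site=$1; upload=$2; user=${3:-${WEB_OWNER%%:*}}
    find "$site" -path "$upload" -prune -o \
        \( -user "$user" -o ! -type l \( -perm -020 -o -perm -002 \) \) -print
}
```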

Author by

Phatair

Updated on September 18, 2022

Comments

  • Phatair
    Phatair over 1 year

    I have a PHP script which runs a private social network. It's running on Ubuntu 16.04.03 with a MariaDB, Apache 2 and PHP 7 config.

    I have created a new folder in /var/www/myscript and copied all files in this folder.

    My question is now, what permissions are necessary to make the config safe. Is it safe to set all files to 640 and all folders to 750 and owner and user to www-data?

    I found this tutorial, http://fideloper.com/user-group-permissions-chmod-apache The permissions look different; are these permissions good, too?

    It would be great if someone can help me. Thank you very much. Best regards