WebRoot Permissions (chown -R www-data:www-data mydir)
fresher_06
Member
I have installed nginx by creating a demo user with sudo rights and disabling root on a Debian 6 server, using the script - http://www.lowendtalk.com/discussion/3965/leb-setup-script-for-debian-6-vps-nginx-mysql-iptables-etc/p1
But I am confused as to what the permissions of the directories within the webroot at /var/www/mysite/public/mymainsitedirectory should be.
I have logged in using the demo user; do I then need to do
sudo chown -R www-data:www-data mymainsitedirectory
, which will change the ownership of all the files/directories within mymainsitedirectory?
Is this the right way? Or am I missing something..
Comments
777 recursively = jackpot... just not for you, but for anyone looking to exploit you.
In a nutshell, 777 is a copout and you should learn to use permissions properly.
@fresher_06 in regards to the web root, what I usually like to do on a system such as debian is:
1) Create an unprivileged user, this could be say 'karl' or whatever, and make them belong to the www-data group. So if I were to log in as karl and create a web root in say /home/karl/www/, all the files will be owned by karl:www-data.
2) Set up nginx as the user www-data in nginx.conf
3) Set up PHP-FPM to run as www-data
4) Place your files in /home/karl/www/[domain name maybe]/public_html/, upload as 'karl' so you don't have to chown everything again.
By default folder permissions are typically 0755 (owner can execute/read/write, group can read/execute, other can read/execute), but in this setup it could be 750.
By default files are 644 (owner can read/write, group can read, other can read).
When you want to grant something to, say, php-fpm (since it is running as www-data), for example because you need to make a folder writable, you would change from the default 644 to 664. Now both owner and group can write to it, but other (anyone outside the owner [karl] and group [www-data]) cannot write to it, short of root or those in the wheel group.
Octal digits are basically:
1 = execute, 2 = write, 4 = read, 0 = none
7 = 1 + 2 + 4 = execute + write + read
Also, the reason for number 1 above: if you use an SFTP client or such to log in and make changes to your files (i.e. root should never be left open, and password authentication should normally be off for root), then if someone were to gain access to the 'karl' login they could only affect the files owned by that user, as opposed to what root owns. It's not just PHP scripts to worry about.
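The layout the comment above describes (files owned by the upload user with group www-data, 750 directories, 644 files, and group write only on the one folder PHP-FPM must write to), as an added shell example that is not from the thread. The demo runs on a constructed tree in a temp directory, with the current user and group standing in for karl:www-data so it works without root; stat -c assumes GNU coreutils.

```shell
#!/bin/sh
set -eu

# set_webroot_perms ROOT OWNER GROUP [WRITABLE_SUBDIR]
# ROOT is the web root, OWNER the upload user (the thread's 'karl'),
# GROUP the group nginx/php-fpm run as (www-data), WRITABLE_SUBDIR an
# optional directory relative to ROOT that php-fpm needs to write into.
set_webroot_perms() {
    root=$1; owner=$2; group=$3; writable=${4:-}
    # Owned by the upload user, group www-data: uploads as that user need no chown.
    chown -R "$owner:$group" "$root"
    # Directories 750: owner rwx, group rx (the server can traverse), other nothing.
    find "$root" -type d -exec chmod 750 {} +
    # Files 644, the thread's default.
    find "$root" -type f -exec chmod 644 {} +
    # Only the explicitly writable folder gets group write: a directory needs
    # w+x for the group to create files in it (770), files inside become 664.
    if [ -n "$writable" ]; then
        find "$root/$writable" -type d -exec chmod 770 {} +
        find "$root/$writable" -type f -exec chmod 664 {} +
    fi
}

# mode_of PATH -> octal permission bits, e.g. 750 (GNU stat)
mode_of() { stat -c '%a' "$1"; }

# world_writable ROOT -> lists anything writable by "other"; expected empty
world_writable() { find "$1" -perm -002; }

# Demo on a constructed tree; prints the modes of root, a PHP file,
# the writable folder and a file inside it, then the world-writable count.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/public_html/uploads"
    printf '<?php echo 1;\n' > "$tmp/public_html/index.php"
    : > "$tmp/public_html/uploads/img.png"
    chmod -R 777 "$tmp/public_html"          # the "jackpot" starting point
    set_webroot_perms "$tmp/public_html" "$(id -un)" "$(id -gn)" uploads
    printf '%s %s %s %s %s\n' \
        "$(mode_of "$tmp/public_html")" \
        "$(mode_of "$tmp/public_html/index.php")" \
        "$(mode_of "$tmp/public_html/uploads")" \
        "$(mode_of "$tmp/public_html/uploads/img.png")" \
        "$(world_writable "$tmp/public_html" | wc -l | tr -d ' ')"
    rm -rf "$tmp"
}
```

Running demo prints "750 644 770 664 0": nothing under the root stays writable by "other", and only the uploads folder is group-writable.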