WebRoot Permissions (chown -R www-data:www-data mydir)
fresher_06 Member
edited November 2012 in Help

I have installed nginx on a Debian 6 server by creating a demo user with sudo rights and disabling root, using the script - http://www.lowendtalk.com/discussion/3965/leb-setup-script-for-debian-6-vps-nginx-mysql-iptables-etc/p1

But I am confused as to what the permissions of the directories within the Webroot at /var/www/mysite/public/mymainsitedirectory should be.

I have logged in using the demo user. Do I then need to do

sudo chown -R www-data:www-data mymainsitedirectory

which will change the ownership of all the files/directories within mymainsitedirectory?

Is this the right way? Or am I missing something?

Comments

  • sudo chmod -R 777 /var/www
    
  • kbeezie Member
    edited November 2012

    777 recursively = jackpot... just not for you, but for anyone looking to exploit you.

    In a nutshell, 777 is a cop-out and you should learn to use permissions properly.

  • kbeezie Member
    edited November 2012

    @fresher_06 with regard to the web root, what I usually like to do on a system such as Debian is:

    1) Create an unprivileged user, this could be say 'karl' or whatever, and make them belong to the www-data group, so that if I were to log in as karl and create a web root in say /home/karl/www/, all the files will be owned by karl:www-data.
    2) Set up nginx as the user www-data in nginx.conf
    3) Set up PHP-FPM to run as www-data
    4) Place your files in /home/karl/www/[domain name maybe]/public_html/, upload as 'karl' so you don't have to chown everything again.

    By default folder permissions are typically 0755 (owner can execute/read/write, group can read/execute, other can read/execute), but in this setup it could be 750.

    By default files are 644 (owner can read/write, group can read, other can read).

    When you want to grant access to, say, php-fpm, since it is running as www-data (say for example you need to make a folder writable), you would change from the default 644 to 664; now both owner and group can write to it, but other (outside of the owner [karl] and group [www-data]) cannot write to it (short of, say, root or those in the wheel group).

    Octals are basically:
    1 = execute, 2 = write, 4 = read, 0 = none
    7 = 1 + 2 + 4 = execute + write + read

    Also, the reason for number 1 above is that if you use an SFTP client or such to log in to make changes to your files (i.e. root should never be left open; password authentication should normally be off for root), then if someone were to gain access to the 'karl' login they could only affect the files owned by that user, as opposed to, say, what root owns. It's not just PHP scripts to worry about.
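    The following script applies the layout from steps 1 to 4 above (owner = the unprivileged upload user, group www-data, directories 750, files 644, with one subtree that PHP-FPM may write into) and counts world-writable entries, which is what the recursive 777 from the first comment produces. It is an added example, not code from the thread; the user name 'karl' and the writable subtree path are assumptions, and chown only runs when invoked as root on a host where the www-data group exists.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: upload user 'karl',
# group www-data, writable subtree passed explicitly (e.g. public_html/uploads).
set -e

# set_webroot_perms WEBROOT OWNER [WRITABLE_SUBDIR]
set_webroot_perms() {
    root="$1"; owner="$2"; writable="${3:-}"
    [ -d "$root" ] || return 1
    # Ownership change needs root and an existing www-data group; the mode
    # settings below can be exercised by any user on a scratch directory.
    if [ "$(id -u)" -eq 0 ] && getent group www-data >/dev/null 2>&1; then
        chown -R "$owner:www-data" "$root"
    fi
    find "$root" -type d -exec chmod 750 {} +   # owner rwx, group rx, other none
    find "$root" -type f -exec chmod 644 {} +   # owner rw, group r, other r
    if [ -n "$writable" ] && [ -d "$root/$writable" ]; then
        # www-data needs write on files (664) and write+execute on dirs (770)
        find "$root/$writable" -type d -exec chmod 770 {} +
        find "$root/$writable" -type f -exec chmod 664 {} +
    fi
}

# Audit helpers: entries writable by 'other' (the 777 problem), and entries
# of TYPE (d or f) under DIR whose mode is not exactly MODE.
count_world_writable() { find "$1" -perm -0002 | wc -l | tr -d ' '; }
count_not_mode() { find "$1" -type "$2" ! -perm "$3" | wc -l | tr -d ' '; }

# Demo on a constructed scratch tree; no real web root is touched.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/public_html/uploads"
    echo '<?php echo 1;' > "$d/public_html/index.php"
    : > "$d/public_html/uploads/cache.dat"
    chmod -R 777 "$d"                      # the state 'chmod -R 777' leaves behind
    echo "world-writable before: $(count_world_writable "$d")"
    set_webroot_perms "$d" karl public_html/uploads
    echo "world-writable after:  $(count_world_writable "$d")"
    rm -rf "$d"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

    Run it with `--demo` to see the counts on a scratch tree, or call set_webroot_perms from a deploy script and count_world_writable from cron as a standing check.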
