As a self-taught server maintainer, often times I have to set up a server for my websites. During my early years, I have a difficulty on determining which file/folder permission to use on particular files. At first, using root account to manage web server files was what crossed my mind, but then I gave up the idea because using root is SUPER BAD practice, not just as administrator, but also as a user. Not until later that I finally found a simple formula on how to cope up with this problem.
In this article, I would first emphasize that your server is Linux, preferably Debian based, but should work for most other linux server distribution. Server software can be using NGINX, APACHE, LITESPEED, or others.
Oh, you need to first understand the concept of ownership in linux, if not, well just wait, I might explain it later on separate articles.
Lets agree on the background condition first. Lets say that your web server path is /webserver/www/mywebsites.com/ , files will vary from .php, .html, .css, .jpeg, etc. Your username is sovereign, and you're a member of group www-data (a commonly group who have access to web files inside your webserver)
You can not change what you don't have. So the first thing to do is to change ownership of your web directory. For this case, we put:
chown -R sovereign /webserver/www/mywebsites.com/
This command will (-R) recursively give ownership of the whole directory and all it's content, to user named sovereign, you may use ls -al inside the directory to check if the command has been executed successively.
Grant the Universe
Next, you need to change group owner, to be the same as web server's group owner.
chgrp -R www-data /webserver/www/mywebsites.com/
In this command, the whole directory and it's contents, will belong to group www-data.
Laying out Foundation
Next, setting out the base permission for all files.
chmod -R 750 /webserver/www/mywebsites.com/
This command sets the permissions: read, write and execute (7) for user owner (sovereign), whilst read and execute (5) for the group owner (www-data), and for the others, we ain't giving nothing for them (0).
Reaffirm the Foundation
Now we make sure that all files/folders created within the directory, will take on the group ownership of the parent folder, in which the owner of new files nor folders will always be sovereign, and the group owner will always be www-data, with this command
chmod g+s /webserver/www/mywebsites.com/
The universe is yours.
Is that it? well practically the foundation for a proper web files and folders has been set. Now all you need to do is to modify which folders need particularly different set of permission. Let's take an example if you have folder image and want your visitor to be able to upload image into it, use:
chmod g+w /webserver/www/mywebsites.com/image
The command above, grants webserver an additional "write" permission towards your "image" folder.
CAUTION: on some cases, apparently on most cases, you (or your user, thus, sovereign) don't even have the rights to execute the very first command above, and that is where you need the help of
root account or simply add
sudo in the beginning of each command. Remember, use
sudo with high caution, make sure all command, spaces, capitals, hypens, are on the right and intended place before you hit ENTER.
That's all folks, at least for now. Oh, check out an in-depth reading at Servervault.