Securing a Web site with the proper file permissions

O.K. so you have Apache all set up and serving to the files all the files in your /www folder (or wherever). The question is, what would be the appropriate file permissions. This entry assumes you already know how Unix file permissions work and how to change them).

Setting the permissions is a three-part process. One part would be for the directories, and the second part for the files themselves. The third part is to deal with the exceptions.

With directories, the common wisdom seems to be to use "rwx--x--x", or "711" numerically speaking. This means all visitors can access documents within the directories, but can't view or write to the directories themselves (if, for some reason, you wish to expose the contents of the directories, use "rwxr-xr-x" --or "755").

In order to recursively change all the directories in your Web folder, you would use this command, from the root directory for your Web site:

find . -type d -exec chmod 711 {} \;
Thanks to the Movable Tripe for providing the above command.

For extra-added protection, you may want to place an index.html file of some sort in each directory. Then, if for some reason the directory permissions get changed to where outside folks can read them, when someone just enters the directory name in the browser (i.e. "http://www.site.com/DirectoryName"), then what will be returned will be the contents of the index.html file, rather than a listing of the directory.

Individual files, or Web pages should have a permission setting of "rwxr--r--" ("744"), which gives the owner full read, write and execute privileges, though others only read permissions. The command from the home directory to change all file permissions, but not directories, would be:

find . -type f -exec chmod 744 {} \;
Thanks again, Movable Triple

Finally, there are exceptions you should consider, depending on what advanced functionality you have on your site. First, there is PHP to think about: While PHP files work with the above permission sets, if you write to a ext file on the site, write permission needs to be added to those files.

Secondly, there is blog software, which in most cases requires residency in your Web directory structure, and needs write and execute permissions in certain places. Wikis also require some write permissions in selected folders.

Finally, please keep in mind that this post does not take into consideration issues of who owns the files (the file "owner") or groups. That is a topic for another post

Back