Here’s where I’m currently at re: file permissions for web directories on Linux, based on having commissioned a few VPS accounts and ripping off this Serverfault post. As root/superuser, all together now:
# Create new user (-m creates /home/web-admin owned by them; implicitly creates
# a new web-admin group, too). This is the user who'll SFTP files to the server.
useradd -m web-admin

# Allow web-admin to become superuser... maybe they're the only account that
# can SSH in from remote?
adduser web-admin sudo

# Add password
passwd web-admin

# Hop over to where your web files are stored
cd /var/www

# Set your website directory's OWNER to your new user
chown -R web-admin mysite-directory

# Set your website directory's owning GROUP to www-data (so Apache can access it).
# Use ps to find out what group Apache actually runs as; it's defined by the
# User/Group directives reachable from /etc/apache2/apache2.conf.
ps aux | grep apache   # or maybe .... grep httpd?
chgrp -R www-data mysite-directory

# Set permissions of all files/folders to owner -> all, group -> read-only, anon -> NONE
chmod -R 750 mysite-directory

# Make files/directories created within mysite-directory inherit the DIRECTORY'S
# owning group (www-data) rather than the primary group of the user who creates them.
# This means user web-admin can upload, and group www-data can read.
# setgid belongs on directories only: "chmod -R g+s" would also mark regular
# files setgid, which means something else entirely.
find mysite-directory -type d -exec chmod g+s {} +

# Enable group write on file upload directories
chmod -R g+w mysite-directory/application/file-uploads

# Use umask to lock down default permissions of created files (new files 640,
# new directories 750). This only affects the current shell: put it in web-admin's
# shell profile (and check your SFTP server's umask setting) to make it stick.
umask 027
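To see the scheme working end to end, here is an added example (my own, not code from the post above or from the Serverfault answer it draws on). It applies the same 750 / setgid-on-directories / group-write-on-uploads layout to a throwaway tree and then audits it for the deviations that matter: anything world-accessible, group-writable files outside the upload directory, setgid on regular files, and directories that forgot setgid. It runs unprivileged, so the chown/chgrp steps are left out; the site layout, file names and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: apply the permission scheme to a
# throwaway site tree and audit the result. Needs neither root nor the
# web-admin / www-data accounts, so the owner/group steps are omitted.
# Directory names and file contents are constructed for the demo.

# apply_site_perms SITEDIR UPLOADDIR
# 750 everywhere, setgid on directories only, group write only under uploads.
apply_site_perms() {
    site="$1"; uploads="$2"
    chmod -R 750 "$site"
    # setgid on a directory makes new entries inherit its group;
    # a setgid regular file is a different (and unwanted) thing, so no "-R g+s"
    find "$site" -type d -exec chmod g+s {} +
    chmod -R g+w "$uploads"
}

# list_perm_problems SITEDIR UPLOADDIR
# Prints one line per entry that deviates from the scheme; nothing when clean.
list_perm_problems() {
    site="$1"; uploads="$2"
    # anything "other" can read, write, or execute/search
    find "$site" \( -perm -004 -o -perm -002 -o -perm -001 \) | sed 's/^/world-accessible: /'
    # group-writable entries anywhere except the upload tree
    find "$site" -path "$uploads" -prune -o -perm -020 -print | sed 's/^/group-writable outside uploads: /'
    # setgid on a regular file
    find "$site" -type f -perm -2000 | sed 's/^/setgid regular file: /'
    # directory that would hand new files the uploader's primary group instead
    find "$site" -type d ! -perm -2000 | sed 's/^/directory without setgid: /'
}

# site_perms_ok SITEDIR UPLOADDIR: exit status 0 when the audit finds nothing
site_perms_ok() {
    [ -z "$(list_perm_problems "$1" "$2")" ]
}

# create_under_umask FILE: what an upload or editor save looks like with the
# post's umask 027 in force (0666 & ~027 = 0640)
create_under_umask() {
    ( umask 027; : > "$1" )
}

# make_sample_site SITEDIR: a small constructed tree in the sloppy state an
# unpacked tarball or a "chmod -R 777" quick fix leaves behind
make_sample_site() {
    site="$1"
    mkdir -p "$site/application/file-uploads"
    printf '<?php echo "hello";\n' > "$site/index.php"
    printf 'db_password=constructed-sample\n' > "$site/application/config.php"
    : > "$site/application/file-uploads/avatar.png"
    chmod -R 777 "$site"
}

demo() {
    tmp=$(mktemp -d); site="$tmp/mysite"; uploads="$site/application/file-uploads"
    make_sample_site "$site"
    echo "--- before:"; list_perm_problems "$site" "$uploads"
    apply_site_perms "$site" "$uploads"
    create_under_umask "$uploads/new-upload.txt"
    echo "--- after:"; list_perm_problems "$site" "$uploads"
    site_perms_ok "$site" "$uploads" && echo "site tree matches the scheme"
    rm -rf "$tmp"
}

demo
```

Run it as-is to watch the before/after audit on the constructed tree; to check a real deployment, call list_perm_problems with the site directory and its upload directory (for the post's layout, /var/www/mysite-directory and /var/www/mysite-directory/application/file-uploads). The "world-accessible" and "group-writable outside uploads" lines are the ones worth wiring into a cron job, since a single stray chmod 777 during a late-night fix is how these schemes usually decay.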
Whoever wrote the Serverfault post I ripped this off of, is super-cool.