How do I set permissions for a web server directory?

Projects NGINX
,
1

Hello,
I have three websites that exist in the following directory:

$ ls /var/www/html/
branch-view  portal  portal-view

The portal directory is the Laravel project and the other two are React. In Laravel project, the user has to upload the file and its directory is /var/www/html/portal/storage.

I did:

# /sbin/usermod -aG www-data devops
# chmod -R g+w /var/www/html
# chmod g+w /var/www/html/*
# chmod -R 777 /var/www/html/portal/storage
# newgrp www-data

On the internet I found the following advice:

Assign the Nginx user as the owner of your website files:

# chown -R www-data:www-data /var/www/html

Directories: 755 (read/execute for others):

# find /var/www/html -type d -exec chmod 755 {} \;

Files: 644 (read-only for others)

# find /var/www/html -type f -exec chmod 644 {} \;

How do I apply the correct permission?

Thank you.

1 Like
2

Hi there! I’ve moved your post over to "How Do I...?" so that you are more likely to receive the help needed. Thanks!

3

Let me try to see if I can shed any light. Note: I am not and NGINX guru nor a Laravel guru.

NGINX will need to read and serve all files. Laravel (PHP-FPM) has to read and serve the storage directory. At the same time, we need to think about security and DevOps access.

You added devops to the www-data group.
You gave full write permission to all the files and directories. This might be a security risk.
You gave everyone open permissions to storage. This is not optimal.
The newgrp command does not affect NGINX (practical for terminal access, though).

So, changing things around, you can try:

  1. Set the correct ownership
    sudo chown -R www-data:www-data /var/www/html

  2. Set base permissions for directories (owner: rwx, group: rx, others: rx)
    sudo find /var/www/html -type d -exec chmod 755 {} \;

  3. Set base permissions for files (owner: rw, group: r, others: r)
    sudo find /var/www/html -type f -exec chmod 644 {} \;

  4. Grant write permissions for Laravel’s storage directory (owner/group: rwx, others: rx)
    sudo chmod -R 775 /var/www/html/portal/storage

  5. Make all directories executable for the web server (important for navigation)
    This was implicitly handled by 755 for directories, but it’s good to double-check
    sudo find /var/www/html -type d -exec chmod a+x {} \;

  6. Allow devops user (via www-data group) to write to website files
    This makes directories have rwx for group and files have rw for group
    sudo find /var/www/html -type d -exec chmod g+w {} \;
    sudo find /var/www/html -type f -exec chmod g+w {} \;

Optional: Set the setgid bit on directories so new files/dirs inherit the www-data group
sudo find /var/www/html -type d -exec chmod g+s {} \;

Restart NGINX and Laravel.

Please let me know if this works or if there are any other blockers.

davemc

1 Like
4

Hello,
Thank you so much for your reply.
I will test it and inform you.

1 Like
5

Hello,
I did:

$ sudo chown -R www-data:www-data /var/www/html
$ sudo find /var/www/html/branch-view -type d -exec chmod 755 {} \;
$ sudo find /var/www/html/branch-view -type f -exec chmod 644 {} \;
$ sudo find /var/www/html/branch-view -type d -exec chmod a+x {} \;
$ sudo find /var/www/html/branch-view -type d -exec chmod g+w {} \;
$ sudo find /var/www/html/branch-view -type f -exec chmod g+w {} \;
$ sudo find /var/www/html/branch-view -type d -exec chmod g+s {} \;

After this, the permission is as follows:

$ ls -l
total 12
drwxrwxr-x 16 www-data www-data 4096 Jun  1 22:58 branch-view

Then:

$ nohup npm run dev > next.log 2>&1 &
$ cat next.log 
nohup: ignoring input

> vristo-next@0.1.0 dev
> next dev -p 3001

sh: 1: next: Permission denied

This means the permission was not applied correctly:

$ ls -l /var/www/html/branch-view/node_modules/.bin/next
lrwxrwxrwx 1 www-data www-data 21 May 31 23:10 /var/www/html/branch-view/node_modules/.bin/next -> ../next/dist/bin/next

I used the following command to fix the problem:

$ sudo chmod +x /var/www/html/branch-view/node_modules/.bin/next
1 Like
6

Did this correct your problem, and are you now able to run?

davemc

2 Likes
7

Hello,
Thanks again.
Yes. In your opinion, is everything OK?

1 Like
8

As far as I can tell.

Glad it all worked out. And I hope to see you around the forum again!

davemc

2 Likes
9

Hello,
Thanks again.
What happens if the permissions of the files and directories are root or devops? For example:

$ ls -l
total 12
drwxrwxr-x 16 root root 4096 Jun  1 22:58 branch-view

Can’t users view the website through a browser?

10

If NGINX can read the files, users should be able to view the website from any browser. Whether that can happen if you set the permissions to root or devops fundamentally depends on how you setup your user/group permissions.

2 Likes
11

Hello,
Thank you so much.

12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.