File Permissions for Apache (Ubuntu, Linux)

I find myself Googling this all the time – setting permissions and users/groups for the /var/www folder of a LAMP install.  Also, I break down some of the terminal commands a little.  In my experience, many web developers tend to touch the command line every so often but never get really comfortable understanding what they are actually doing. So here we go, for my benefit and yours:

Find your main user name (the one you will SSH and SFTP with). For AWS (my most commonly used) with an Ubuntu EC2 install, it is ‘ubuntu’, and for Vagrant boxes it is ‘vagrant’.

We need to add this user to the www-data group so they can share permissions.  Apache runs in the www-data group, and Apache’s ‘run as’ user will be the one creating and executing files within the /var/www folder (read: uploads, online edits, etc).  We also use sudo with all this to avoid any permissions errors before setup is complete.

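The command usermod allows us to change users’ settings. The flag -a means ‘append’ and must be used in conjunction with -G (list of groups); without -a, -G replaces the user’s existing supplementary groups instead of adding to them. After -G we give the group name, then the user we are modifying. The new membership takes effect the next time that user logs in: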

sudo usermod -a -G [group-name] [user-name]

For AWS with Ubuntu:

sudo usermod -a -G www-data ubuntu

Next, we need to change group ownership of the /var/www folder (and everything inside it) to www-data (so we can all share permissions within the group). The command chgrp performs this task, with the flag -R to apply the group recursively, followed by the group name and then the folder we are applying it to:

sudo chgrp -R www-data /var/www

Finally, set permissions on folders and files for everything in the /var/www folder. We will use 644 for files and 755 for directories (this is standard). If you need special permissions, run these commands first, then apply special permissions to whichever files and directories need it after the fact.

We use the command chmod to perform this action (we will use numeric permissions, as I prefer this method). However, chmod has a caveat: it has a -R recursive flag, but we want to apply different permissions depending on whether we are working with a folder or a file. With numeric permissions, chmod cannot differentiate between files and folders, so instead we use the find command with its -exec action.

Reading from left to right, the logic is to find everything in /var/www that is a particular type (a filter flag for find, -type, followed by d for directory or f for file), then execute an arbitrary (inline) command on it. We will execute chmod, setting our permissions accordingly.

sudo find /var/www -type d -exec chmod 755 "{}" \;
sudo find /var/www -type f -exec chmod 644 "{}" \;

That last bit with the quotes and curly braces tells -exec where to substitute the current path, which changes as find loops and executes the chmod command on every search result. The escaped semicolon (\;) marks the end of the command given to -exec. So say find reaches /var/www/index.php. Then -exec runs:

chmod 644 /var/www/index.php

Since the entire find command is run with sudo, the chmod it launches also runs as root, so the effect is the same as:

sudo chmod 644 /var/www/index.php

There you have it, permissions are ready to go.
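
A read-only check for the result of the steps above, as an added example rather than part of the original post: it lists every path under a web root that deviates from group www-data, 755 directories and 644 files, and tags world-writable paths separately. The function name audit_webroot and the output tags are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a web root against the scheme described above
# (group www-data, directories 755, regular files 644).
# It only reads metadata and changes nothing.

# audit_webroot ROOT [GROUP]
# Prints one "TAG<TAB>path" line per deviation; prints nothing if ROOT is clean.
# GROUP may be a group name or a numeric gid (default: www-data).
audit_webroot() {
    root=$1
    group=${2:-www-data}

    # Directories whose mode is not exactly 755 (also catches setgid/sticky bits).
    find "$root" -type d ! -perm 755 -exec printf 'DIR_MODE\t%s\n' {} +

    # Regular files whose mode is not exactly 644 (executable or setuid files show up here).
    find "$root" -type f ! -perm 644 -exec printf 'FILE_MODE\t%s\n' {} +

    # Anything the recursive chgrp missed, or that was created later
    # by a process running with a different primary group.
    find "$root" ! -group "$group" -exec printf 'GROUP\t%s\n' {} +

    # World-writable paths get their own tag because any local account
    # can modify them. Symlinks are skipped: their own mode bits are not used.
    find "$root" ! -type l -perm -0002 -exec printf 'WORLD_WRITABLE\t%s\n' {} +
}

# Stand-alone use: sh audit.sh /var/www [group]
if [ "$#" -gt 0 ]; then
    audit_webroot "$@"
fi
```

Run it again after any deploy or upload-handling change; an empty result means the tree still matches the 644/755 scheme.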