I have a CodeIgniter app running in production on Apache 2.2 with PHP 5.3 on Ubuntu 11.10. I am also running PHP5-APC, if that matters. So the app runs as www-data:www-data per the default Apache2 install.
I am trying to figure out what to set my file permissions to. Many threads on SO seem to prefer 755 for directories and 644 for files. There is one directory that must allow files to be uploaded to it.
Currently my deployment script does something like this:
- wipe old site
- copy new site over
- chmod -R 000 on the new site
- chmod all directories to 500
- chmod all files to 400
- chmod 700 on the upload directory
Everything seems to work fine. I can upload files and so on. So I don’t understand why people suggest 644 for files – I have a config file that has passwords and API keys – why would I want ‘others’ to have read-access to it?
What am I misunderstanding?
Well, mainly the 644 permission is meant for when you have /var/www/site1.com with a different user and group set than www-data, because then the 644 would allow other groups and users to read from that file, but will allow the owner of the file to read and write.
As by default the user that uploads files and runs Apache’s processes is www-data, I honestly think that if it works for you and you have no issues, it’s great because it means a little more security.
Update
Just a small security issue is that www-data has become a very common user and group for http services to run their processes. I would much recommend that each site/app have their own user and group.
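The owner-only scheme from the question (500 directories, 400 files, 700 upload directory), as an added shell example that is not part of the original question or answer. The function names and the paths passed to them are hypothetical, it sets the final modes directly instead of doing the chmod -R 000 pass first, and the audit step assumes GNU find.

```shell
#!/bin/sh
# Added example: apply and audit the owner-only permission scheme
# described in the question. Function names and paths are hypothetical.

# lock_down_site SITE_ROOT UPLOAD_DIR
# Files become 400, directories 500, the upload directory 700.
lock_down_site() {
    root=$1
    upload=$2
    [ -d "$root" ] && [ -d "$upload" ] || return 1
    # Regular files: owner read-only, nothing for group or others.
    find "$root" -type f -exec chmod 400 {} + || return 1
    # Directories: owner may list and traverse, but not create files.
    find "$root" -type d -exec chmod 500 {} + || return 1
    # The single writable location: the upload directory.
    chmod 700 "$upload" || return 1
}

# audit_site SITE_ROOT
# Print every path that grants any bit to group or others.
# Symlinks are skipped because their own mode bits are not meaningful.
audit_site() {
    find "$1" ! -type l -perm /077 -print
}

# count_exposed SITE_ROOT
# Number of paths reported by audit_site (0 means owner-only everywhere).
count_exposed() {
    audit_site "$1" | wc -l | tr -d ' '
}
```

Running count_exposed again after the application has been accepting uploads shows whether newly written files picked up group or other bits from the process umask.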