When configuring Unix permissions for web applications, we must balance security with functionality. The standard octal permission system consists of three digits representing owner, group, and others permissions respectively. Each digit combines read (4), write (2), and execute (1) flags.
Here's a detailed breakdown of optimal permissions for common web application directories:
1. User Upload Directory (Public Static Files)
Recommended: 755 (rwxr-xr-x)
chmod 755 /var/www/uploads/public
Rationale: Web server needs full access (read/write/execute for owner), while others only need read/execute to serve files. Execute bit is required for directory traversal.
2. Admin Upload Directory
Recommended: 750 (rwxr-x---)
chmod 750 /var/www/uploads/admin
Rationale: Similar to public uploads but restricted to owner and group (web server group). Prevents unauthorized access to admin content.
3. Library Directory
Recommended: 555 (r-xr-xr-x)
chmod 555 /var/www/libs
Rationale: Libraries are included by server-side scripts but shouldn't be modified. The execute bit on the directory permits traversal, which is what an include needs; the files themselves only have to be readable.
4. Server-Side Scripts Directory
Recommended: 750 (rwxr-x---)
chmod 750 /var/www/cgi-bin
Rationale: Web server executes scripts but shouldn't modify them. Group permissions allow shared access in multi-developer environments.
5. Server-Writable Data Directory
Recommended: 770 (rwxrwx---)
chmod 770 /var/www/data
chown www-data:www-data /var/www/data
Rationale: Web server needs full access (read/write/execute). Group permissions enable maintenance scripts to modify files.
- Set correct ownership for web server access:
  chown www-data:www-data /path
- Use umask 0027 for new file creation
- Consider filesystem ACLs for complex permission scenarios
- Regularly audit permissions with:
  find /var/www -type d -exec ls -ld {} \;
#!/bin/bash
# Web directory permission setter
WEB_ROOT="/var/www"
APACHE_USER="www-data"

# Set ownership
chown -R "${APACHE_USER}:${APACHE_USER}" "${WEB_ROOT}"

# Set directory permissions
find "${WEB_ROOT}" -type d -exec chmod 755 {} \;

# Special directories
chmod 750 "${WEB_ROOT}/admin"
chmod 770 "${WEB_ROOT}/data"
chmod 555 "${WEB_ROOT}/libs"

# Set file permissions
find "${WEB_ROOT}" -type f -exec chmod 644 {} \;
find "${WEB_ROOT}/cgi-bin" -type f -exec chmod 750 {} \;
When configuring a web application, directory permissions must balance accessibility with security. Here's a technical breakdown of recommended settings:
# Common permission schemes in octal format
USER_UPLOADS=755
ADMIN_UPLOADS=750
LIBRARIES=555
SCRIPTS=750
EDITABLE_FILES=640
1. User Upload Directory (public files)
Recommended: 755 (rwxr-xr-x)
chmod 755 /var/www/uploads/public
Rationale: Web server needs execute to traverse directory. Users only need read access to download files. Write permission reserved for upload process (often handled through separate mechanisms).
2. Admin Upload Directory (privileged content)
Recommended: 750 (rwxr-x---)
chmod 750 /var/www/uploads/admin
chown www-admin:www-data /var/www/uploads/admin
More restrictive than public uploads. Group access for web server process, but prevents other users from viewing admin content.
3. Library Directory
Recommended: 555 (r-xr-xr-x)
chmod 555 /var/www/libs
find /var/www/libs -type f -exec chmod 444 {} \;
Execute is needed for directory traversal. Files should generally be read-only (444). Consider making the directory immutable if possible (note that +i on the directory blocks adding, removing or renaming entries; apply it to the files as well if their contents must also be protected):
chattr +i /var/www/libs
4. Server-Side Scripts Directory
Recommended: 750 (rwxr-x---)
chmod 750 /var/www/cgi-bin
find /var/www/cgi-bin -type f -exec chmod 750 {} \;
Execution required for scripts. Group permissions should match web server's group (typically www-data).
5. Server-Editable Files
Recommended: 640 (rw-r-----)
chmod 640 /var/www/config/*
chown www-admin:www-data /var/www/config/*
These modes apply to the files in the directory; the directory itself keeps its execute bit so the server can traverse it. Web server needs read access, but only the owner (admin) should have write permissions.
SUID/SGID Flags
Avoid these on web directories:
find /var/www -type d -perm /g+s,u+s -ls
Sticky Bit for Shared Directories
Useful for multi-user environments:
chmod 1770 /var/www/shared-tmp
ACLs for Fine-Grained Control
Example for PHP uploads:
setfacl -Rm u:www-data:rwX,d:u:www-data:rwX /var/www/uploads
setfacl -Rm u:deploy:rX,d:u:deploy:rX /var/www
- Never use 777 permissions
- Avoid world-writable directories (666/777)
- Don't mix content types in same directory
- Ensure proper ownership (chown/chgrp)
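The audit commands earlier ("Regularly audit permissions", the SUID/SGID check) and the don'ts just listed can be rolled into one check. The script below is an added example, not part of the original text: it flags world-writable entries, SUID/SGID bits and config files readable by "others", and exercises itself on a constructed throwaway tree whose path names are illustrative only.

```shell
#!/bin/sh
# Added example (not from the original page): audit a web root for the
# permission mistakes the text warns against. POSIX sh; GNU or BSD find.

# Print one "<CHECK> <path>" line per finding. Always exits 0 so a caller can
# count findings rather than stop at the first.
audit_web_perms() {
    root=$1
    # World-writable files or directories (o+w = 002). Symlinks are skipped:
    # their own mode is always 777 and not meaningful.
    find "$root" ! -type l -perm -002 | sed 's/^/WORLD_WRITABLE /'
    # Setuid (4000) or setgid (2000) bits anywhere under the web root.
    find "$root" ! -type l \( -perm -4000 -o -perm -2000 \) | sed 's/^/SUID_SGID /'
    # Config files should be 640 or tighter: no read bit for "others" (004).
    if [ -d "$root/config" ]; then
        find "$root/config" -type f -perm -004 | sed 's/^/WORLD_READABLE_CONFIG /'
    fi
}

# Build a throwaway tree mixing correct and incorrect modes (constructed
# sample data) and print its root so the caller can audit and remove it.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/uploads/public" "$fx/data" "$fx/cgi-bin" "$fx/config" "$fx/libs"
    chmod -R g-s "$fx"   # drop any setgid inherited from the temp parent
    chmod 755 "$fx/uploads/public"                                # correct
    chmod 777 "$fx/data"                                          # wrong: world-writable
    : > "$fx/cgi-bin/run.sh";  chmod 4755 "$fx/cgi-bin/run.sh"    # wrong: setuid
    : > "$fx/config/app.conf"; chmod 640  "$fx/config/app.conf"   # correct
    : > "$fx/config/db.conf";  chmod 644  "$fx/config/db.conf"    # wrong: o+r
    : > "$fx/libs/util.php";   chmod 444  "$fx/libs/util.php"     # correct
    echo "$fx"
}

# Stand-alone run: build the fixture, audit it (three findings), clean up.
demo_root=$(make_fixture)
audit_web_perms "$demo_root"
rm -rf "$demo_root"
```

Point audit_web_perms at a real web root (e.g. /var/www) from cron and alert on any output; an empty result means none of the three checks fired.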
Sample Bash script for permission hardening:
#!/bin/bash
WEB_ROOT="/var/www"
# Baseline: directories traversable by owner and group only, files 640
find "$WEB_ROOT" -type d -exec chmod 750 {} \;
find "$WEB_ROOT" -type f -exec chmod 640 {} \;
# Per-directory overrides
chmod -R 750 "$WEB_ROOT/bin"
chmod -R 550 "$WEB_ROOT/libs"
chmod -R 750 "$WEB_ROOT/uploads"
# Admin owns the tree; the web server only gets group access
chown -R www-admin:www-data "$WEB_ROOT"