Why does /var/www/ require 755 permissions? Why not 700 after chown?
The directory where my Apache files are stored is /var/www.
If I run,
sudo chown -R www-data:www-data /var/www
This makes www-data the owner of the www folder. Since all static/dynamic files will be served by the Apache user, why do I need 755 permissions for that folder now? It should only need to provide 700 permissions, right? With 700 permissions, the owner (www-data) has full permissions to the folder.
So my question is, why do I need to run:
sudo chmod -R 755 /var/www
instead of:
sudo chmod -R 700 /var/www
EDIT: I didn’t encounter any errors. I ask this question just for knowledge. A lot of people have suggested that I set 755 permissions on the /var/www/ folder. Just wondering why I can’t use the 700.
The optimal layout depends on several factors. This is primarily a security issue. Here are some things to consider:
1) Do you want your web server to be able to write files to your DocumentRoot? Most of the time the answer is no, apart from upload directories and things like that. In that case you need something like 755, where the owner/group is not the user the Apache runtime uses.
2) Do you have a local user account (such as a developer) that should be able to access the content? If so, you may need permissions like 755, root:developers, with Apache running as "www-data" or "apache" and not in that group (subject to #1 above).
3) Do these developers need to be able to edit content (do code pushes)? In that case, maybe 775 root:developers is better.
The main problem with 700 is that it requires the owner to be the user running Apache, which gives that user full permission to modify any file in DocumentRoot. This is generally considered a security vulnerability because, in general, web servers should not modify files in DocumentRoot except in very specific cases.
A common exploit is for an attacker to trick your web application into uploading something like a malicious PHP script somewhere in DocumentRoot and then visiting that page. One countermeasure is to prohibit Apache from writing to DocumentRoot with this filesystem permission.
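An added example, not from the original post, that checks the layout the answer recommends: it walks a DocumentRoot and lists every entry the web server user could modify, so an empty result means Apache can serve but not alter content. It assumes a POSIX shell, a find(1) that accepts octal -perm masks (GNU and BSD both do), and that WEBUSER/WEBGROUP are the account Apache actually runs as.

```shell
# audit_docroot: list entries under a DocumentRoot that the web server user
# could modify. Added helper, not from the original post; assumes a POSIX
# shell and a find(1) that accepts octal -perm masks (GNU and BSD both do).
#
# Usage:
#   audit_docroot DOCROOT WEBUSER [WEBGROUP]
# Example (not run here): audit_docroot /var/www www-data www-data
# An empty result means the layout matches the answer's advice: Apache can
# read and serve, but cannot alter content.
audit_docroot() {
    root=$1
    webuser=$2
    webgroup=${3:-$2}
    # An entry is web-writable if any of these holds:
    #   owned by the web user and owner-writable   (-perm -200)
    #   in the web group and group-writable        (-perm -020)
    #   writable by everyone                       (-perm -002)
    find "$root" \( -user "$webuser" -perm -200 \) \
                 -o \( -group "$webgroup" -perm -020 \) \
                 -o -perm -002
}

# Convenience wrapper returning only the number of findings.
count_web_writable() {
    audit_docroot "$@" | wc -l | tr -d ' '
}
```

Running it against the question's layout (www-data owning /var/www with 755/644) flags every file, because owner-write is what 7 and 6 grant; against 755 root:developers with Apache in no group it returns nothing.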