I'm trying to figure out the best file permissions/user/groups for files under my document root? I have the following file structure with /home/user/public_html holding all my php files and directories. Inside that, I have one directory /home/user/public_html/files/ where people upload images to.
What is the most secure way to distribute file permissions/groups/user so that apache can properly display the php files and directories?
Should I make public_html owned by apache? What group should I use for public_html?
Is this server used by any others, or just yourself (i.e. is it dedicated or shared)?
Generally, best practice is rwx for the owner and read-only for anyone else. If you are running PHP as mod_php (without a custom Apache build, e.g. mpm-per-child), then you'll want www-data/apache (whoever Apache is running as) to have full rwx access; the FTP/SSH user will also need rwx access.
So it's likely to make the owner your FTP/SSH user with rwx, the group the Apache user with rwx and just read-only or nothing at all to everyone else.
E.g. 774 or 770
Again, if your FTP/SSH user is not the same as your PHP/Apache user then you'll want to make sure your file permissions stay as they should be, even when each respective user creates new files.
To use the above commands, you'll need to make sure that you enable ACLs for your active partition, see http://www.vanemery.com/Linux/ACL/linux-acl.html
But it would be preferred to use PHP-FPM, then you can run the PHP instance as a specific user (and more), and no more permissions headaches.
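One way to apply the owner/group layout this answer describes and keep it stable when either user creates new files. This is an added example, not the answer's own commands: the function names `lock_docroot` and `audit_docroot` are hypothetical, and it assumes files get 660 rather than 770 because PHP sources read by mod_php do not need the execute bit.

```shell
#!/bin/sh
# Added example. Arguments: docroot, owner (the FTP/SSH user), group (the
# group Apache runs as, e.g. www-data or apache).
lock_docroot() {
    docroot=$1 owner=$2 group=$3
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 1; }

    # Owner = FTP/SSH user, group = Apache's group.
    chown -R "$owner:$group" "$docroot" || return 1

    # rw for owner and group, nothing for others. Capital X adds execute
    # only to directories and to files that were already executable.
    chmod -R u=rwX,g=rwX,o= "$docroot" || return 1

    # setgid on directories: new files inherit the directory's group,
    # whichever of the two users creates them.
    find "$docroot" -type d -exec chmod g+s {} + || return 1

    # Default ACLs keep new files group-writable regardless of the
    # creator's umask. Requires setfacl and an ACL-enabled filesystem;
    # otherwise a warning is printed and setgid + umask are relied on.
    if command -v setfacl >/dev/null 2>&1; then
        find "$docroot" -type d \
            -exec setfacl -m d:u::rwx,d:g::rwx,d:o::--- {} + 2>/dev/null ||
            echo "warning: could not set default ACLs under $docroot" >&2
    else
        echo "warning: setfacl not found, relying on setgid + umask" >&2
    fi
}

# Print every path under the docroot that "other" can read, write or
# execute. Empty output means the layout is intact.
audit_docroot() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}
```

Run `audit_docroot /home/user/public_html` from cron or after deployments to catch files that drifted back to world-readable or world-writable modes.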