Apache Web Server

Permissions

Draft: Example for tight webspace permissions

User's comment:

Linux file permissions are complex and this section is confusing and seems wrong to me. Don't you need to set permissions recursively (with e.g. chmod -R)? When setting up a web space I always try to be as precise as possible about the file permissions so that they might act as a last line of defense in case the web server config is too permissive.

For most/any Linux systems (not only Debian) I think the precise restrictive procedure on a fresh installation would be:

Untar the installation package to your web space.

yourwebspace> chown -R <you>:<webserver_group> yourwiki/
yourwebspace> chmod -R 640 yourwiki/
yourwebspace> chmod -R ug+X yourwiki/ (This will make only directories executable/descendable.)

At this point the wiki directory and all directories and files inside it are owned by you, with the group set to the webserver's group. This means that, for now, the webserver can read the wiki directory and all files and directories in it. No write permissions yet, since write access must only be given to directories and files where it is really needed. Now the webserver needs specific write permissions:

yourwebspace> cd yourwiki/
yourwebspace/yourwiki> chmod -R g+w data/ conf/ lib/plugins/ (This gives webserver write access to the necessary directories.)
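
Added example (not part of the user's comment and not the wiki's own code): a shell function that checks a wiki tree against the scheme described in the comment above and lists every path that deviates from it. The function name audit_webspace and the report tags are made up for this example; the three writable directories are the ones named in the comment.

```shell
#!/bin/sh
# Added example: report deviations from the permission scheme in the comment above.
# Assumptions: the function name and report tags are hypothetical;
# data/, conf/ and lib/plugins/ are the only group-writable paths, as in the comment.
# Usage: audit_webspace yourwiki/   (exit 0 = clean, 1 = findings, 2 = bad path)

audit_webspace() {
    root=${1:?usage: audit_webspace <wiki-root>}
    findings=$(
        cd "$root" >/dev/null || exit 2
        # 1. chmod 640 leaves no bits for "other"; any o+r/w/x is a deviation.
        find . ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
            sed 's/^/WORLD /'
        # 2. Group write is allowed only below the three writable directories.
        find . \( -path ./data -o -path ./conf -o -path ./lib/plugins \) -prune \
            -o ! -type l -perm -020 -print | sed 's/^/GROUP-WRITE /'
        # 3. ug+X after 640 sets x on directories only, so no regular file has it.
        find . -type f \( -perm -100 -o -perm -010 \) -print |
            sed 's/^/EXEC-FILE /'
    ) || return 2
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

Symbolic links are skipped in checks 1 and 2 because their own mode bits are not what the kernel enforces.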