Who should own Public_HTML?

So after a vanilla LAMP install on 11.04, Ive got my web directory in:


My question is what should the group and user be set to on public_html? By default it was root and root post installation but recently I set it to my standard user account out of lazyness to create and edit files in there, is this safe to do?

It still serves the pages ok but I wasn't sure if www-data was supposed to be in charge or what? Any advice or tips much appreciated!

11 Replies

Ownership doesn't really matter except under the following circumstances

1) You're using Suexec which requires the owner and executor are the same

2) Your web server needs to write files it tends to be wise to set the owner to www-data if you want to update wordpress for example

3) You're running a multi user environment, then the group sgid bit comes in handy

I tend to keep ownership to the user I sftp in as. But I don't run wordpress, suexec and work in a single user environment

Thank you for the answer!

So would it be practical to set www-data to group and owner and then add my standard user to www-data group or is that frowned up then?

If you want your web server to write to the site and you want your user to write to it I'd create a group say called "sitewritable" and add the web server and my user to that group then chgrp -R serverwritable /path/to/files; chmod -R g+w /path/to/files; find /path/to/files -t d -exec chmod g+s {} \; which sets the group, gives the group write permissions and sets the gid on execution of folders so new files should have group write perms

> I'd create a group say called "sitewritable" and add the web server and my user to that group then

Why do this when there is already something in place.

In ubuntu/debain it is:

group: www-data

user: www-data

Just do this:

sudo chown -R www-data /var/www/


Just do this:

sudo chown -R www-data /var/www/

Don't do that.

If an exploit is discovered in a script you run then it could possibly be used to delete/overwrite every file and directory on the site.

www-data ownership should be assigned only under specific and controlled circumstances.

For most files and directories, assigned ownership to the shell user who maintains them.

Still not clear for me :(

Who should own the public_html/ ??? I have it with root…

It depends on your setup.

I run everything through modsuxec. This way all PHP, CGI, etc process are run as the user that owns the virtual host. I also give publichtml ownership to that particular user. All this eliminates the need to give o+w permission when a web site needs to write to a file, and adds a mediocre level of security by making sure no website actually runs as the Apache user.


Still not clear for me :(

Who should own the public_html/ ??? I have it with root…

If you administer the content in publichtml, and you login to system as 'fernandoch', then the publichtml directory and its content should be owned by user 'fernandoch'.

If a directory needs to be writeable by the webserver (e.g. for web-based uploads) then you have a choice of either: (a) changing permissions or ownership on the uploads directory to make it writeable; or (b) use suexec as saman007uk says, so that the upload script runs as user 'fernandoch' and has permission to write to the uploads directory, which is owned by user 'fernandoch'.

So it should not be the same user as apache's user?

And for sure not root?


And for sure not root?

So it should not be the same user as apache's user? Depending on your setup. Basically the permissions need to be setup such that the Apache user can read any static data that you want available online.

What do you guys think about this

# or B. More secure (recommended). Allow writting only in places Joomla! needs to write to (more secure)
sudo chown -R root:root /var/www/joomla
cd /var/www/joomla
for i in $PLACES; do
    sudo chown -R www-data:www-data $i

Taken from here https://help.ubuntu.com/community/Jooml … ess_Rights">https://help.ubuntu.com/community/Joomla#ConfigureAccessRights


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct