Why Are File Permissions on a Web Server Important?
File permissions control:
- Who can read, write, or execute your files.
- What your web server can serve to visitors.
- What an attacker can steal or modify if something is misconfigured.
If your permissions are too loose:
- People might download sensitive files (like your db_config.php with database passwords!).
- Hackers might upload malicious files (like backdoors or malware).
- Attackers might overwrite your files (deface your website or inject malware).
- If a file has execute permissions when it shouldn’t, it could be used to run unauthorized code.
What Can Go Wrong if Permissions Are Wrong?
| Problem | What Happens |
|---|---|
| World-readable sensitive files (db_config.php, .env) | Hackers can steal your database passwords and access your data |
| World-writable files (666) | Hackers can modify your website, upload web shells, deface it |
| Executable files that shouldn't be | Hackers can run unauthorized scripts on your server |
| Directory listing allowed | Hackers can browse your folders, find hidden files |
| Bad PHP config + world-readable | PHP code could leak (e.g., users see the source code if PHP isn't properly executed) |
Examples of Real Security Mistakes
- Misconfigured server shows db_config.php because PHP stopped working → attacker sees DB password → database hacked.
- Writable upload folders not protected → attacker uploads shell.php → remote code execution → full server control stolen.
- No directory permission restrictions → attacker finds /admin/hidden_config/ directory and downloads admin tools or private keys.
- Too much file access → one hacked site on a shared server can affect other sites via symlinks or cross-site attacks.
How Good Permissions Protect You
| Item | Correct Permission | Why |
|---|---|---|
| HTML, CSS, JS, images | 644 (rw-r--r--) | Everyone can read (the web server needs to serve them to browsers), only the owner can write |
| PHP files | 600 (rw-------) | Only the owner, the server user (www-data), can read them; prevents leaking sensitive code |
| Directories | 755 (rwxr-xr-x) | Server can enter directories, others can list but not modify |
| Sensitive configs (db_config.php, .env) | 600 | Locked to owner only |
Bottom Line
- Bad permissions = open door to hackers 🔓
- Good permissions = another locked gate 🔒 on top of your firewall, SSL, authentication, etc.
Recommended Ownership and Permissions
| Item | Should Be | Why |
|---|---|---|
| Owner | www-data | Web server can read files safely |
| Group | www-data | Web server group has access |
| Permissions (files) | 644 (rw-r--r--) | Owner can edit, public can read |
| Permissions (folders) | 755 (rwxr-xr-x) | Owner can edit/traverse, public can read |
Commands to Secure Web Server Files
# Add the ubuntu login user to the web server's group
sudo usermod -aG www-data ubuntu
# Hand the whole web root to the web server user and group
sudo chown -R www-data:www-data /var/www/
# Files: readable by all, writable only by the owner
sudo find /var/www/ -type f -exec chmod 644 {} \;
# Directories: traversable and listable by all, writable only by the owner
sudo find /var/www/ -type d -exec chmod 755 {} \;
# PHP files last, so this overrides the 644 above: owner-only
sudo find /var/www/ -type f -name "*.php" -exec chmod 600 {} \;
Automation Scripts
Reset Web Permissions
nano ~/reset_web_permissions.sh
#!/bin/bash
# Lock /var/www/ back down for serving: the web server owns everything,
# 755 on directories, 644 on files, 600 on PHP (the PHP rule must run last).
sudo chown -R www-data:www-data /var/www/
sudo find /var/www/ -type d -exec chmod 755 {} \;
sudo find /var/www/ -type f -exec chmod 644 {} \;
sudo find /var/www/ -type f -name "*.php" -exec chmod 600 {} \;
echo "✅ Permissions locked for /var/www/"
Open Web Permissions (for editing)
nano ~/open_web_permissions.sh
#!/bin/bash
# Hand /var/www/ to the ubuntu login user so the files can be edited;
# the modes stay the same, only the owner changes. Run reset_web_permissions.sh when done.
sudo chown -R ubuntu:ubuntu /var/www/
sudo find /var/www/ -type d -exec chmod 755 {} \;
sudo find /var/www/ -type f -exec chmod 644 {} \;
sudo find /var/www/ -type f -name "*.php" -exec chmod 600 {} \;
echo "✅ Permissions opened for /var/www/"
Make Scripts Executable
chmod +x ~/open_web_permissions.sh
chmod +x ~/reset_web_permissions.sh
Run the Scripts
~/open_web_permissions.sh
~/reset_web_permissions.sh
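Added example, not part of the original guide: an audit script that checks a web root against the rules in the tables above (644 files, 755 directories, 600 for PHP and sensitive configs) and lists every deviation, so you can verify what the reset script did. It assumes Linux with GNU stat; its apply_policy function mirrors the reset script's chmod rules but also covers .env, which the table lists as sensitive although the guide's commands only match *.php. The sample tree it builds is constructed test data.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a web root against the policy
# above (files 644, dirs 755, *.php / .env / db_config.php 600) and list every
# deviation. Assumes Linux (GNU "stat -c"); paths containing newlines are not supported.

# Expected mode for one path, by the rules in the tables above.
expected_mode() {
  if [ -d "$1" ]; then echo 755; return; fi
  case "$(basename "$1")" in
    *.php|.env|db_config.php) echo 600 ;;
    *) echo 644 ;;
  esac
}

# Print "MODE PATH (expected MODE)" for every entry under $1 that breaks the policy.
audit_webroot() {
  find "$1" -mindepth 1 -print | while IFS= read -r path; do
    mode=$(stat -c '%a' "$path")
    want=$(expected_mode "$path")
    [ "$mode" = "$want" ] || printf '%s %s (expected %s)\n' "$mode" "$path" "$want"
  done
}

# Number of findings: 0 means clean, so this works as a cron/CI gate.
count_findings() { audit_webroot "$1" | wc -l | tr -d ' '; }

# Same chmod rules as the reset script above, minus sudo/chown, plus .env
# (the table lists it as sensitive but the guide's commands only match *.php).
apply_policy() {
  find "$1" -type d -exec chmod 755 {} \;
  find "$1" -type f -exec chmod 644 {} \;
  find "$1" -type f \( -name '*.php' -o -name '.env' \) -exec chmod 600 {} \;
}

# Constructed sample tree with three deliberate mistakes, for the demo and tests.
make_sample_tree() {
  mkdir -p "$1/uploads" "$1/inc"
  : > "$1/index.html";         chmod 644 "$1/index.html"
  : > "$1/.env";               chmod 600 "$1/.env"
  : > "$1/inc/db_config.php";  chmod 644 "$1/inc/db_config.php"   # readable by others
  : > "$1/uploads/avatar.png"; chmod 666 "$1/uploads/avatar.png"  # world-writable
  chmod 755 "$1/inc"; chmod 777 "$1/uploads"                      # world-writable dir
}

# Audit the directory given on the command line, or the sample tree if none.
if [ -n "${1:-}" ]; then audit_webroot "$1"; else
  tmp=$(mktemp -d); make_sample_tree "$tmp"; audit_webroot "$tmp"; rm -rf "$tmp"
fi
```

Run it as `sh audit_webroot.sh /var/www` after reset_web_permissions.sh; empty output means every path matches the policy.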