What should the Unix file system permissions be for PHP files under Apache?

What is the best practice for permissions with PHP files? When should they be writable, or executable? What owner is best? I'm using an Apache server.

asked Jun 27, 2011 at 17:13 Kirk Strobeck

Are you talking about the file permissions of the web server (eg: apache)?

Commented Jun 27, 2011 at 17:07

great, thnx for the tip

Commented Jun 27, 2011 at 17:12

You need to provide more details, how are you uploading your files? (SSH/SFTP, FTP, control panel?, ...) You mentioned ownership, do you have root access to the box? What user is Apache running? If possible, what distro are you using? See also webmasters.stackexchange.com/q/13658/6597

Commented Jul 2, 2011 at 8:10

Also see What permissions should my website files/folders have on a Linux webserver? on Serverfault.

Commented May 28, 2016 at 17:00

7 Answers

PHP scripts should be editable by the owner, readable by a group the apache user is in, and optionally readable by anyone. They don't need to be executable. Ideally, most of the php scripts should be outside of a web-accessible folder, especially any configuration files. This way even if there is a problem with the apache configuration, your php files will never be exposed to the web. Often you'll just have an index.php page which calls require_once() on a script in the protected directory outside the web-accessible folder. A .htaccess file rewrites all incoming requests so that they go through the index.php, which then uses the router in the protected directory to figure out what to serve.

answered Jun 27, 2011 at 17:43 Bob Baddeley

I like this answer but could you expand with some ie. 0777, 755, 655 kind of numbers, I need to know how to actually set the files

Commented Jul 5, 2011 at 16:21

@Kirk Strobeck: editable (read/write) by the owner, readable by a group, and readable by anyone = 644

Commented Jul 5, 2011 at 17:29

as Marco said, permissions go in order of owner, group, anyone, where read is 4, write is 2, execute is 1, and you add them together. So if you want something read only, it would be 4. If you want read and write, it's 6 (4+2), and if you want all permissions, it's 7 (4+2+1). Most php files will have 644 because the owner has to be able to edit it, everyone needs to be able to read it, and nobody needs to execute it (in the strictly unix sense. php is the executable and it's reading the files, parsing them, and doing stuff with them, so unix isn't actually executing them).

Commented Jul 5, 2011 at 18:38

also, the 0 at the beginning is optional and useless. It's just saying the number is octal, but since permissions never go above 7, it's pointless to specify.

Commented Jul 5, 2011 at 18:39

it's still not clear how to deal with php upload routines? if we have 644 permissions for files and 755 for directories, php won't be able to write to project directory. if we set 775 permission for folder, httpd will be able to write, but the files it creates will have httpd owner and it will be impossible to modify them using regular user account.

Commented Jul 14, 2015 at 10:30

You may be confusing the roles of PHP and the file system. PHP does not have read, write, or executable permissions. Those are handled by the underlying filesystem (ext4, NTFS, etc).

You can use PHP functions such as is_writable() and is_readable() to determine the permissions of a given file, and chmod() to change them.

answered Jun 27, 2011 at 17:07 George Cummins

Basically most functions / methods attempting to write to a file in PHP should have an idea like this:

    function writeSomething( $file ) {
        if ( !is_writable( $file ) ) {
            // attempt to make it writable
            if ( !chmod($file, 0777) ) {
                // could not make file writable
                // log the error.
                return false;
            }
        }
        // perform the writing here..
    }

It's a good idea to make sure that you can access the file before attempting to do it, because it's always better to show the user a custom error like "There was a problem" than showing a classic PHP error like "Unable to write to file..." or something.

Hope I can help!

answered Jun 27, 2011 at 17:13 David Conde

755 for folders and 644 for php and other files.

answered Feb 24, 2015 at 19:32

This is similar to advice given in other answers. Can you explain what makes your answer more correct, link to documentation, and explain how to set permissions?

Commented Feb 24, 2015 at 21:34

Why does Other have read on files and read+execute on folders (0644 and 0755)? Shouldn't entitlements be limited to User and Groups for a web server on Linux? What benefit does it provide? What risk does it expose?

Commented May 28, 2016 at 17:03

0655 is the best permission level. There's really no reason for changing your files above this. Of course there may be a folder here or there that requires some write permissions, but for everything else 0655 will work.

As a tip, make sure that all of your files are owned by apache. This can easily get changed if you ftp'd your files onto the server. So make sure you set them to apache for production sites. This will eliminate a lot of permission issues when running such a tight ship.

answered Jul 2, 2011 at 8:06 capitalaudience.com

umad? 655 = read+write for owner, read+execute for others. Bad Idea(tm) Whether the files are owned by apache or not depends on the purpose of the files. For a static website, it's better that the files are not writable to avoid attacks in case a hole is found in the code.

Commented Jul 2, 2011 at 8:11

Here again: Why should any (PHP-)file be executable? Also - if the files are owned by Apache, you will have problems to change anything via FTP or SVN if you haven't root access. Better to use a user-group, which includes the Apache (on most webspace-accounts I saw it was www-data).

Commented Jul 5, 2011 at 11:09
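The 644/755 baseline from the first answer and the ownership concern raised in the comments above can be checked mechanically. The following audit script is an added example, not code from any poster in this thread; the function names are hypothetical, and the `www-data` default for the web server account is an assumption to replace with the user your Apache runs as.

```shell
#!/bin/sh
# Added example, not from the thread. The www-data default is an assumption;
# pass the account (name or numeric uid) your Apache actually runs as.

# tag REASON: prefix each path read from stdin with REASON and a tab.
tag() {
    while IFS= read -r path; do printf '%s\t%s\n' "$1" "$path"; done
}

# audit_web_perms ROOT [WEB_USER]
# Prints one "REASON<TAB>PATH" line per deviation from the baseline
# (files 644, directories 755, code not owned by the web server user).
audit_web_perms() {
    root=$1
    web_user=${2:-www-data}
    {
        # Files writable by group or other: more than the owner can alter code.
        find "$root" -type f \( -perm -020 -o -perm -002 \) | tag file-writable
        # Execute bits on files: PHP reads scripts, the kernel never runs them.
        find "$root" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) |
            tag file-executable
        # Directories writable by group or other: new files can be dropped in.
        find "$root" -type d \( -perm -020 -o -perm -002 \) | tag dir-writable
        # Files owned by the web server user: a hole in the code can rewrite them.
        find "$root" -type f -user "$web_user" | tag owned-by-web-user
    } | sort
}

# fix_web_modes ROOT: apply the 755/644 baseline; ownership is left alone.
fix_web_modes() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}
```

Run `audit_web_perms /path/to/docroot` before and after a deployment; an upload directory that must stay writable will keep appearing as `dir-writable`, which makes the exception explicit rather than silent.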

Commonly used permissions for Cpanel are:

  1. Folder permissions: 755
  2. General File permission: 644
  3. Configuration file permissions: 444

answered Jul 5, 2011 at 7:36

Why does Other have read on files and read+execute on folders (0644 and 0755)? Shouldn't entitlements be limited to User and Groups for a web server on Linux? And why are you allowing anyone to read configuration files (0444)? What benefit does it provide? What risk does it expose?

Commented May 28, 2016 at 17:05

PHP in itself is a scripting language. I'm gonna assume you (op) want to know about best file permissions in web folders.

It really depends on what you're trying to achieve with the server you're with as well as what remote users should have access to, etc.

If you're only using the server solely for the purposes of publishing web pages via PHP scripts, then the file permissions 755 would work well (not 655), that way the owner of the PHP file has full control of it while the rest of the world (including the group the user is in) will only be able to read the file and execute it.

For improved security, then use file permissions 711 so that the world would at best only be able to execute the file. Also, consider adding functionality to the apache server that causes it to switch the user on every request for even greater security. By this, I mean add mod_ruid2 module, or suPHP module, etc.