2 ways to set up file permissions for Laravel in production

Security 4 mins read

    Introduction

    File permission is the most important thing on the web in general: it defines who you are and what you can do. In other words, by giving permissions to specific files, you are telling a story of how other users can use your files and what they can do with them.

    Requisite

    You must know how to access the server (e.g. Digital Ocean Droplets) and be familiar with some basic Unix commands and with Laravel basics, including the deployment steps of course.

    Linux File Permission

    If you are already familiar with file permissions and want to know how to set up those permissions in a Laravel app, you can skip this section.

    This article is not about Linux file permissions as such. I just want to cover the basics so that you know what you are doing and pasting into your terminal, because you must know how these things work. If you just copy and paste commands, you will never learn anything meaningful.

    Permission Groups

    So, in the Linux world everything is a file, and each file/directory has three user-based permission groups:

    • Owner: The Owner permissions apply only to the owner of the file or directory; they do not impact the actions of other users. Meaning: the owner stands on his own, and these permissions are not shared with anyone else (selfish, right?)
    • Group: The Group permissions apply only to the group that has been assigned to the file or directory; they do not affect the actions of other users. Meaning: if the file is assigned to a specific group (e.g. party), these permissions apply to the members of that group and not to the members of another group (e.g. meeting)
    • All Users: The All Users permissions apply to all other users on the system. This is the permission group that you want to watch the most, because it is the place where everyone can do whatever they want.

    Permission Type

    Like the groups, there are also permission types, and each file/directory has three basic permission types:

    • Read: The Read permission refers to a user's capability to read the contents of the file.
    • Write: The Write permission refers to a user's capability to write or modify a file or directory.
    • Execute: The Execute permission affects a user's capability to execute a file or view the contents of a directory.

    Viewing the Permissions

    So, now that we know about permissions and groups, we must know how to view them, right? You simply check the file or directory permissions by typing in your terminal (command line):

    ls -la
    

    And on some modern Linux systems/OSX:

    ll
    

    And if we run, for example, ls -la app inside the Laravel project, the permissions are displayed in the terminal as:

    total 28
    drwxr-xr-x  7 coderflex coderflex 4096 December 22 18:07 .
    drwxr-xr-x 15 coderflex coderflex 4096 January   5 12:13 ..
    drwxr-xr-x  2 coderflex coderflex 4096 December 22 18:07 Console
    drwxr-xr-x  2 coderflex coderflex 4096 December 22 18:07 Exceptions
    drwxr-xr-x  6 coderflex coderflex 4096 January   5 11:59 Http
    drwxr-xr-x  2 coderflex coderflex 4096 January   3 10:36 Models
    drwxr-xr-x  2 coderflex coderflex 4096 December 22 18:07 Providers
    

    All that matters is drwxr-xr-x

    So, the given output means the following:

    1. User rights/Permissions
      1. The first character (d here, marking a directory) is the special permission flag that can vary.
      2. The following set of three characters (rwx) is for the Owner permissions.
      3. The second set of three characters (rwx) is for the Group permissions.
      4. The third set of three characters (rwx) is for the All Users permissions.
    2. Following that grouping, the integer/number displays the number of hard links to the file.
    3. The last piece is the Owner and Group assignment, shown here as coderflex coderflex (Owner, then Group).

    Using Binary References To set Permissions

    Now that you understand the groups and permissions and how they work, you may notice that some commands use binary references, for example: chmod 640 example1. chmod is the command that changes the access permissions of file system objects, and the number tells it which permissions to set.

    The binary numbers for rwx are the following:

    • r = 4
    • w = 2
    • x = 1

    Examples:

    If you see:

    • r-x: The user can Read + Execute.
    • rwx: The user can Read + Write + Execute.
    • -wx: The user can Write + Execute.
    • 640: This means
      • 6 for the Owner: can Read and Write (4 + 2 + 0)
      • 4 for the Group: can Read (4 + 0 + 0)
      • 0 for All Users: no permissions (0 + 0 + 0)

    I think you now get the idea and understand the basics of file system permissions. So, let's dive into the most important things ;)
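    The same arithmetic as a small shell function, added here as an example (it is not part of the original article): it converts the mode column printed by ls -la into the number you would pass to chmod. The function names are made up for this example, and special flags such as s or t are rejected rather than interpreted.

```shell
#!/bin/sh
# Added example: symbolic mode from `ls -la` -> chmod number (r=4, w=2, x=1).

# triplet_value "r-x" -> 5. Fails on anything that is not r/w/x/- in its slot.
triplet_value() {
    case $1 in
        [r-][w-][x-]) ;;
        *) return 1 ;;
    esac
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac   # read
    case $1 in ?w?) v=$((v + 2)) ;; esac   # write
    case $1 in ??x) v=$((v + 1)) ;; esac   # execute
    printf '%s' "$v"
}

# mode_to_octal "drwxr-xr-x" -> 755
# Accepts the 10-character ls form (leading flag + 9 chars) or the bare 9 chars.
mode_to_octal() {
    m=$1
    if [ "${#m}" -eq 10 ]; then
        m=${m#?}                                   # drop the leading flag (d, -, ...)
    fi
    [ "${#m}" -eq 9 ] || return 1
    mid=${m#???}                                   # last six characters
    o=$(triplet_value "${m%??????}") || return 1   # Owner: first three
    g=$(triplet_value "${mid%???}") || return 1    # Group: middle three
    a=$(triplet_value "${m#??????}") || return 1   # All Users: last three
    printf '%s%s%s\n' "$o" "$g" "$a"
}

mode_to_octal drwxr-xr-x    # the directories in the listing above
mode_to_octal -rw-r-----    # the result of chmod 640 example1
```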

    Web server as Owner (common)

    If you understand the above, this becomes a piece of cake.

    There are basically two ways to set up your ownership and permissions: either you give yourself ownership, or you make the web server the owner of all files.

    Assuming www-data (it could be something else) is your web server user:

    Let's assume your files are inside /var/www/html/website

    sudo chown -R www-data:www-data /var/www/html/website
    
    • chown: For changing the Owner
      • -R: operate on files and directories recursively (--recursive)

    If you run this command, the web server owns all the files and is also the group. You will then have some problems uploading files or working with the files (e.g. over FTP), because your FTP client is logged in as you, not as your web server. So add your user to the web server user group to avoid any problem:

    sudo usermod -a -G www-data your-username
    
    • usermod: modify a user account
      • -a: Add the user to the supplementary group(s). Use only with the -G option.
      • -G: A list of supplementary groups which the user is also a member of. Each group is separated from the next by a comma, with no intervening whitespace. The groups are subject to the same restrictions as the group given with the -g option.

    Of course, this assumes your web server is running as www-data, and your user is your-username.

    Note

    The word your-username in this case is your user name on the server, and you can check the name by running the command:

    whoami
    

    Then, you set all the directories to 755 and your files to 644

    To set the file permission

    sudo find /var/www/html/website -type f -exec chmod 644 {} \;
    

    To set the directory permission

    sudo find /var/www/html/website -type d -exec chmod 755 {} \;
    

    Here, all we do is:

    1. Find all the files (-type f) and give them 644 permissions.
    2. Find all the directories (-type d) and give them 755 permissions.

    User as The Owner

    This method is great: it allows you to own everything, both files and directories.

    Let's assume, as above, that your website is located in:

    /var/www/html/website

    sudo chown -R $USER:www-data /var/www/html/website
    

    $USER means the current user. For example, if you are logged in as root, $USER is root.

    After this command do the following:

    sudo find /var/www/html/website -type f -exec chmod 644 {} \;
    

    To set the directory permission

    sudo find /var/www/html/website -type d -exec chmod 755 {} \;
    

    Storage & Cache Directory Permissions

    Whichever way you set up your server, you need to give the web server read and write permissions for storage, cache and any other directories your web server needs to upload or write to (depending on your situation), so you can run these final commands.

    Change the directory to your application:

    cd /var/www/html/website
    

    after that:

    sudo chgrp -R www-data storage bootstrap/cache
    

    and

    sudo chmod -R ug+rwx storage bootstrap/cache
    

    Be Careful

    As the title says, be careful with giving 777 to folders/files, because if you give any of your folders 777 permissions (full read, write, execute), you are allowing ANYONE, literally anyone, to read, write and execute any file in that directory.

    That means you are giving anyone (hackers, any malicious person in the entire world) the permission to upload ANY file, a virus or any other file, and then execute that file.
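    To check that a deployment really ends up in the state described in the sections above (644 files, 755 directories, storage and bootstrap/cache group-writable for the web server, nothing writable by All Users), here is a read-only audit. It is an added example, not part of the original article; the function name and finding labels are made up, and the root path and web server group are assumptions you pass in.

```shell
#!/bin/sh
# Added example: read-only audit of a Laravel tree against the layout above.
# Usage: sh audit.sh /var/www/html/website www-data   (both values are assumptions)

# audit_perms ROOT [WEBGROUP]
# Prints one finding per line. Returns 0 when clean, 1 on findings, 2 on bad ROOT.
audit_perms() {
    root=$1
    webgroup=${2:-www-data}
    if [ ! -d "$root/storage" ] || [ ! -d "$root/bootstrap/cache" ]; then
        echo "not a Laravel root: $root" >&2
        return 2
    fi
    findings=$(
        cd "$root" || exit
        # 1. Nothing may be writable by All Users (the 777 problem).
        find . ! -type l -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'
        # 2. Outside the writable directories: files 644, directories 755.
        find . \( -path ./storage -o -path ./bootstrap/cache \) -prune \
            -o -type f ! -perm 644 -print | sed 's/^/FILE-NOT-644 /'
        find . \( -path ./storage -o -path ./bootstrap/cache \) -prune \
            -o -type d ! -perm 755 -print | sed 's/^/DIR-NOT-755 /'
        # 3. storage and bootstrap/cache: web server group, with ug+rwx.
        find storage bootstrap/cache ! -group "$webgroup" -print |
            sed 's/^/WRONG-GROUP /'
        find storage bootstrap/cache ! -perm -0770 -print |
            sed 's/^/NOT-UG-RWX /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

if [ "$#" -gt 0 ]; then
    audit_perms "$@"
fi
```

    The script changes nothing on disk, so it can run after every deploy; any output line names the path to fix with the chown, chgrp or chmod commands above.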

    Conclusion

    In today's article we learned together what file/directory permissions are and how to set up the right permissions while deploying your Laravel application to a server such as Digital Ocean.


    About the Author

    Oussama
    Full Stack Web Developer

    I'm a full stack web developer and telecommunications engineer who loves to share knowledge and build stuff online!
