2 ways to set up file permissions for Laravel in production

Created: 4 days ago Category: Security Estimated time read: 4 Mins

TABLE OF CONTENTS

  • Introduction
  • Requisite
  • Linux File Permissions
    • Permission Groups
    • Permission Types
    • Viewing the Permissions
    • Using Binary References To set Permissions
  • Web server as Owner (common)
  • User as The Owner
  • Storage & Cache Directory Permissions
  • Be Careful
  • Conclusion

Introduction

File permissions are the most important thing on the web in general: they define who you are and what you can do. In other words, by giving permissions to specific files, you are telling the story of what other users can do with your files and how.

Requisite

You must know how to access your server (e.g. a Digital Ocean Droplet), and you should be familiar with some basic Unix commands, Laravel basics and, of course, the deployment steps.

Linux File Permission

If you are already familiar with file permissions and want to know how to set them up in a Laravel app, you can just skip this section.

This article is not about Linux file permissions as such. I just want to cover the basics so you know what you are pasting into your terminal. You must know how these things work rather than just copy and paste commands; you will never learn anything meaningful that way (Copy → paste).

Permission Groups

In the Linux world, everything is a file, and each file/directory has three user-based permission groups:

  • Owner: The Owner permissions apply only to the owner of the file or directory; they will not impact the actions of other users. Meaning: he stands on his own, and no one shares with him the file he owns (selfish, right?)
  • Group: The Group permissions apply only to the group that has been assigned to the file or directory; they will not affect the actions of other users. Meaning: if you are in a specific group (e.g. party), your actions can affect other groups (e.g. meeting)
  • All Users: The All Users permissions apply to all other users on the system. This is the permission group that you want to watch the most, because this is where everyone can do whatever they want.

Permission Type

As with groups, each file/directory has three basic permission types:

  • Read: The Read permission refers to a user's capability to read the contents of the file.
  • Write: The Write permission refers to a user's capability to write or modify a file or directory.
  • Execute: The Execute permission affects a user's capability to execute a file or view the contents of a directory.

Viewing the Permissions

Now that we know about permissions and groups, we need to know how to view them, right? You can check file or directory permissions by typing this in your terminal (command line):

ls -la

And on some modern Linux systems/OSX:

ll

For example, if we run ls -la app inside the Laravel project, the permissions are displayed in the terminal as:

total 28
drwxr-xr-x  7 coderflex coderflex 4096 December 22 18:07 .
drwxr-xr-x 15 coderflex coderflex 4096 January   5 12:13 ..
drwxr-xr-x  2 coderflex coderflex 4096 December 22 18:07 Console
drwxr-xr-x  2 coderflex coderflex 4096 December 22 18:07 Exceptions
drwxr-xr-x  6 coderflex coderflex 4096 January   5 11:59 Http
drwxr-xr-x  2 coderflex coderflex 4096 January   3 10:36 Models
drwxr-xr-x  2 coderflex coderflex 4096 December 22 18:07 Providers

All that matters is d_rwxr-xr-x

This output breaks down as follows:

  1. User rights/Permissions
    1. The first character, which I marked with an underscore, is the special permission flag, and it can vary.
    2. The following set of three characters (rwx in this listing) is for the Owner permissions.
    3. The second set of three characters (r-x in this listing) is for the Group permissions.
    4. The third set of three characters (r-x in this listing) is for the All Users permissions.
  2. Following that grouping, the integer/number displays the number of hard links to the file.
  3. The last piece is the Owner and Group assignment formatted as Owner:Group (e.g. coderflex coderflex)

Using Binary References To set Permissions

Now that you understand the groups and permissions and how they work, you may notice that some commands use binary references, for example: chmod 640 example1. This command also changes the file system: chmod is the command to change the access permissions of file system objects.

The binary numbers for rwx are the following:

  • r = 4
  • w = 2
  • x = 1

Examples:

If you saw:

  • r-x: The User can read + Execute
  • rwx: The User can Read + Write + Execute
  • -wx: The User can Write and Execute.
  • 640: This means
    • 6 For the Owner can Read and write (4 + 2 + 0)
    • 4 For the Group can Read (4 + 0 + 0)
    • 1 For All Users can Execute (0 + 0 + 1)

I think you now have the idea and understand the basics of file system permissions. So, let's dive into the most important things ;)

Web server as Owner (common)

If you understand the above, this becomes a piece of cake.

There are basically two ways to set up your ownership and permissions. Either you give yourself ownership or you make the web server the owner of all files.

Assuming www-data (it could be something else) is your web server user:

Let's assume your files are inside /var/www/html/website

sudo chown -R www-data:www-data /var/www/html/website
  • chown: For changing the Owner
    • -R: operate on files and directories recursively (--recursive)

If you run this command, the web server owns all the files and is also the group. You will then have some problems uploading files or working with them (e.g. over FTP), because your FTP client will be logged in as you (the Owner), not as your web server. So add your user to the web server user group to avoid any problem:

sudo usermod -a -G www-data your-username
  • usermod: modify a user account
    • -a: Add the user to the supplementary group(s). Use only with the -G option.
    • -G: A list of supplementary groups which the user is also a member of. Each group is separated from the next by a comma, with no intervening whitespace. The groups are subject to the same restrictions as the group given with the -g option.

Of course, this assumes your web server is running as www-data, and your user is your-username.

Note

The word your-username in this case is the name of your user on the server, and you can check the name by running the command:

whoami

Then, you set all the directories to 755 and your files to 644

To set the file permission

sudo find /var/www/html/website -type f -exec chmod 644 {} \;

To set the directory permission

sudo find /var/www/html/website -type d -exec chmod 755 {} \;

Here, all we do is:

  1. Find all the files (-type f) and give them 644 permissions.
  2. Find all the directories (-type d) and give them 755 permissions.

User as The Owner

This method is great: it allows you to own everything, files and directories alike.

Let's assume, as above, that your website is located in:

/var/www/html/website

sudo chown -R $USER:www-data /var/www/html/website

$USER means the current user; for example, if you are logged in as root, $USER is root.

After this command, do the following:

sudo find /var/www/html/website -type f -exec chmod 644 {} \;

To set the directory permission

sudo find /var/www/html/website -type d -exec chmod 755 {} \;

Storage & Cache Directory Permissions

Whichever way you set up your server, you need to give the web server read and write permissions for storage, cache and any other directories your web server needs to upload or write to (depending on your situation), so you can run these final commands.

Change the directory to your application:

cd /var/www/html/website

After that:

sudo chgrp -R www-data storage bootstrap/cache

and

sudo chmod -R ug+rwx storage bootstrap/cache

Be Careful

As the title says, be careful about giving 777 to folders/files. If you give any of your folders these permissions (full read, write and execute), you are allowing ANYONE, literally anyone, to read, write and execute any file in that directory.

That means you are giving anyone (hackers, any malicious person in the entire world) permission to upload ANY file, a virus or anything else, and then execute that file.
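
The checks below are an added example, not part of the original article: they audit the mode bits produced by the commands above (644/755 for code, group-writable storage and bootstrap/cache, nothing writable by All Users). The function names, finding labels and sample tree are assumptions made for the illustration, and ownership is not checked so that it runs without root or a www-data user.

```bash
# Added example, not the article's code. Only mode bits are checked, not ownership.
# audit_perms ROOT: print one finding per line, return 1 if there are any.
audit_perms() {
    local root d findings
    root=$1
    findings=$(
        # Writable by All Users (the 777 case). Only files and directories are
        # tested, because symlinks always list as rwxrwxrwx.
        find "$root" \( -type f -o -type d \) -perm -0002 \
            -exec printf 'WORLD_WRITABLE %s\n' {} \;
        # storage and bootstrap/cache need the group write bit (chmod -R ug+rwx).
        for d in storage bootstrap/cache; do
            find "$root/$d" \( -type f -o -type d \) ! -perm -0020 \
                -exec printf 'NOT_GROUP_WRITABLE %s\n' {} \;
        done
        # Everything else stays at 644/755, so no group write bit is expected.
        find "$root" \( -path "$root/storage" -o -path "$root/bootstrap/cache" \) -prune \
            -o \( -type f -o -type d \) -perm -0020 ! -perm -0002 \
            -exec printf 'GROUP_WRITABLE_CODE %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | sort
    return 1
}

# build_sample_tree: constructed Laravel-like layout (hypothetical file names),
# prepared with the same find/chmod commands the article uses.
build_sample_tree() {
    local root
    root=$(mktemp -d)/website
    mkdir -p "$root/app/Http" "$root/public/uploads" "$root/storage/logs" "$root/bootstrap/cache"
    touch "$root/app/Http/Kernel.php" "$root/public/index.php" "$root/storage/logs/laravel.log"
    find "$root" -type f -exec chmod 644 {} \;
    find "$root" -type d -exec chmod 755 {} \;
    chmod -R ug+rwx "$root/storage" "$root/bootstrap/cache"
    printf '%s\n' "$root"
}

app=$(build_sample_tree)
audit_perms "$app" && echo "clean: $app"
chmod 777 "$app/public/uploads"            # the shortcut the article warns about
chmod 644 "$app/storage/logs/laravel.log"  # web server group can no longer write this log
audit_perms "$app" || echo "fix the findings listed above"
```

On a real server, pass your application path (e.g. /var/www/html/website) to audit_perms after running the setup commands.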

Conclusion

In today's article, we learned together what file/directory permissions are and how to set up the right permissions while deploying your Laravel application to a server such as Digital Ocean.



About the Author

Author
I'm ossama and I'm a full stack web developer - telecommunications engineer - write about the tech in general
