What are the correct permisssions for private and web folder

Discussion in 'General' started by thorewi, Apr 26, 2014.

  1. thorewi

    thorewi New Member


    I wanna ask what are the correct permission for "private" and "web" folder. Mine are 710, but I have nginx log full of "permissison denied" messages:

    2014/04/26 08:26:55 [crit] 21750#0: *1036140 open() "/var/www/example.com/web/" failed (13: Permission denied), client: serverIpAddress, server: example.com, request: "GET / HTTP/1.0", host: "example.com"

    But websites are running correctly even with this error message. When I set 750, error message is gone.

    Thank you


    My only (extra) nginx directive:

    location / {
    try_files $uri /index.php?$args;
    Last edited: Apr 26, 2014
  2. Hitwalker

    Hitwalker New Member

    I did take a look at mine and i have 711...on my web folder and 755 for my site folder
    Last edited: Apr 26, 2014
  3. thorewi

    thorewi New Member

    hi, thanks for your reply.

    I think the problem is in try_files directive, because when I go to my web homepage, the url is "/" so nginx try to find a file "/" which is "web" folder, but it's not nginx readable... So only 750 helps. But ispconfig creates websites with 710 (at least my ispconfig).
    Last edited: Apr 26, 2014
  4. Hitwalker

    Hitwalker New Member

  5. thorewi

    thorewi New Member

    thanks... I think there is no problem in my nginx configuration (even in link you posted they are using the same directives as I am), it will be something about the permissions and ispconfig. I hope till can explain me more.
  6. Arien

    Arien New Member

  7. thorewi

    thorewi New Member

    Hi mate, I'm glad not to be alone with this issue.

    Maybe we should create a ticket in bugtracker. I will do it on monday or thuesday if we won't get reply from till (or anyone from staff).
  8. vm2014

    vm2014 New Member

    Here is what I used to run on /web/ folders to clean them up while migrating sites in directly. I have noticed recently (since that ALL files inside /var/www/example.com/ are root:root instead of for example web20:client9. I think something has changed...

    cd /var/www/example.com/web/
    chown -Rf web20:client9 *
    chown root:root stats
    find . -type f -exec chmod 754 {} \;
    find . -type d -exec chmod 775 {} \;
  9. vm2014

    vm2014 New Member

  10. thorewi

    thorewi New Member

    I think root:root issue is about selected value of Security level in Server Config -> Web. When you set high, the permissions are user:group, when you set middle, the permissions are root:root.
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    The security level should be set to high. the medium security level is just there for some backwarcs compatibility with very old servers. Here are the correct permissions for a website in security level high:

    [email protected]:/var/www/test.int# ls -la
    total 72
    drwxr-xr-x 18 root root    4096 Apr  4 23:31 .
    drwxr-xr-x  9 root root    4096 Apr 23 12:02 ..
    -rwxr-xr-x  1 web1 client0    0 Apr 23 12:34 .bash_history
    drwxr-xr-x  2 root root    4096 Sep 13  2012 bin
    drwxr-x--x  2 web1 client0 4096 Sep  7  2012 cgi-bin
    drwxr-xr-x  2 root root    4096 Feb 24 08:30 dev
    drwxr-xr-x  6 root root    4096 Sep 13  2012 etc
    drwxr-xr-x  5 root root    4096 Apr 23 12:34 home
    drwxr-xr-x  3 root root    4096 Sep 13  2012 lib
    lrwxrwxrwx  1 root root       4 Sep 13  2012 lib64 -> /lib
    drwxr-xr-x  3 web1 client0 4096 Apr 19 00:30 log
    drwx--x---  2 web1 client0 4096 Sep 10  2012 private
    drwx------  2 web1 client0 4096 Apr 23 12:34 .ssh
    drwxr-xr-x  2 root root    4096 Sep 16  2012 ssl
    drwx--x---  4 web1 client0 4096 Apr  4 23:31 sub
    drwxrwxrwx  2 web1 client0 4096 Feb 19 00:30 tmp
    drwxr-xr-x  6 root root    4096 Sep 13  2012 usr
    drwxr-xr-x  3 root root    4096 Sep 13  2012 var
    drwx--x--x  5 web1 client0 4096 Apr  1 16:16 web
    drwx--x---  2 web1 client0 4096 Sep 10  2012 webdav
    This website has a jailed use, so it contains a few more directories.
  12. thorewi

    thorewi New Member

    thank you till... so back to my question - is my issue related to something in my configuration? is everything working for you with your 711 permission and this nginx configuration

    location / {
    try_files $uri /index.php?$args;

    ? Working means no error message in logs when you go on homepage.

    My web permissions

    offtopic: how did you make it your web permissions are so nice formatted?
    Last edited: Apr 28, 2014
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, without error messages. Your permissions are 710, this was used by former ispconfig versions and has been changed to 711 now as 710 is causing permission problems on nfs servers.

    Update your server to the current ispconfig version, then enable under System > server config > web that permissions shall be updated on website changes and then use the resync tool to force a update on all websites.

    use CODE instead of QUOTE to format sourcecode and command output.
  14. thorewi

    thorewi New Member

    definetely I will update, but in this thread http://www.howtoforge.com/forums/showthread.php?t=65615 this guy have same problem as I have and updating didn't help him.

    I tried to set 711 but it didn't really help. what works is 750.

    I think it's logical it needs 750 because my root is in web folder, which cant be read by www-data user, but try_files is trying to read this folder when I'm on homepage and uri is /.

    But if it works for you (and for others too) there must be a hidden problem somewhere.
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    It might be that it depends on the nginx version. I checked a few additional servers and I see the issue here as well now. We will change the default permissions to 750 even if this removes the website isolation between sites of the same client.

    The website is running as user web[ID] and the web folder is owned by web[id] user and not www-data, so 711 should be fine and it works, so nginx can access it correctly and should not throw an error message.
  16. thorewi

    thorewi New Member

    hm website is running as webID, put it's php-fpm related, or not? I think nginx works with webs as www-data - am I wrong? That's why it needs 751.

    And I also noticed there is "nginx" user in my /etc/passwd, it wasn't there before, so probably in some new version of nginx it will create "nginx" user but I don't know its purpuse. Can you confirm you have also nginx user on server where this issue appears?
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    PHP is running s as webID user. If the permissions would be wrong, then nginx would not display the website as it could not access it.
  18. thorewi

    thorewi New Member

    Yes I understand this, but what I don't understand is that you wrote

    and then

    So what you want to say is that it's not a problem with permissions but a problem with nginx itself?
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    What we are talking about here is that websites are working correctly while nginx writes an error to the log file. If there would be a real problem that nginx can not access the site, then the site wont work (blank page), but indeed, the sites are working correctly, so nginx must be able to access the data to deliver it to the web client with the current permissins.
  20. thorewi

    thorewi New Member

    I don't think so.

    I'm using try_files

    try_files $uri /index.php?$args;

    so first nginx try $uri, on homepage, $uri == / == web folder (beucase $document_root == web_folder), but it's not accessible (because it's 711), so nginx will try /index.php?$args, which is already accessible (in my case 644), so everything is ok. So if I'm not wrong, the problem is just about the web folder and its permission.

Share This Page