How to Set Up File Permissions For Laravel

How to set up file permissions for Laravel?

Just to state the obvious for anyone viewing this discussion.... if you give any of your folders 777 permissions, you are allowing ANYONE to read, write and execute any file in that directory.... what this means is you have given ANYONE (any hacker or malicious person in the entire world) permission to upload ANY file, virus or any other file, and THEN execute that file...

IF YOU ARE SETTING YOUR FOLDER PERMISSIONS TO 777 YOU HAVE OPENED YOUR
SERVER TO ANYONE THAT CAN FIND THAT DIRECTORY. Clear enough??? :)

There are basically two ways to setup your ownership and permissions. Either you give yourself ownership or you make the webserver the owner of all files.

Webserver as owner (the way most people do it, and the Laravel doc's way):

assuming www-data (it could be something else) is your webserver user.

sudo chown -R www-data:www-data /path/to/your/laravel/root/directory

if you do that, the webserver owns all the files, and is also the group, and you will have some problems uploading files or working with files via FTP, because your FTP client will be logged in as you, not your webserver, so add your user to the webserver user group:

sudo usermod -a -G www-data ubuntu

Of course, this assumes your webserver is running as www-data (the Homestead default), and your user is ubuntu (it's vagrant if you are using Homestead).

Then you set all your directories to 755 and your files to 644...
SET file permissions

sudo find /path/to/your/laravel/root/directory -type f -exec chmod 644 {} \;

SET directory permissions

sudo find /path/to/your/laravel/root/directory -type d -exec chmod 755 {} \;

Your user as owner

I prefer to own all the directories and files (it makes working with everything much easier), so, go to your laravel root directory:

cd /var/www/html/laravel >> assuming this is your current root directory
sudo chown -R $USER:www-data .

Then I give both myself and the webserver permissions:

sudo find . -type f -exec chmod 664 {} \;   
sudo find . -type d -exec chmod 775 {} \;

Then give the webserver the rights to read and write to storage and cache

Whichever way you set it up, then you need to give read and write permissions to the webserver for storage, cache and any other directories the webserver needs to upload or write too (depending on your situation), so run the commands from bashy above :

sudo chgrp -R www-data storage bootstrap/cache
sudo chmod -R ug+rwx storage bootstrap/cache

Now, you're secure and your website works, AND you can work with the files fairly easily

How to setup laravel file permission once and for all

Option 1 add www-data group to my-user:

sudo adduser www-data my-user

Option 2 change user of php-fpm into my-user (ref):

find options user and group in www.conf, and change it into [my-user] group=mygroup

Set Laravel storage permission to 777?

Here is the best solution that I found.

Step 1: chown the root directory:

sudo chown -R www-data:www-data /path/to/root

Step 2: Grant FTP for uploading and working with files (for using any FTP client):

sudo usermod -a -G www-data ubuntu

Step 3: Set file permission to 644:

sudo find /path/to/root -type f -exec chmod 644 {} \;

Step 4: Set directory permission to 755:

sudo find /path/to/root -type d -exec chmod 755 {} \;

Step 5: Give rights for web server to read and write storage and cache

sudo chgrp -R www-data storage bootstrap/cache
sudo chmod -R ug+rwx storage bootstrap/cache

Source: https://vijayasankarn.wordpress.com/2017/02/04/securely-setting-file-permissions-for-laravel-framework/

Correct permission for Laravel folders on server

These permissions should be set to 770 on the storage folder.

This will allow the owner of the directory (ideally the maintenance web admin) read/write/execute. And it will allow the web group (ideally the group that the maintenance web-admin and the web server user are both in) to have read/write/execute permission. The 0 means that other users have no permissions in the directory. The directory should be owned by the maintenance web admin, with it's ownership group set to the web group.

Example

chown -R mywebadmin:www-data /var/www/html/mysite.com/
chmod -R 750 /var/www/html/mysite.com/ 
chmod -R 770 /var/www/html/mysite.com/storage

Result

  • /var/www/html/mysite.com - Owned by mywebadmin, Group is www-data

    • Owner can write/read/execute
    • Group can read/execute
    • Others can do nothing
  • /var/www/html/mysite.com/storage - Owned by mywebadmin, Group is www-data

    • Owner can write/read/execute
    • Group can write/read/execute
    • Others can do nothing

There is a useful tool for generating these permissions if you have a hard time remembering them.

Note: It is extremely dangerous to have write access for the web user in the directory. A better option would be creating a PHP script that changes it's headers for Content-Type to application/octet-stream and having the PHP script generate the file it needs interanally without writing to the file system.

Laravel proper permissions

This will work, as777 is a security risk

 sudo chmod -R o+w storage/

 sudo chmod -R 775 storage/

Related Topics

Is There a Use-Case For Singletons With Database Access in PHP

PHP "PHP://Input" VS $_Post

Send Email With PHP from HTML Form on Submit With the Same Script

And' VS '&&' as Operator

PHP MySQLi_Connect: Authentication Method Unknown to the Client [Caching_Sha2_Password]

How to Create Custom Helper Functions in Laravel

How to Read If a Checkbox Is Checked in PHP

New Self Vs. New Static

Replace Urls in Text With HTML Links

Delimiter Must Not Be Alphanumeric or Backslash and Preg_Match

Json Encode MySQL Results

Remove Empty Array Elements

Get $_Post from Multiple Checkboxes

What Is the Size Limit of a Post Request

What's Wrong With Using $_Request[]

How to Implement a Good Profanity Filter

Get Url Parameter in PHP

Getting the Location from an Ip Address


Leave a reply



Submit