I have just read this useful article on files permissions, and I am about to implement a as-strict-as-possible file permissions policy on our webserver. Our situation: we have a web server accessed through sftp by different users from within our company, and we have the general public accessing Apache - sometimes uploading files through PHP. I distinguish folders and files by their use.

So based on this reading, here is my plan:

All people who need to upload files will have separate users. But all of those users will belong to two groups: uploaders, and webserver. Apache will belong to the group webserver.

Directories

• Permission: 771
• Owner: user:uploaders
• Explanation: to access files in the folder, everybody needs to have execute permission. Only uploaders will be adding/removing files, so they also get r+w permission.

Files within the web-root

• Permission: 664
• Owner: user:uploaders
• Explanation: they will be uploaded and changed by different users, so both owner and group need to have w+r permissions. Webserver needs to only read files, so r permission only.

Upload-directories

• Permission: 771
• Owner: user:webserver
• Explanation: when files need to be uploaded, Apache needs to be able to write to this directory. But I figure it is safer to change the owner to webroot, thus giving Apache sufficient privileges (and all uploaders also belong to this group and will have the same permissions), while safeguarding from "others" writing to this folder.

Uploaded files

• Permission: 664
• Owner: user:webserver
• Explanation: after uploading Apache might need to delete files, but this is no problem because they have w+r permission of the folder. So no need to make this file any more accessible than r access for group.

Being not an expert on file permissions, my question is whether or not this is the best possible policy for our situation? Any suggestions welcome.