Linux – Set Default User / Group (Sticky Bit) in Ubuntu

The files in the site www subdirectory should be readable by the effective user-id of the running web-server. The Apache web-server often runs as user nobody, group nobody or user www-data, group www-data. So this user or group needs read permissions.

If the PHP scripts write to files, those files need to be writeable by the effective user-id of the running Apache service.

How exactly this is arranged depends on your hosting provider.

If the site is public and the scripts contain no passwords, no exploitable security loopholes (e.g. race conditions), it may be OK to give world-read permissions. I would aim to have all files owned by your personal user-id, not by a user "nobody" or "user". Only you should have write permissions on files in the www subdirectory (and it's subdirectories). Even if your site contains no personal or valuable data - you don't want it to become taken over by fraudsters or spammers.

A couple of useful resources are

• http://hostingfu.com/article/running-php-on-shared-hosting
• http://phpsec.org/projects/guide/

• User/owner: you must login as 'user' if you want files to be created as 'user'.

• Group: either make sure user's default group is 'www-data' or make sure all directories have the "setgid" (chmod g+s) flag set and the 'www-data' group.

• Permissions: 'umask 022' command (meaning defaults to 0755 for dirs and 0644 for files) should be executed on login. E.g. you may put it in ~/.bashrc.