How to set permission for website files ?

Setting appropriate permissions on files is mandatory to keep your data safe. You want to keep an eye on who can read some files or not, and even more carefully on files to execute or not.

For a website, there are no perfect solution, so make sure you understand the following advices and make your own choices.

You should set owner and group to "www" and "daemon" so httpd can read the files :

# chown -R www:daemon /var/www/htdocs/website

For a static website (no PHP), remove execution (-x) and writing (-w) permissions. You should let one change current path in these directories (+X).

# chmod -R a-xw /var/www/htdocs/website 
# chmod -R ug+X /var/www/htdocs/website

First, you remove x and w permissions to everyone, and then add to owner and group permission to chang into this directory.

For a dynamic website, you need to write in the directory and execute files in them :

# chmod -R a-xw /var/www/htdocs/website # remove all x and w permissions
# chmod -R u+xwX /var/www/htdocs/website # owner can xwX
# chmod -R g+rX /var/www/htdocs/website  # group can read

WARNING : you really should edit permissions more carefully to suit your website case.

For information, most commercial web hosters use the following permissions (not saying that's the best) :

To apply the previous permissions :

# chmod -R a-rwx /var/www/htdocs/site    # remove all perms
# chmod -R a+rX /var/www/htdocs          # everyone can read and cd in directories
# chmod -R u+w /var/www/htdocs           # only owner can write

Notice the "X" (not "x").