Making a directory writable by the webserver

I’ve used the phrase “writable by the webserver” numerous times throughout this blog, without ever bothering to explain in detail what this means. Yesterday, I received an email asking me exactly that, so I decided to finally write a post about it and use it as a reference whenever I use the aforementioned phrase. I’ll use Apache as an example webserver and a filesystem with Unix-like permissions. I’ll also try to keep the article as short as possible.

First of all, the webserver, Apache in our case, is a program running in the background. Apache is originally started by user root. We will call this initial process the “root-process“. The “root-process” launches several child processes which handle the client requests. For security reasons, the child processes are not run by user “root” but as a user with minimal privileges. Usually this user is named apache or www-data etc. To find out how this is called in your system, issue the following command:

$ ps -ef | grep httpd | grep -v grep
root      1926     1  0 Dec03 ?        00:00:55 /usr/sbin/httpd.worker
apache    2608  1926  0 14:31 ?        00:00:06 /usr/sbin/httpd.worker
apache   22192  1926  0 01:05 ?        00:00:02 /usr/sbin/httpd.worker

So, in my case the child processes are run by user “apache“. This could also be determined by the user and group directives inside Apache’s configuration file, /etc/httpd/conf/httpd.conf:

User apache 
Group apache

So, in order to make a directory writable by the webserver we have to set the directory’s owner or group to Apache’s owner or group and enable the write permission for it. Usually, we set the directory to belong to the Apache group (apache or www-data or whatever user is used to launch the child processes) and enable the write permission for the group.

chgrp apache /path/to/mydir
chmod g+w /path/to/mydir

In many cases, usually in shared hosting environments, it is not possible to change the ownership of files and directories. In those cases you could just set the write permission for everyone (others):

chmod o+w /path/to/mydir

Which method is more secure depends on how /path/to/mydir is accessed.

If it is accessed through the web server with an HTTP request it does not really matter which of the above methods has been used in order to make /path/to/mydir writable by the web server, because, in any case, the web server will be able to write to /path/to/mydir.

If the directory is accessed by other means, for instance by another local program which is run by an untrusted local user, then, obviously, the first method is more secure.

I guess this explains how to make a directory or file writable by the web server process.

Making a directory writable by the webserver by George Notaras, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright © 2008 - Some Rights Reserved

About George Notaras

George Notaras is the editor of G-Loaded Journal, a technical blog about Free and Open-Source Software. George is a GNU/Linux enthusiast, a self-taught programmer and system administrator. He strongly believes that "knowledge is power" and has created this web site to share the IT knowledge and experience he has gained over the years with other people. George primarily uses CentOS and Fedora and spends some of his spare time developing open-source software. Follow George on Twitter: @gnotaras

6 responses on “Making a directory writable by the webserver

  1. Paul Permalink →

    Nice article! I am hoping to make an online directory which interacts with user commands. I suppose php would be best for this, do you think? Writable php files. Not an expert but would I need to make php files writable?

  2. dave Permalink →

    thanks – been reading a lot of articles about write permission in cgi-bin and other directories for my perl scripts – and this is the article that solved the problem. thank you.

  3. Anupama Permalink →

    Inspite of following the steps , I get:
    the directory as not writable when i run the script from browser. Could you advise?

  4. George Notaras Post authorPermalink →

    @Anupama: Maybe the user that runs the web server is not named ‘apache’. That’s a wild guess. Please provide more details about your case.

    1. Andrew Permalink →

      That was my case.
      Thanks for this post. It took me two days before I found your solution, argh!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>