
Apache and Different PHP Invocation Modes — What File Permissions Are Needed?

Explore the file permissions needed for various PHP invocation modes on Apache, focusing on security and functionality.

Dmytro

Today we will examine several ways of invoking PHP under the popular Apache web server, and its different workers, from the perspective of the access rights that files and directories need. Note that reading (i.e., executing PHP code and delivering objects) and writing (e.g., uploading images and modifying files via a CMS) generally require different permissions. Understanding how permissions are formed (for example, read the excellent article on Wikipedia) will help clarify what file permissions like 640 (u=rw,g=r,o=) mean. The access rights below are approximate guidelines: everything will function with them, but there is room for fine-tuning if you understand permissions, processes, and masks.

Standard Option — Apache+mod_php

In this standard option, Apache runs as the user apache or a similar one (e.g., www, httpd, apache22; the username depends on the operating system used). Consequently, the module interprets PHP code with the rights of this user. To execute the code, permission to read files and to enter directories is sufficient. This can be summarized as xx4 (a+r) for files and xx5 (a+x) for directories. In simpler terms, we grant all users (field a) the right to read files (+r) and, for directories, the right to read and enter them (+x).

To enable file writing (uploading, writing to cache files, etc.), either grant the necessary file/directory permissions (xx6 for files, xx7 for directories) or change the owner of the file/directory to the user Apache runs as. The first method also lets every other local user write to those files and directories. The second method requires superuser rights; in UNIX systems, a non-root user cannot change the owner of files.

Summary — Apache+mod_php

  • A request arrives at the site of user ivan
  • The web server runs with the rights of user apache (or similar httpd, apache22, www)
  • PHP runs with the rights of user apache

Apache-itk+mod_php

In this configuration, a modified Apache is used that lets the process change the user it runs as depending on the virtual host. A request to the virtual web server of user ivan is therefore handled by a separate web server process running with user ivan’s rights. This simplifies permissions: minimal rights (444 for files, 555 for directories) are sufficient for reading. Note that not only PHP but every operation within the request runs with user ivan’s rights.

Summary — Apache-itk+mod_php

  • A request arrives at the site of user ivan
  • The web server runs with the rights of user ivan
  • PHP runs with the rights of user ivan

Apache+FastCGI

The FastCGI (or CGI) scheme is popular when decent performance and control over the resources allocated to a site or user are required. This configuration typically uses a special module for the web server, mod_fcgid. A request arrives at Apache, which runs with the rights of user www (as in the standard option). If Apache can process the request by its own internal means, it does so. If a script must be executed, the request is passed to the respective interpreter, which operates independently of the web server. In most cases (when Apache uses mod_fcgid and PHP), PHP code is executed with the rights of the virtual host owner.

Thus, images and other simple files must be readable by the web server (permissions of at least 444 on files and 555 on directories), PHP files can have permissions of 400, and for uploading or editing, user ivan must be able to modify or create files in the necessary directory.

Summary — Apache+FastCGI

  • A request arrives at the site of user ivan
  • The web server runs with the rights of user apache
  • PHP runs with the rights of user ivan

Apache-ITK+FastCGI

Unfortunately, this configuration is not viable for technical reasons. Do not use apache-itk and mod_fcgid simultaneously; the web server will not launch the PHP interpreter correctly.
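
The three working configurations summarized above can be checked mechanically. The following Python sketch is an added example, not code from the original article: it applies the UNIX first-matching-class permission rule to a constructed docroot of user ivan and reports which files the reading identity in each mode cannot reach. The uid values, paths, function names, and the world-writable check are assumptions made for illustration.

```python
R, W, X = 4, 2, 1
# Identity that reads each kind of file, taken from the article's summaries.
READER = {
    "mod_php": {"static": "server", "php": "server"},
    "itk":     {"static": "owner",  "php": "owner"},
    "fastcgi": {"static": "server", "php": "owner"},
}

def allowed(mode, f_uid, f_gid, p_uid, p_gids, want):
    """UNIX check for a non-root process: only the first matching class
    (user, then group, then other) is consulted."""
    if p_uid == f_uid:
        bits = mode >> 6
    elif f_gid in p_gids:
        bits = mode >> 3
    else:
        bits = mode
    return ((bits & 7) & want) == want

def audit(entries, invocation, server, owner):
    """entries: (path, kind, mode, uid, gid), kind in {'dir','static','php'}.
    server/owner: (uid, set of gids). Returns a list of (path, problem)."""
    ids = {"server": server, "owner": owner}
    findings = []
    for path, kind, mode, uid, gid in entries:
        if kind == "dir":
            # Every identity used in this mode must list and enter directories.
            who, want, label = set(READER[invocation].values()), R | X, "r-x"
        else:
            who, want, label = {READER[invocation][kind]}, R, "r"
        for name in sorted(who):
            p_uid, p_gids = ids[name]
            if not allowed(mode, uid, gid, p_uid, p_gids, want):
                findings.append((path, f"{name} lacks {label}"))
        if mode & W:  # added check (assumption): other-write bit is set
            findings.append((path, "world-writable"))
    return findings

# Constructed sample: site of user ivan (uid 1001), Apache as uid 48.
IVAN, APACHE = (1001, {1001}), (48, {48})
SITE = [
    ("/home/ivan/www",           "dir",    0o555, 1001, 1001),
    ("/home/ivan/www/index.php", "php",    0o400, 1001, 1001),
    ("/home/ivan/www/logo.png",  "static", 0o444, 1001, 1001),
    ("/home/ivan/www/uploads",   "dir",    0o777, 1001, 1001),
]

if __name__ == "__main__":
    for m in READER:
        print(m, audit(SITE, m, APACHE, IVAN))
```

The same docroot passes under Apache-itk and FastCGI but fails under plain mod_php, because a PHP file with mode 400 owned by ivan is unreadable to the apache user.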
