There isn’t a straightforward answer because so much depends on your hosting environment. Start with your hosting provider’s documentation and support, or with your system administrator, and with the following instructions:
How to set your permissions
In general, you want your permissions set such that your webserver can read and write (recursively) to
files_dir, and to
./public/. Optionally, for added features and reduced security, you can enable
./plugins/ and perhaps to the locale
.xml files. Your webserver should have read-only access to all other files and directories distributed in the package.
How does Linux do this?
In Linux, permissions are based both on a numeric access control mode, and on file ownership. Understanding this permissions scheme is a prerequisite.
For example, ownership of
apache:www with permissions of
rwxr-x---) means that the apache user can read, write and execute; anyone with the www group can read or execute; and the file is protected against access by anyone else. Note that “execute” means two entirely different things for directories than for files!
An Example (for dedicated hosting):
Generally, the ownership of
public, and other web-writable directories should be your web user and the web-user’s primary group, for example
apache:www-data. Permissions should probably be
The ownership of the other non-web-writable directories should be your user, with either the web user’s group, or with public execute permissions. For example:
Web-writable files would be the same, but without the execute permission:
Non-web-writable files would be perhaps:
But What About Shared Hosts?
With some shared hosts (for example, if your only access is via CPanel or a similar web-based admin tool), you may not have the ability to change the file ownership, and your webserver is effectively running as your user. In that case, you may still have the ability to protect your files by making them non-writable by your own user (even though this sounds counter-intuitive). In a shared host, you will almost certainly want to deny world permissions to your files, but look to the documentation and support for your host in particular.