Proper Permissions & User:Group settings with Apache, www-data?



I’ve been moving a number of site users and websites over to DreamCompute in directories like “/home/username” and site content in: “/home/username/”. When I created a user, it has its own group name which is the same as the username: username:username. These /home/username directories also have permission under username:username. Up until today, Apache seemed to work fine by setting these directories as the DirectoryRoot in the apache config files for each site.

PROBLEM: Today I moved a site that requires the PHP function fopen to write files, and also requires saving files. I had a ton of “permission denied” errors. I’ve been reading around on Google/StackOverflow and finding answers that don’t work, or bad answers like setting permissions to 777.

This is what I have done so far, adding each username to the www-data group:

sudo usermod -a -G www-data <username>
sudo chgrp -R www-data /home
sudo chmod -R g+w /home

This seemed to make everything work. However, I am concerned about the permissions, as the directories are now set at 775 and the files are 664. These are different than what was usually on my Dreamhost VPS (755 and 644).

What is the proper way to set these up? I’m a little noobish with permission stuff like this.

Kind regards


After studying more today, I should clarify that I am using the HTTP/2 mod for high web performance. I found that I need something like the mpm-itk mod or suexec mod (apparently incompatible with http2) in order to separate users within www-data (if one website is hacked through WordPress for example, they should be prevented from accessing another site in a different user directory within the same www-data group). Is there any solution to this?
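
An added example, not part of the original post: a shell audit of what the recursive chgrp/chmod above leaves writable by the web server group. It lists paths that are group-owned by a given group and have the group write bit set, optionally skipping one directory name that is meant to be writable; the function names and the "uploads" directory name are assumptions.

```shell
#!/bin/sh
# Added example: audit what a group (www-data in the post) can write.
# Function names and the "uploads" directory name are assumptions.

# audit_group_writable GROUP ROOT [ALLOWED_DIR_NAME]
# Prints every file and directory under ROOT that is group-owned by GROUP
# and has the group write bit set. Directories named ALLOWED_DIR_NAME
# (and everything inside them) are skipped when that argument is given.
audit_group_writable() {
    find "$2" -type d -name "${3:-}" -prune -o \
        \( -type f -o -type d \) -group "$1" -perm -020 -print | sort
}

# summarize_sites GROUP HOME_ROOT [ALLOWED_DIR_NAME]
# One line per directory directly under HOME_ROOT: its name and the number
# of group-writable paths found outside the allowed directory.
# The body runs in a subshell so its variables stay local.
summarize_sites() (
    for site in "$2"/*/; do
        [ -d "$site" ] || continue
        site=${site%/}
        n=$(audit_group_writable "$1" "$site" "${3:-}" | wc -l)
        printf '%s %d\n' "${site##*/}" "$((n))"
    done
)

# Example: sh audit.sh www-data /home uploads
if [ "$#" -ge 2 ]; then
    summarize_sites "$@"
fi
```

Right after the three commands in the post, every file and directory under /home is reported; with 755/644 permissions the count for a site is zero.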