Laravel File Permission Hardening for Multi-Developer Production Server
When multiple developers work on the same Laravel project on a production server, improper file permissions can cause several issues:
- Git permission errors
- Laravel 419 Page Expired errors
- Storage write failures
- Cache permission issues
- Security risks from overly permissive access
This guide shows a safe and production-ready Laravel permission hardening setup using a Bash script.
Project Structure
Example Laravel project path:
/var/www/html/laravel_application
Developers:
tanjin
rasel
Developer group:
webdev
Web server runtime user:
www-data
Permission Strategy
We will follow these security rules:
| Component | Owner | Permission |
|---|---|---|
| Project directory | tanjin:webdev | 2775 |
| Application files | tanjin:webdev | 664 |
| Directories | tanjin:webdev | 2775 |
| storage | www-data:webdev | 775 |
| bootstrap/cache | www-data:webdev | 775 |
| .env | tanjin:webdev | 640 |
| public | tanjin:webdev | 755 |
This setup ensures:
- Developers can modify project files
- Laravel runtime can write to storage and cache
- Sensitive environment variables remain protected
Why Use 2775 Permissions?
2775
Breakdown:
| Value | Meaning |
|---|---|
| 2 | setgid (new files inherit group) |
| 7 | owner rwx |
| 7 | group rwx |
| 5 | others r-x |
Result:
drwxrwsr-x
This ensures all new files inherit the webdev group, enabling safe multi-developer collaboration.
Laravel Permission Hardening Script
Below is the complete Bash script to configure Laravel permissions safely.
#!/bin/bash
# stop on the first failed command or unset variable
set -euo pipefail
PROJECT=/var/www/html/laravel_application
MAINUSER=tanjin
GROUP=webdev
# space-separated list of the other developers
OTHERSUSER="rasel"
# create group if not exists
sudo groupadd -f "$GROUP"
# add other developers to group (loop variable is DEV so the shell's $USER is not overwritten)
for DEV in $OTHERSUSER
do
    sudo usermod -aG "$GROUP" "$DEV"
done
# set project ownership
sudo chown -R "$MAINUSER:$GROUP" "$PROJECT"
# directory permissions (setgid so new files inherit the group)
sudo find "$PROJECT" -type d -exec chmod 2775 {} +
# file permissions
sudo find "$PROJECT" -type f -exec chmod 664 {} +
# laravel writable directories
sudo chown -R "www-data:$GROUP" "$PROJECT/storage"
sudo chown -R "www-data:$GROUP" "$PROJECT/bootstrap/cache"
sudo chmod -R 775 "$PROJECT/storage"
sudo chmod -R 775 "$PROJECT/bootstrap/cache"
# protect env file
sudo chown "$MAINUSER:$GROUP" "$PROJECT/.env"
sudo chmod 640 "$PROJECT/.env"
# secure public directory
sudo chmod -R 755 "$PROJECT/public"
echo "Laravel permission hardening completed."
How to Use the Script
Create the script file:
nano laravel_permission_fix.sh
Paste the script and save.
Make it executable:
chmod +x laravel_permission_fix.sh
Run it:
./laravel_permission_fix.sh
Important Git Rule
Never run Git commands with sudo.
Incorrect:
sudo git pull
Correct:
git pull
Running Git with sudo can cause repository ownership issues.
Laravel Writable Directories
Laravel requires write access to:
storage
bootstrap/cache
Without proper permissions, you may encounter:
- 419 Page Expired errors
- Failed cache writes
- Session storage errors
The script configures these directories for www-data runtime access.
Security Notes
- Never commit .env to Git
- Always protect .env with restricted permissions
- Use group-based developer access instead of giving full ownership
- Avoid 777 permissions on any Laravel directory
Final Recommended Structure
/var/www/html/laravel_application
│
├── app
├── bootstrap
│ └── cache (www-data:webdev)
│
├── config
├── database
├── public (755)
│
├── resources
├── routes
├── storage (www-data:webdev)
│
├── vendor
├── artisan
├── composer.json
└── .env (640)
Result
After running the script:
- Multiple developers can safely work on the project
- Laravel runtime can write to storage and cache
- Sensitive configuration files remain protected
- Git permission errors are avoided
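To confirm that a tree still matches the permission table after deployments and manual edits, the following audit is an added example, not part of the original script. The function names `audit_laravel_perms` and `audit_count` are hypothetical, and the check covers modes only, not ownership.

```shell
#!/bin/sh
# Added example: audit a Laravel tree against the modes in the permission table.
# Checks modes only (not ownership); prints one line per deviation.

audit_laravel_perms() {
    project=$1
    out=$(
        # "Avoid 777": nothing in the tree may be world-writable.
        find "$project" ! -type l -perm -0002 \
            -exec printf 'world-writable: %s\n' {} \;

        # Every directory needs setgid so new files inherit the group.
        find "$project" -type d ! -perm -2000 \
            -exec printf 'dir-without-setgid: %s\n' {} \;

        # .env is 640 in the table: no permission bits at all for "others".
        if [ -e "$project/.env" ]; then
            find "$project/.env" \( -perm -0004 -o -perm -0002 -o -perm -0001 \) \
                -exec printf 'env-exposed-to-others: %s\n' {} \;
        fi

        # Runtime directories must stay group-writable for the developers.
        for dir in storage bootstrap/cache; do
            if [ -d "$project/$dir" ]; then
                find "$project/$dir" ! -type l ! -perm -0020 \
                    -exec printf 'not-group-writable: %s\n' {} \;
            fi
        done
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Number of deviations found (0 means the tree matches the table).
audit_count() {
    audit_laravel_perms "$1" | wc -l
}

# Usage: ./audit.sh /var/www/html/laravel_application
if [ "$#" -gt 0 ]; then
    audit_laravel_perms "$1"
fi
```

The function returns a non-zero status when anything deviates, so it can gate a deploy step or run from cron.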
Conclusion
Correct Laravel file permissions are essential for both security and stability in production environments.
Using a group-based permission model with proper directory ownership ensures:
- secure collaboration
- predictable deployments
- fewer runtime errors
If you found this guide useful, feel free to adapt the script to your own Laravel infrastructure.