Permission Issues
Learning Focus
By the end of this lesson you will understand how Linux file permissions affect OpenLiteSpeed, know the correct permission model, and be able to fix ownership and mode issues confidently.
Why Permissions Matter
OpenLiteSpeed runs its main process as a specific Linux user (typically nobody or lsadm). If files are owned by a different user or have restrictive modes, the web server cannot read, write, or execute them — causing 403, 500, or empty-response errors.
Permission Model for OpenLiteSpeed
| Item | Owner | Mode | Why |
|---|---|---|---|
| Document root | nobody:nogroup | 755 | Web server needs to traverse and read |
| PHP files | nobody:nogroup | 644 | Readable by web server, not world-writable |
| Upload directories | nobody:nogroup | 755 | Web server needs write access |
| Config files | lsadm:lsadm | 600 or 640 | Sensitive; only admin processes should read |
| Certificate files | root:root | 600 | Private keys must not be world-readable |
| Log directory | nobody:nogroup | 755 | Web server needs write access |
| Socket directory | nobody:nogroup | 755 | PHP sockets need correct ownership |
Diagnostic Commands
# Check who the web server runs as
ps aux | grep lshttpd | head -5
# Check document root ownership
ls -la /var/www/example.com/
# Check specific problematic files
stat /var/www/example.com/public/index.php
# Find files NOT owned by the web server user
find /var/www/example.com/ ! -user nobody -type f | head -20
# Find directories without execute permission
find /var/www/example.com/ -type d ! -perm -o=x | head -20
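The checks above can be combined into a single read-only audit against the permission model in this lesson. This is an added example, not part of the original lesson or of OpenLiteSpeed's own tooling. The function names `audit_docroot` and `audit_key` and the finding labels are assumptions, and the world-writable and executable-file checks go beyond the commands shown above.

```shell
#!/usr/bin/env bash
# Added example (not OpenLiteSpeed tooling): read-only audit against the lesson's
# baseline of 755 directories, 644 files and 600 private keys.
# Function names and finding labels are illustrative.

# audit_docroot DIR [OWNER]: print one finding per line; return 1 if any were found.
audit_docroot() {
    local root="$1" owner="${2:-nobody}" out
    out=$(
        # Writable by other, which is what chmod 777 leaves behind. Symlinks are skipped.
        find "$root" \( -type f -o -type d \) -perm -0002 -print |
            sed 's/^/WORLD_WRITABLE /'
        # Not owned by the user the web server runs as
        find "$root" \( -type f -o -type d \) ! -user "$owner" -print |
            sed 's/^/WRONG_OWNER /'
        # Directories missing the other-execute bit, same test as the find in the lesson
        find "$root" -type d ! -perm -0001 -print |
            sed 's/^/DIR_NOT_TRAVERSABLE /'
        # Regular files with any execute bit set, which mode 644 never has
        find "$root" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print |
            sed 's/^/FILE_EXECUTABLE /'
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# audit_key FILE [OWNER]: a private key must grant nothing to group or other.
audit_key() {
    local key="$1" owner="${2:-root}" rc=0 bits
    bits=$(ls -ld -- "$key" | cut -c5-10)   # group and other permission columns
    if [ "$bits" != "------" ]; then
        echo "KEY_TOO_OPEN $key"; rc=1
    fi
    if [ -n "$(find "$key" ! -user "$owner" -print)" ]; then
        echo "KEY_WRONG_OWNER $key"; rc=1
    fi
    return "$rc"
}

# Typical use, with the paths from this lesson:
#   audit_docroot /var/www/example.com nobody
#   audit_key /etc/ssl/private/example.key root    # run as root to reach the key
```

Both functions only read metadata, so they are safe to run before and after the fixes below to confirm that nothing outside the baseline remains.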
Fixing Common Permission Problems
Fix All Files in a Document Root
# Set correct ownership
sudo chown -R nobody:nogroup /var/www/example.com/
# Set correct directory permissions (755)
sudo find /var/www/example.com/ -type d -exec chmod 755 {} \;
# Set correct file permissions (644)
sudo find /var/www/example.com/ -type f -exec chmod 644 {} \;
Fix Certificate Permissions
# Private keys should be readable only by root
sudo chmod 600 /etc/ssl/private/example.key
sudo chown root:root /etc/ssl/private/example.key
# Certificate files can be 644 (public anyway)
sudo chmod 644 /etc/ssl/certs/example.pem
Fix Log Directory
sudo chown -R nobody:nogroup /usr/local/lsws/logs/
sudo chmod 755 /usr/local/lsws/logs/
Common Mistakes
| Mistake | Why It Is Dangerous | Correct Approach |
|---|---|---|
| chmod 777 on everything | Removes all security; anyone can read/write/execute | Use 755 for dirs, 644 for files |
| Running web files as root | Security risk if application is compromised | Use nobody:nogroup or a dedicated web user |
| Forgetting /tmp/lshttpd/ | PHP sockets fail silently | Ensure correct ownership on socket directory |
| Certificate keys at 644 | Private key exposed to all users | Use 600 for private keys |
Warning: Never use chmod 777 as a troubleshooting shortcut. It solves the symptom but creates a serious security hole. Always find and fix the correct ownership instead.
Verification After Fixing
# 1) Restart OpenLiteSpeed
sudo /usr/local/lsws/bin/lswsctrl restart
# 2) Test the site
curl -I http://example.com
# 3) Check the error log for remaining issues
tail -20 /usr/local/lsws/logs/error.log
Key Takeaways
- OpenLiteSpeed needs read access to files and execute access to directories.
- Use 755 for directories and 644 for files as the standard baseline.
- Certificate private keys must be 600 and owned by root.
- Always verify with a test request and log check after fixing permissions.
What's Next
- Continue to SSL Errors to diagnose Cloudflare and certificate handshake failures.