Correct permission for Laravel folders on server

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company
# Correct Permission for Laravel Folders on Server: Avoiding the `777` Trap Deploying a Laravel application often brings developers face-to-face with frustrating, low-level system errors. One of the most common hurdles involves file system permissions—specifically when attempting to write files to directories like `storage` or `public`. You’ve likely encountered the scenario where code fails with a `Warning: mkdir() [function.mkdir]: Permission denied` error unless you resort to setting overly permissive `777` permissions, which is a massive security risk. As senior developers, our goal isn't just to fix the immediate error; it's to implement robust, secure practices. This post will walk you through the correct, developer-grade way to set folder permissions for your Laravel application, ensuring functionality without compromising security. ## Understanding the Root of the Problem The "Permission denied" error occurs because the user account running the web server (e.g., Apache or Nginx) does not have the necessary write access to the target directory. When you use `777`, you are granting *everyone* on the system read, write, and execute access, which is highly insecure and should never be the default setting for production environments. In a standard Laravel setup, the files need to be writable by the web server process so that Artisan commands, queue workers, and HTTP requests can deposit new files (like PDFs generated in the `storage/app` directory). The key is identifying *which* user needs access. ## The Secure Solution: Ownership and Permissions Instead of using blanket permissions like `777`, the best practice is to ensure that the web server process owns the directories and has sufficient write access, while keeping other users restricted. ### Step 1: Identify the Web Server User First, you need to know which user your web server runs as. This is typically `www-data` (on Debian/Ubuntu systems) or sometimes `nginx` or `apache`. ### Step 2: Set Correct Ownership You should change the ownership of the application directories to the web server user. This ensures that when Laravel tries to write a file, the process executing the request has the necessary privileges without granting system-wide access. Assuming your web server user is `www-data`, you would execute these commands via SSH on your server: ```bash # Change ownership of the project directory and storage folders to the web server user sudo chown -R www-data:www-data /path/to/your/laravel/project/storage sudo chown -R www-data:www-data /path/to/your/laravel/project/bootstrap/cache ``` ### Step 3: Set Appropriate Permissions For directories, `755` is generally the standard secure permission. This allows the owner (the web server) full control and grants read/execute access to the group and others. For specific write operations within Laravel, permissions often need to be slightly more permissive on the application folders themselves. A safe default for most application directories is often `775` or `770`, depending on your specific deployment setup. ```bash # Apply secure permissions recursively sudo find /path/to/your/laravel/project -type d -exec chmod 755 {} \; sudo find /path/to/your/laravel/project -type f -exec chmod 644 {} \; ``` By setting these explicit ownership and permission rules, you achieve the necessary write capability for your PDF generation feature while maintaining excellent security posture. This aligns perfectly with the principle of least privilege, a core concept emphasized in robust framework development like **Laravel** ([https://laravelcompany.com](https://laravelcompany.com)). ## Conclusion Never rely on blanket permissions like `777` to solve application bugs. Always diagnose the issue by identifying the specific user context and applying granular ownership and permission settings. By following these steps—setting correct ownership for the web server user (`www-data`) and using standard restrictive permissions (`755`/`644`)—you ensure your Laravel application functions correctly, securely, and reliably in any production environment.