Not enough information.

Shared server? Dedicated? VPS? What user does your webserver run as? What user owns the directory and files?

The easy fix is to make the directory world-writable. But not advisable on a shared server.

This kind of issue can often be fixed by using group permissions.

Anyway, you are going to have to be more specific to get a definate answer.

I'd suggest reading-up on 'ls' and 'chmod' first, and doing some poking around on your server getting familiar with them.

I have a virtual dedicated server, which it seems can be treated like a dedicated server in most scenarios.

As far as users go, I have a different user for each one of my domains, and I ftp all files and create directories using that user, so I assume that's the user who owns these things.

You need to know what user and group your web server runs as.

Try this from a command prompt:

ps -eo pid,tid,user,group,args ¦ grep httpd

This will give you a list that looks something like this:

[jon@colossus ~]$ ps -eo pid,tid,user,group,args ¦ grep httpd
2434 2434 root root /usr/sbin/httpd
16476 16476 apache apache /usr/sbin/httpd
16477 16477 apache apache /usr/sbin/httpd
16478 16478 apache apache /usr/sbin/httpd
16479 16479 apache apache /usr/sbin/httpd
16480 16480 apache apache /usr/sbin/httpd
16481 16481 apache apache /usr/sbin/httpd
16482 16482 apache apache /usr/sbin/httpd
16483 16483 apache apache /usr/sbin/httpd
5982 5982 jon jon grep httpd

What this shows me is that although Apache was started as root (process 2434) it's running it's actual serving processes as user 'apache' group 'apache'.

Your results may be different.

You need to arrange for permissions that will allow the web server to write to the directories you need writable.

If you have root access, then the best way to do this is to change group ownership on these directories to "apache", and give them write access to apache.

chown foo usera:apache
chmod g+w foo

If you do not have root access, your only choice is to make the directory world writable:

chmod o+w foo

I think that makes sense. I was able to look at the ownership of the folder in question and the user is 'domain' and the group is 'psacln' whatever that means.

So do you recommend that I just change the group to apache? Does that then make that folder writable by any scripts running on my server?

Really depends on the details of your server. You have to see what group your httpd is running as. Also depends on your CMS. While most CMSs today use mod_php and so would be typically be running on the same user/group as httpd, there are various schemes to run them as another user. And some CMSs run as a seperate server, with your Apache acting as a proxy. In that case, you'd be able to just run the CMS under the domain's user, which is a more secure way to go in any case.

BTW, you can use chgrp rather than chown with user:group.
So, just "chgrp foo apache".

chmod o+w is the universal fix, but it makes me cringe.

Now is httpd a directory? I see it in my /etc folder.

I've found that the httpd directory belongs to user 'root' and group 'root'. So would you then recommend that I change the group for the directory in question to 'root'?

What's actually a little confusing to me though, is that the CMS can save files to this directory, but cannot create folders.

httpd is a process - your web server. Use the 'ps' command I gave above to find out the effective user and group for your web server.

The ownership of the httpd directory won't tell you that.

If it can write files, but can't creat new ones, you need to add 'execute' permission to the directory. On a directory, 'execute' doesn't mean 'execute'. It means 'create new files'. I know, it's confusing!

What are the permissions on the directory you are having trouble with?

"ls -la foo"

You really need to read up a bit on Linux file permissions, users, groups, "ls", "chown", "chgrp", "chmod", etc.

I've read up on these, and I have a better understanding of what permissions and owners are and how to change them, I'm struggling to understand how permissions and CMSes work together.

All the public folders and files that my CMS saves to the server get saved to a folder called domain.com/files. This folder has the permission 777, and I don't believe that the CMS can currently write to it otherwise. Obviously, I want to give as little permission out as possible. I basically just need the CMS to be able to read and write to it, and the public to be able to read it.

So is my CMS able to write to it only when it's chmoded 777 because the CMS isn't the owner or of the same group as /files?

So is my CMS able to write to it only when it's chmoded 777 because the CMS isn't the owner or of the same group as /files?

Correct.

You need to know the effective user/group of the CMS. That is, what user and group are the CMS running as? This may or may not be the user/group of the CMSs executable files. This may or may not be inherited from the effect user/group of the webserver.

It depends on your particular CMS, and your particular site configuration.

All web server have to start out running as "root". This is because it's the only way they can bind to port 80, a privileged port.

But it's dangerous to have your web server running as "root"! Imagine the potential carnage if sometime goes wrong, somebody breaks-in with an exploit, etc.

So, web servers typically set-up the port, then spawn a process (or typically, several) running under a different effective user/group. Typically, this might be "apache/apache" or "nobody/nobody".

Virtual servers are sometimes set-up so that the effective user/group is switched depending on the site being served. But there are messy complications, so this isn't done thta often.

Further, there are schemes to run CGI scripts under different users/groups. This adds a bit more security, as it is possible to run EACH CGI program under it's OWN user/group, further isolating potential security problems. Again, there are complications, and this is really not often done.

Finally, not all CMSs run as CGI scripts or in-process in the web server. Some are run in a completely seperate server, on a different port, typically bound only to localhost. The web server is configured to proxy requests to the CMS server. Such CMSs do typically run under their own user/group.

If you want to tighten-up security so that you don't have to make these directories 777, then you need to find out just how your CMS is configured. i.e. what user/group does it run as?

You did mention your CMS (Drupal) so we can narrow this down. Drupal uses mod_php to run in-process in the webserver. While it's possible in mod_php to run under different users for different virtual sites, again we get back to "but there are complications", so it's unlikely that's how it's configured. So, you need to see what user/group your webserver runs as. This is easy to determine using "ps".