Added "What are the recommended file and folder permissions for Privatebin?"

FAQ.md

@@ -21,6 +21,7 @@ Please have a look at these questions *before* opening an issue in this repo.
   * [How to make PrivateBin work on my Android phone with data saver mode?](#user-content-how-to-make-privatebin-work-on-my-android-phone-with-data-saver-mode)
   * [How to make PrivateBin work when using Cloudflare for DDoS protection?](#user-content-how-to-make-privatebin-work-when-using-cloudflare-for-ddos-protection)
   * [How to make PrivateBin work when I have changed some JavaScript files?](#user-content-how-to-make-privatebin-work-when-i-have-changed-some-javascript-files)
+  * [What are the recommended file and folder permissions for Privatebin?](#what-are-the-recommended-file-and-folder-permissions-for-privatebin)
 
 ## General
 
@@ -211,4 +212,38 @@ Similarly, if you encounter problems with `email-decode.min.js` you've enabled "
 
 When changing the JS files (or adding new ones) you need to [regenerate the SRI hashes](https://github.com/PrivateBin/PrivateBin/wiki/Development#subresource-integrity-for-javascript-resources) in your template, so that they match the updated files.
 
-If you didn't change the JS files intentionally, there might be someone/something interfering with these files. Most likely this is a (reverse) proxy, such as Cloudflare, certain VPNs, data saver modes in your client, etc. Try to use it from a different internet connection and a different device to figure out what is manipulating the files and if you can disable/circumvent it.
+If you didn't change the JS files intentionally, there might be someone/something interfering with these files. Most likely this is a (reverse) proxy, such as Cloudflare, certain VPNs, data saver modes in your client, etc. Try to use it from a different internet connection and a different device to figure out what is manipulating the files and if you can disable/circumvent it.
+
+
+
+### What are the recommended file and folder permissions for Privatebin?
+
+Depending on your setup, the PHP process may run under a different user then the web server. Here are a few common setup scenarios:
+
+1. "Classic" Apache web server with mod_php - In this case PHP scripts are run as child-processes of the apache server and as the same user as the apache server. Since there is only one user in this scenario that needs access, one could go with just owner level permissions (0600 instead of 0640 for example).
+
+2. Any webserver, PHP runs as (fast)cgi or PHP-FPM (fast process manager) process - here the webserver and PHP may run in separate users. This is very common on shared hosters, where each customers PHP scripts are run in their own user, so that they can't read other customers files, etc. For this setup to work, the owner needs to be set to the same as the php process (usually not something that you can change on a share hoster) and the group needs to be set to a group the web servers user is in.
+
+The permissions need to look like this:
+
+* Directories: 0550 (read-only for owner and group, not accessible for others)
+* Data directory: 0750 (writeable for owner, read-only for group, not accessible for others)
+* Files: 0640 (writeable for owner, read-only for group, not accessible for others), created files get these permissions automatically
+
+For most setups it is also possible to use the following script. Make sure to edit the users and folders where necessary.
+
+```#!/bin/bash
+pbpath='/var/www/privatebin'
+pbdata='/var/www/privatebin/data'
+htuser='www-data'
+htgroup='www-data'
+rootuser='root'
+
+printf "chmod Files and Directories\n"
+find ${pbpath}/ -type f -print0 | xargs -0 chmod 0640
+find ${pbpath}/ -type d -print0 | xargs -0 chmod 0550
+find ${pbdata}/ -type f -print0 | xargs -0 chmod 0640
+find ${pbdata}/ -type d -print0 | xargs -0 chmod 0750
+
+printf "chown Directories\n"
+chown -R ${rootuser}:${htgroup} ${pbpath}/```