What’s the best way of handling permissions for Apache 2’s user www-data in /var/www?

Attempting to expand on @Zoredache’s answer, as I give this a go myself:

  • Create a new group (www-pub) and add the users to that group

    groupadd www-pub

    usermod -a -G www-pub usera ## must use -a to append to existing groups

    usermod -a -G www-pub userb

    groups usera ## display groups for user

  • Change the ownership of everything under /var/www to root:www-pub

    chown -R root:www-pub /var/www ## -R for recursive

  • Change the permissions of all the folders to 2775

    chmod 2775 /var/www ## 2=set group id, 7=rwx for owner (root), 7=rwx for group (www-pub), 5=rx for world (including apache www-data user)

    Set group ID (SETGID) bit (2) causes the group (www-pub) to be copied to all new files/folders created in that folder. Other options are SETUID (4) to copy the user id, and STICKY (1) which I think lets only the owner delete files.

    There’s a -R recursive option, but that won’t discriminate between files and folders, so you have to use find, like so:

    find /var/www -type d -exec chmod 2775 {} +

  • Change all the files to 0664

    find /var/www -type f -exec chmod 0664 {} +

  • Change the umask for your users to 0002

    The umask controls the default file creation permissions, 0002 means files will have 664 and directories 775. Setting this (by editing the umask line at the bottom of /etc/profile in my case) means files created by one user will be writable by other users in the www-group without needing to chmod them.

Test all this by creating a file and directory and verifying the owner, group and permissions with ls -l.

Note: You’ll need to logout/in for changes to your groups to take effect!

Related Posts:

  1. Chmod 777 to a folder and all contents [duplicate]
  2. What is difference between arm64 and armhf?
  3. Uncompress tar.gz file
  4. screen Cannot open your terminal ‘/dev/pts/0’ – please check
  5. Bash script prints “Command Not Found” on empty lines
  6. python-dev installation error: ImportError: No module named apt_pkg
  7. Anyone else experiencing high rates of Linux server crashes during a leap second day?
  8. What permissions should my website files/folders have on a Linux webserver?
  9. How can I run Debian stable but install some packages from testing?
  10. What does a + mean at the end of the permissions from ls -l?
  11. How to list Apache enabled modules?
  12. List of files installed from apt package
  13. How to install/change locale on Debian?
  14. What limits the maximum number of connections on a Linux server?
  15. How can I export the privileges from MySQL and then import to a new server?
  16. Is it possible to reboot a Linux OS without rebooting the hardware?
  17. How do I redirect subdomains to a different port on the same server?
  18. What does “debconf: delaying package configuration, since apt-utils is not installed” mean?
  19. What should I do when I got the KEYEXPIRED error message after an apt-get update?
  20. What is the debian-sys-maint MySQL user (and more)?
  21. How should an IT department choose a standard Linux distribution?
  22. How to handle relative urls correctly with a reverse proxy
  23. What’s a .sh file?
  24. How to fix ‘sudo: no tty present and no askpass program specified’ error?
  25. How do I grep recursively?
  26. What does pss mean in /proc/pid/smaps
  27. apt-get error: Sub-process /usr/bin/dpkg returned an error code (1)
  28. How do I grep recursively?
  29. how to find libstdc++.so.6: that contain GLIBCXX_3.4.19 for RHEL 6?
  30. How to extract C source code from .so file?
  31. subprocess.Popen(): OSError: [Errno 8] Exec format error in python?
  32. How to substitute shell variables in complex text files
  33. “sed” command in bash
  34. How to exclude a directory in find . command
  35. How can I find all *.js file in directory recursively in Linux?
  36. Argument list too long error for rm, cp, mv commands
  37. Difference between using “chmod a+x” and “chmod 755”
  38. ssh: Could not resolve hostname [hostname]: nodename nor servname provided, or not known
  39. WSL – GEDIT Unable to init server: Could not connect: Connection refused
  40. Python subprocess.Popen “OSError: [Errno 12] Cannot allocate memory”
  41. Install tkinter for Python
  42. How to open some ports on Ubuntu?
  43. Given two directory trees, how can I find out which files differ by content?
  44. What does it mean to mount a file system in linux?
  45. curl: (6) Could not resolve host: google.com; Name or service not known
  46. -bash: fork: Cannot allocate memory
  47. Explanation of polkitd Unregistered Authentication Agent
  48. CentOS error – sudo: effective uid is not 0, is sudo installed setuid root?
  49. Merge / convert multiple PDF files into one PDF
  50. Bash script: bad interpreter
  51. PHP and mod_fcgid: ap_pass_brigade failed in handle_request_ipc function
  52. How to grep and replace
  53. What does “&” at the end of a linux command mean?
  54. How to recursively download a folder via FTP on Linux
  55. httpd: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1 for ServerName
  56. How do I write stderr to a file while using “tee” with a pipe?
  57. How to include file in a bash shell script
  58. Does Mac OS X use Linux?
  59. bash sh – command not found 
  60. Hosting multiple WordPress sites on single server – best practices?
  61. How can I sort du -h output by size
  62. What exactly do the colors in htop status bars mean?
  63. Showing total progress in rsync: is it possible?
  64. How to bind MySQL server to more than one IP address?
  65. Permission denied (publickey). SSH from local Ubuntu to Amazon EC2 server
  66. LVM dangers and caveats
  67. How to know from which yum repository a package has been installed?
  68. SSL Certificate Location on UNIX/Linux
  69. What is “-bash: !”: event not found”
  70. tar – Remove leading directory components on extraction
  71. Keeping a linux process running after I logout
  72. Force dig to resolve without using cache
  73. How to forcibly close a socket in TIME_WAIT?
  74. How to check if an RSA public / private key pair match
  75. Colors in bash after piping through less?
  76. How can I monitor hard disk load on Linux?
  77. Why does sudo command take long to execute?
  78. “POSSIBLE BREAK-IN ATTEMPT!” in /var/log/secure — what does this mean?
  79. How to display certain lines from a text file in Linux?
  80. What’s the reverse DNS command line utility?
  81. Can you have more than one ~/.ssh/config file?
  82. How to add a security group to a running EC2 Instance?
  83. How bad is it really to install Linux on one big partition?
  84. How do I extract login history?
  85. How to force nginx to resolve DNS (of a dynamic hostname) everytime when doing proxy_pass?
  86. GPG does not have enough entropy
  87. SSH from A through B to C, using private key on B [closed]
  88. Why don’t EC2 ubuntu images have swap?
  89. SSHFS mount that survives disconnect
  90. Temporarily ignore my `~/.ssh/known_hosts` file?
  91. Does the “bs” option in “dd” really improve the speed?
  92. How to get TX/RX bytes without ifconfig?
  93. What solutions exist to allow the use of revision control for server configuration files? [closed]
  94. Curl: disable certificate verification
  95. Is there a way to do a remote “ls” much like “scp” does a remote copy?
  96. How to apply a filter to real time output of `tail -f `?
  97. Practical maximum open file descriptors (ulimit -n) for a high volume system
  98. Dump a linux process’s memory to file
  99. What is the difference between /sbin/nologin and /bin/false?
  100. Where’s the conventional place to store git repositories in a linux file system tree?

Leave a Comment