Discussion about permissions for web folders

November 29, 2014

This is a question that I have seen several discussions about, but am still not sure what the best solution is:

What is the best way to set up users and groups for web folders?

For the sake of this discussion:
* I use Ubuntu and Apache
* My web folder is /var/www/mydomain.com
* The Apache default user is www-data, in the www-data group
* My user is me, adam

Currently, I do this:

Add my user to the www-data group with:

sudo usermod -aG www-data $USER

and then I just add a symlink for www to my user's home folder with:

ln -s /var/www  ~/

Now when I sftp into my user's home folder, I can just click through to www and I have enough permissions to edit files and such. If I create new files, I have to remember to run:

sudo chown -R www-data:www-data /var/www

Doing that sets the new files to be owned by www-data. Everything works and the internet is happy.

I have been thinking of trying something a little different. What if I set www-data as the default group for adam?

sudo useradd adam -g www-data

And then set adam as the owner of /var/www and www-data as the group:

sudo chown -R adam:www-data /var/www

In theory, Apache user www-data will still be able to do its thing, but adam will be the owner, and when I log in as adam I can create new files without having to worry about updating permissions all the time.

Anyone have a better way of handling users? Thoughts on my approach?

2 comments
  • Just realized that my commands are wrong. Instead of useradd, I should be using usermod:

    sudo usermod adam -g www-data
    

    which will change adam's default group to www-data

  • I just use this:

    sudo adduser <username> www-data
    sudo chown -R www-data:www-data /var/www
    sudo chmod -R g+rwX /var/www

    and I do the same thing that you do about the symlink

    ln -s /var/www/html/ ww

4 Answers

To follow up on this old post, I would like to say that I no longer use the method I outlined above.
I found a post:
http://blog.netgusto.com/solving-web-file-permissions-problem-once-and-for-all/

that outlines a much better method, which only takes a few minutes to set up and solves many of the issues I was having.

To continue this discussion with myself...

Another question has come up: what if you want to give other people their own account on your server so they can access their web folder (if you were running multiple sites on your server)?

Here is what I have come up with so far. I would love to get some feedback from some of the pros:

SIMPLE APPROACH
For this example, let's say you want to set up an account for your friend named Mark. He has a website on your server, and you want him to be able to access his web folder so he can add/edit/delete files and folders.

Create a user for Mark, and add www-data as his default group:

      sudo adduser mark

Answer all the questions, give a password, etc. Now you have a user named mark, and there should be a new directory created in /home/mark.

Next, let's change mark's default group:

    sudo usermod mark -g www-data

So now mark is a primary member of the www-data gang. You can check that with:

     id mark

Now let's add a symlink to mark's home folder that will get him to his web folder. Let's say his web folder is /var/www/marksite.com:

     sudo ln -s /var/www/marksite.com  /home/mark/marksite.com

Now mark will have a folder (actually a symlink) in his home directory that takes him straight to his web folder. Since mark is a member of www-data, he should have full access to his files.

pros:
* simple to set up
* any files mark creates will be accessible to the web server, since they will be automatically created under the group www-data
* any files that www-data might create (like when updating WordPress automatically) will be accessible by mark

cons:
* if mark is malicious and knows what he is doing, he could possibly access other web folders on the system
* if mark is careless and gives out his password and login, other people could get in and access your web folders

Slightly more secure...

The only problem with the above setup is that if mark is tech-savvy, he also has access to all other www-data files (other people's websites on your server). Also, if mark is not careful and gives out his account info to a hacker, then that hacker could access other web files and folders, since mark is a member of www-data. We should probably limit mark to only his web files. So:

Create a user for Mark, and add www-data as his default group:

      sudo adduser mark

Answer all the questions, give a password, etc. Now you have a user named mark, and there should be a new directory created in /home/mark.

Next, let's add the www-data user to mark's group:

    sudo usermod -aG mark www-data

So now www-data is a member of mark's gang. You can check that with:

     id www-data

Now let's add a symlink to mark's home folder that will get him to his web folder. Let's say his web folder is /var/www/marksite.com:

     sudo ln -s /var/www/marksite.com  /home/mark/marksite.com

Now mark will have a folder (actually a symlink) in his home directory that takes him straight to his web folder. We need to change permissions on that folder so mark is the owner, but the www-data group still has access:

     sudo chown -R mark:mark /var/www/marksite.com
     sudo chmod -R 775 /var/www/marksite.com

Now mark can access his files, and www-data can still have access to stuff in there, since we added www-data to marks group.

pros:
* more secure, since mark is limited to that single web folder
* www-data can still access everything

cons:
* if www-data creates a file, like when updating WordPress or doing some function that generates a file, mark will not have access to that file. You might need to run:

   sudo chown -R mark:mark  /var/www/marksite.com

which will restore permissions to mark. However, I think this will be infrequent, and the pay-off in security is worth the extra effort.
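As an added example (not code from this answer), the script below puts two checks beside the per-site layout described above: one that lists which site directories under the web root are still open to "other" local users (with www-data in each site's group, a site root needs no "other" bits at all, so this example uses 2770 where the answer uses 775), and one that finds only the entries a site's user no longer controls, such as files a WordPress self-update left behind as www-data, so the fix can be targeted instead of a blanket `chown -R` over the whole tree. It runs unprivileged in a temporary directory with the caller's own user and group (id -un, id -gn) standing in for mark:mark; on the real server the chown in `reclaim_site` would need sudo.

```bash
#!/usr/bin/env bash
# Added example, not code from the answer. Per-site layout: /www/<site> owned
# by <site user>:<site group>, www-data a member of that group.
# Assumption: runs unprivileged in a temp tree; id -un / id -gn stand in for
# mark:mark, and site roots are 2770 (this example's choice, not the answer's).
set -eu

# other_bits PATH: the "other" rwx triple from ls, e.g. "r-x" for mode 775.
other_bits() { ls -ld "$1" | cut -c8-10; }

# exposed_sites WWW_ROOT: site directories directly under WWW_ROOT that grant
# anything to "other", i.e. that another site's user could read or enter.
exposed_sites() {
  local www=$1 site
  for site in "$www"/*/; do
    site=${site%/}
    [ -d "$site" ] || continue
    [ "$(other_bits "$site")" = "---" ] || printf '%s\n' "$site"
  done
}

# stale_files SITE USER GROUP: entries the site's user does not fully control:
# wrong owner, wrong group, or not group-writable. This is what a web-server
# process writing into the tree with the usual umask 022 leaves behind.
stale_files() {
  local site=$1 user=$2 group=$3
  find "$site" \( ! -user "$user" -o ! -group "$group" -o ! -perm -020 \) -print
}

# reclaim_site SITE USER GROUP: repair only the stale entries. On a real
# server the chown needs root; the chmod is the part the site user can run.
reclaim_site() {
  local site=$1 user=$2 group=$3
  find "$site" \( ! -user "$user" -o ! -group "$group" \) -exec chown "$user:$group" {} +
  find "$site" ! -perm -020 -exec chmod g+w {} +
}

# count_of CMD ARGS...: number of lines CMD prints.
count_of() { "$@" | wc -l | tr -d ' '; }

# demo: a constructed web root with two sites standing in for /var/www.
demo() {
  local www u g
  www=$(mktemp -d); u=$(id -un); g=$(id -gn)
  mkdir -p "$www/marksite.com/wp-content" "$www/othersite.com"
  chmod 2770 "$www/marksite.com" "$www/marksite.com/wp-content"  # this example
  chmod 775 "$www/othersite.com"                                 # the answer's 775
  printf 'sites readable by other local users:\n'; exposed_sites "$www"
  ( umask 022; : > "$www/marksite.com/wp-content/upgrade.log" )  # as an update would
  printf 'stale before reclaim: %s\n' "$(count_of stale_files "$www/marksite.com" "$u" "$g")"
  reclaim_site "$www/marksite.com" "$u" "$g"
  printf 'stale after reclaim: %s\n' "$(count_of stale_files "$www/marksite.com" "$u" "$g")"
  rm -rf "$www"
}
demo
```

Running `stale_files` from cron, or before each login session, turns the answer's "you might need to run chown -R" into a check that says exactly which files changed hands and why.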

Very helpful! The link posted was the best solution for me!
