Question

Discussion about permissions for web folders

  • Posted November 29, 2014

This is a question that I have seen several discussions about, but am still not sure what the best solution is:

What is the best way to set up users and groups for web folders?

For the sake of this discussion:

  • I use Ubuntu and Apache
  • My web-folder is /var/www/mydomain.com
  • Apache default user is www-data and www-data group
  • my user is me, adam

Currently, I do this:

add my user to www-data group with:

sudo usermod -aG www-data $USER

and then I just add a symlink for www to my user's home folder with:

ln -s /var/www  ~/

Now when I sftp into my user's home-folder, I can just click through to www and I have enough permissions to edit files and such. If I create new files, I have to remember to run:

sudo chown -R www-data:www-data /var/www

Doing that sets the new files to be owned by www-data. Everything works and the internet is happy.

I have been thinking of trying something a little different. What if I set www-data as the default group for adam?

sudo useradd adam -g www-data

And then set adam as the owner of /var/www and www-data as the group

sudo chown -R adam:www-data /var/www

In theory, Apache user www-data will still be able to do its thing, but adam will be the owner, and when I log in as adam I can create new files without having to worry about updating permissions all the time.

Anyone have a better way of handling users? Thoughts on my approach?


I just use this:

sudo adduser <username> www-data
sudo chown -R www-data:www-data /var/www
sudo chmod -R g+rwX /var/www

and I do the same thing as you with the symlink

ln -s /var/www/html/ ww

Just realized that my commands are wrong. Instead of useradd, I should be using usermod:

sudo usermod adam -g www-data

which will change adam’s default group to www-data



Thanks for sharing!

To follow up on this old post, I would like to say that I no longer use the above method that I outlined. I found a post: http://blog.netgusto.com/solving-web-file-permissions-problem-once-and-for-all/

that outlines a much better method, that only takes a few minutes to set up and solves many of the issues I was having.

For nginx, www-data is the user for the nginx worker process. So great, let’s create a group with access, and put www-data in the group.

sudo groupadd webaccess
sudo usermod -a -G webaccess www-data
sudo chown -R adam:webaccess /var/www/mycontent
sudo chmod -R 750 /var/www/mycontent #intent: only adam and nginx can access

In theory, adam should have access since he is the owner. nginx should have access since www-data is in a group with r-x access. But no! I have to set permissions for other to r-x: sudo chmod -R 755 /var/www/mycontent for web pages in /var/www/mycontent to be served by nginx.

I don’t get it!

very helpful! link posted was the best solution for me!

To continue this discussion with myself…

Another question has come up: What if you want to give other people their own account on your server so they could access their web-folder (if you were running multiple sites on your server)?

Here is what I have come up with so far. I would love to get some feedback from some of the pros:

SIMPLE APPROACH

For this example, let's say you want to set up an account for your friend named Mark. He has a website on your server, and you want him to be able to access his web-folder so he can add/edit/delete files and folders.

Create a user for Mark, and add www-data as his default group:

      sudo adduser mark

Answer all the questions, give a password, etc. Now you have a user named Mark, and there should be a new directory created in /home/mark

Next, let's change mark's default group:

    sudo usermod mark -g www-data

So now mark is a primary member of the www-data gang. You can check that with:

     id mark

Now let's add a symlink to mark's home folder that will get him to his web-folder. Let's say his web-folder is: /var/www/marksite.com

     sudo ln -s /var/www/marksite.com  /home/mark/marksite.com

Now mark will have a folder (actually a symlink) in his home directory that will take him straight to his web-folder. Since mark is a member of www-data, he should have full access to his files.

pros:

  • simple to set up
  • any files mark creates will be accessible to the web-server, since they will be automatically created under the group www-data
  • any files that www-data might create (like when updating Wordpress automatically) will be accessible by mark

cons:

  • if mark is malicious and knows what he is doing, he could possibly access other web-folders on the system
  • if mark is careless and gives out his password and login, other people could get in and access your web-folders

Slightly more secure…

The only problem with the above setup is that if mark is tech-savvy, he also has access to all other www-data files (other people's websites on your server). Also, if mark is not careful and gives out his account info to a hacker, then that hacker could access other web files and folders, since mark is a member of www-data. We should probably limit mark to only his web-files. So:

Create a user for Mark, and add www-data as his default group:

      sudo adduser mark

Answer all the questions, give a password, etc. Now you have a user named Mark, and there should be a new directory created in /home/mark

Next, let's add www-data user to mark's group:

    sudo usermod -aG mark www-data

So now www-data is a member of mark's gang. You can check that with:

     id www-data

Now let's add a symlink to mark's home folder that will get him to his web-folder. Let's say his web-folder is: /var/www/marksite.com

     sudo ln -s /var/www/marksite.com  /home/mark/marksite.com

Now mark will have a folder (actually a symlink) in his home directory that will take him straight to his web-folder. We need to change permissions on that folder so mark is the owner, but www-data group still has access:

     sudo chown -R mark:mark /var/www/marksite.com
     sudo chmod -R 775 /var/www/marksite.com

Now mark can access his files, and www-data can still have access to stuff in there, since we added www-data to mark's group.

pros:

  • more secure since mark is limited to that single web-folder
  • www-data can still access everything

cons:

  • if www-data creates a file, like when updating Wordpress, or doing some function that generates a file, mark will not have access to that file. You might need to run:

   sudo chown -R mark:mark  /var/www/marksite.com

which will restore permissions to mark. However, I think this will be infrequent, and the pay-off in security is worth the extra effort.
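
An added example, not part of the original thread: a mode-bit walk that reports the first path entry denying a given user, usable on both setups discussed above (the 750 adam:webaccess directory from the nginx comment and the per-user mark layout). The function names are made up for this example; it assumes GNU stat and does not model POSIX ACLs or root's bypass.

```shell
#!/bin/sh
# Added example: mode-bit walk showing where a user is denied on a web path.
# Assumes GNU stat (Ubuntu). POSIX ACLs and root's bypass are not modelled.

# perm_class UID "GIDS" FILE -> owner | group | other (the one class that applies)
perm_class() {
    pc_uid=$1; pc_gids=$2
    set -- $(stat -L -c '%u %g' "$3")
    [ "$pc_uid" = "$1" ] && { echo owner; return; }
    for pc_g in $pc_gids; do
        [ "$pc_g" = "$2" ] && { echo group; return; }
    done
    echo other
}

# granted UID "GIDS" FILE NEED -> 0 if that class has every NEED bit (4=r 2=w 1=x)
granted() {
    g_mode=$(( 0$(stat -L -c '%a' "$3") ))   # leading 0 makes the shell read octal
    case $(perm_class "$1" "$2" "$3") in
        owner) g_bits=$(( (g_mode >> 6) & 7 )) ;;
        group) g_bits=$(( (g_mode >> 3) & 7 )) ;;
        *)     g_bits=$(( g_mode & 7 )) ;;
    esac
    [ $(( g_bits & $4 )) -eq "$4" ]
}

# walk_path UID "GIDS" ABSOLUTE_PATH -> prints the first entry that denies access
# and returns 1; returns 0 if every directory grants x and the target grants r.
walk_path() {
    wp_uid=$1; wp_gids=$2; wp_target=$3; wp_cur=
    granted "$wp_uid" "$wp_gids" / 1 || { echo "/: no x"; return 1; }
    wp_ifs=$IFS; IFS=/; set -f
    set -- $wp_target                        # split the path on "/"
    set +f; IFS=$wp_ifs
    for wp_part in "$@"; do
        [ -n "$wp_part" ] || continue
        wp_cur="$wp_cur/$wp_part"
        if [ -d "$wp_cur" ] && ! granted "$wp_uid" "$wp_gids" "$wp_cur" 1; then
            echo "$wp_cur: no x for $(perm_class "$wp_uid" "$wp_gids" "$wp_cur")"
            return 1
        fi
    done
    granted "$wp_uid" "$wp_gids" "$wp_target" 4 && return 0
    echo "$wp_target: no r for $(perm_class "$wp_uid" "$wp_gids" "$wp_target")"
    return 1
}

# explain_access USER PATH, e.g. explain_access www-data /var/www/marksite.com
explain_access() {
    walk_path "$(id -u "$1")" "$(id -G "$1")" "$2"
}
```

The group list used here comes from id, whereas a process started before a usermod call keeps its old group list until it is restarted. The Groups: line in /proc/<pid>/status shows what a running process actually has.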