Linux – How to give files and directories created by FTP the correct permissions for Apache to read and write them

apache-http-serverdebianftplinux

I'm more a Windows person, so please excuse my ignorance with this basic Linux question.

I am looking after a Linux (Debian) server which only has Apache2 and vsftp installed on it.

What is happening is that I am having a constant battle with who owns files and folders and can't seem to get it right.

This is my understanding so far:

  • www-data user needs ownership of folders and files as all of the files under /var/www/html run scripts which require them to write to their folder. And of course it needs to be able to serve the pages via http.
  • My ftp user (lets call it ftpuser) also requires permission to write to the /var/www/html folder (recursive) as I need to be able to upload new files.

With this in mind I have created a group called ftpandwww and have chowned all the folders and files to this group. This has worked to a degree…

I'm nearly in the right place, except for the fact that any new folders created using my FTP client have the wrong permissions (which I can correct by changing them under FTP client), but then www-data can't write to them because they are owned by ftpuser and I end up having to SSH in and running a chown to ftpandwww group so that they are both happy.

How do I make all the new folders that I create under FTP have the correct permissions (774) and be automatically owned by ftpandwww group to that I can upload and serve via web (with write permissions) without having to go in and chown all the new folders and files each time?

Best Answer

Use SetGID permissions on the web root directory, and propagate them to the children.

When you apply SetGID on a directory, all new items in that directory will be created with the same group their parent has, regardless of the user's default group membership.

To apply SetGID to a filesystem object, use chmod with a 2 in front of the permission code.
(eg: 740 => 2740).

I use SetGID on many of my Samba shares, so that files always have the ownergroup Users and any member of the group can read the files (I usually use 2750 so that only the owner user can write to the file).

In your case, run something like this (replace XXX with your desired permissions):

sudo chown -R  root:ftpandwww /var/www
sudo chmod -R 2XXX /var/www

Then new files and folders will come out with ownership like ftpuser:ftpandwww.

Edit:

Depending on your usecase, SetGID is likely enough to solve your issue, but if you have continuing issues where one or the other user is denied write, due to an incorrect group permission (but ownership is right), then your best bet is to set a custom UMASK for the user that creates the files.

If you have difficulty setting the UMASK for the user (because it is a daemon), check this thread on options for setting a daemon-user's UMASK.

I would recommend the mask 007 if you want group members to be able to write and delete files, and no privileges to non-owners.

Related Question