Ubuntu – Apache permissions to allow both user and web server to edit /var/www

Tags: apache2, permissions, root

For security reasons I would like to disable root access via ssh.

I created a new user (user1) with administrative permissions.

adduser user1
usermod -aG sudo user1

and assigned the /www directory to this user.

sudo chown -R $USER:$USER /var/www/
sudo chmod -R 755 /var/www

(My folder structure is www/site1.com, www/site2.com, etc.)

My sites need to write some files (such as sitemaps, rss feeds, etc.) so I set the permissions of the www directory to:

sudo chown -R www-data:www-data /var/www
sudo chmod -R 755 /var/www

Now, however, user user1 works perfectly via shell with the sudo command, but can no longer add/edit/delete files and folders in the /www directory and its subdirectories via sftp.

I read many guides on how to set up Apache permissions to increase security, to share administration with other users, etc.

But I still did not understand how to solve my problem.

Currently, to be able to handle files on my server via sftp, I have to use the root user, with peace of mind for security.

Did I miss something about setting user or folders permissions?

Best Answer

It's possible to set different group and user access for files and directories, and this will allow both Apache and your user1 user to edit what's in /var/www without requiring root/sudo and without making anything world-writable.

So, set the "user" permission inside /var/www to user1. Set the "group" permission to www-data (but ONLY for the specific files or directories that the web server needs to write to).

sudo chown -R user1:user1 /var/www
sudo chgrp www-data /var/www/specific-file

You should avoid letting the web server write to the entire /var/www directory and its contents, instead giving the above group permission only to the specific files where this is necessary. It is a good security principle to limit the web server's access to write to files to only those files that it is strictly necessary for - and it is a good idea to try and ensure those files are not executed directly (aren't .php or other executable scripts, for example).
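An audit script for the layout the answer describes, added here as an example (it is not part of the original answer): it flags anything under the web root that is world-writable, anything not owned by the admin user (so it could not be managed over sftp without root), and any file the web server's group may write that is also a script. The user and group names are arguments; `user1` and `www-data` are the ones from this thread.

```shell
#!/bin/sh
# Added audit script (not from the original post). Checks a web root laid out the way the
# answer describes: everything owned by the admin user, only chosen paths group-writable by
# the web server's group, nothing world-writable, and no web-writable scripts.
# Usage: audit_webroot /var/www user1 www-data   (returns 0 when clean, 1 otherwise)

audit_webroot() {
    root=$1; owner=$2; webgroup=$3
    findings=0

    # Run one find(1) query, print each hit with a label and add the hit count to findings.
    check() {
        label=$1; shift
        hits=$(find "$root" "$@" -print | wc -l | tr -d ' ')
        if [ "$hits" -gt 0 ]; then
            find "$root" "$@" -print | sed "s|^|$label: |"
        fi
        findings=$((findings + hits))
    }

    # 1. World-writable files or directories: any local account can alter the site.
    check WORLD-WRITABLE ! -type l -perm -o+w
    # 2. Paths not owned by the admin user cannot be managed over sftp without root.
    check "NOT-OWNED-BY-$owner" ! -type l ! -user "$owner"
    # 3. Files the web server's group may write that are also scripts (the answer's caveat):
    #    a compromised site could rewrite code that the server then executes.
    check WEB-WRITABLE-SCRIPT -type f -group "$webgroup" -perm -g+w \
        \( -name '*.php' -o -name '*.cgi' -o -perm -u+x \)

    echo "$findings finding(s) under $root"
    [ "$findings" -eq 0 ]
}
```

Run it after applying the chown/chgrp commands above; a clean tree prints "0 finding(s)" and exits 0, which makes it usable from cron or a deploy hook.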
