Ubuntu – Best way to configure apache2 access rights

I'd recommend setting it to be owned by james:james.

Alternatively, you could leave it as root:root and requite sudo for anybody deploying files in there, but if you are directly working in the /var/www directory (rather than working somewhere else and pushing the files there) that may not be convenient, and it won't work with FTP either.

You can set the owner of /var/www to whatever you like, as long as the www-data user has read access. You can achieve this by setting permissions to allow world read access (as is default).

By default, it is owned by root:root (not www-data as you state in the question).

• For security, it is not a good idea to set it to be owned by www-data. www-data is intended to be an unprivileged account which cannot write to any files, and can only read them.

  Yes, occasionally you may need to give www-data the permission to write to a given file, but for security this should be strictly limited to those particular files, and precautions should be taken such as making sure no such files are executable as scripts by the web server (ie they are not in a location where they may be interpreted as PHP or CGI files), etc.

• For security, it is an even worse idea to set the file permissions to world-writable (eg, 777). Unprivileged users such as www-data should not be able to write to files in this directory. The only people who need write access will be the people who are actually writing files in there.

• The /var/www directory is intended to be yours to do with what you like. It makes sense to set ownership to whichever account will be editing the files. You can create a group for this purpose if you have multiple people, but in this case it's just you.

  Note: if creating a group, create a new group. Do not re-use the www-data group as that is intended to be an unprivileged group without write access to any files (as I explain above).

Too often I see people recommending adopting very bad security practices such as setting /var/www to be owned by www-data, or adding people to the www-data group in order to give that group editing privileges, or setting /var/www to be world-writable (eg 777). By doing any of this you are potentially opening yourself up to significant security problems.

This guy Tom deserves a medal for this post on ServerFault

Setting group ID the way he explains made it work!

Attempting to expand on @Zoredache's answer, as I give this a go myself:

• Create a new group (www-pub) and add the users to that group

  groupadd www-pub 
  usermod -a -G www-pub usera    # must use -a to append to existing groups
  usermod -a -G www-pub userb
  groups usera    ## display groups for user
  

• Change the ownership of everything under /var/www to root:www-pub

  chown -R root:www-pub /var/www    # -R for recursive
  

• Change the permissions of all the folders to 2775

   chmod 2775 /var/www 
  

  2=set group id, 7=rwx for owner (root), 7=rwx for group (www-pub), 5=rx for world (including apache www-data user)

  Set group ID (SETGID) bit (2) causes the group (www-pub) to be copied to all new files/folders created in that folder. Other options are SETUID (4) to copy the user id, and STICKY (1) which I think lets only the owner delete files.

  There's a -R recursive option, but that won't discriminate between files and folders, so you have to use find, like so:

  find /var/www -type d -exec chmod 2775 {} +
  

• Change all the files to 0664

  find /var/www -type f -exec chmod 0664 {} +
  

• Change the umask for your users to 0002

  The umask controls the default file creation permissions, 0002 means files will have 664 and directories 775. Setting this (by editing the umask line at the bottom of /etc/profile in my case) means files created by one user will be writable by other users in the www-group without needing to chmod them.

Test all this by creating a file and directory and verifying the owner, group and permissions with ls -l.

Note: You'll need to logout/in for changes to your groups to take effect!