Did you check that he has execute permission to the parent directories ? Otherwise it won't work.
More precisely, along the path a user takes to reference a filesystem object, all directories in-between must have execute permission set for him. In practice, it will often be better to give the read permission as well, since giving only the execute permission would work only if the accessing user progresses to the desired directory without being able to look into those intermediate directories, which is not how things go when using a file manager or shell completion (tab), for example.
If you don't mind everybody else having read+exec access to the parent directories, you may be happy with a chmod o+rx
on those directories, or you will have to chgrp
those directories as well and chmod g+rx
.
Or... OR... you can use... POSIX ACLs !
You can use the setfacl
and getfacl
commands, or use Eiciel (apt install eiciel
), the gnome file ACL editor, to set those ACLs. Among other things, POSIX ACLs enable granting/revoking rights to specific users and groups, not having to stick to the traditional UNIX "ugo" permission model. More in the NTFS way, if you don't find the comparison too obscene.
man acl
may help you, but man setfacl
seems more interesting, as it covers Linux-specific parts such as so-called default ACLs, that are inherited by filesystem objects created in a directory.
So for example, if you want to give user bob the "rwx" permissions on directory "work", with default (inherited) "r" permissions, type :
setfacl -m u:bob:rwx,d:u:bob:r work
You still have to give bob the read+execute permission on whatever directories he may have to cross to reach "work" though (if he doesn't have those rights already) :
setfacl -m u:bob:rx intermediate_directory
As a side note, POSIX ACLs are not new. I remember using them on a Digital Unix system more than twenty years ago. However, the system forgot resetting those ACLs on TTY allocation/deallocation, only the traditional rights, which enabled a few exploits in those old times when device files were statically created...
EDIT : Instead of having to give +rx rights on intermediate directories, you can remount the target directory somewhere else on the filesystem. Let's suppose you have a directory "work", whose absolute path is /x/y/z/work, and you don't want to modify the rights on x, y or z. You can create a /shared/work directory, and remount /x/y/z/work there, using :
mkdir -p /shared/work
mount --bind /x/y/z/work /shared/work
That wouldn't survive across reboots though, so in case you want it to persist, append the following line to /etc/fstab :
/x/y/z/work /shared/work none bind
Doing that will make the work directory contents reachable through /x/y/z/work and /shared/work as well.
But of course, if you don't mind moving /x/y/z/work to some other place :
mkdir /shared
mv /x/y/z/work /shared
is the simplest and best way.
Best Answer
Your process has its group list set at login time, so you would need to log in again for the change to take effect.
I would also suggest that you add
www-data
as a supplementary group rather than the primary one (which is set to a group only you are a member of. You should be able to do this with the following commands:If you want files you create to be readable by other members of the
www-data
group, adjust your umask accordingly:Since your primary group membership is a personal group, this shouldn't affect the security of files you create.
It is also worth setting the
setgid
bit on directories you'll be creating files in: this will cause files to inherit the group ownership of the parent directory: