Ubuntu.com has pretty good server guides, such as the Apache guide. Where did you get the procedures you so carefully wrote down? I've never had to go to that much trouble for any of the servers I've set up, although I'm open to the possibility that I haven't been doing it right - also, I haven't actually installed servers for anything that is very public, or very large, so there could be security holes that I don't know about.
However, I've never needed to be a member of the www-data group, and no source files in www are owned by www-data. My understanding is that this is used by Apache only for its own files, and it will not have write permissions to any of the other files itself, because in theory, no important files will allow www-data to have write permission. I'd guess that files owned by www-data would give read-only permission to everyone else, and nobody should have write permission to its files. I could be totally wrong, of course, and if I am, I hope someone will tell me and point me to actual documentation that explains differently (not to some forum where a random internet user like me has produced instructions that worked for him).
Perhaps I'm missing something, but your problem should be fairly straightforward. The user that is logged in using sftp needs to be a member of the group www-data, and the files you are trying to modify must have write permissions for the group www-data. It doesn't make sense to me that you can modify the files using ssh, but not using sftp; are you sure you are logging in to the same account for both? In sftp, you can enter commands such as !groups to list your groups, or !whoami to check what login name you are using. The results should match what you see using ssh (with the same commands minus the exclamation point).
You also should be able to use chmod, chown, chgrp from sftp if you have permission to do so.
By the way, I think your list has at least one pretty bad command:
sudo chmod -R g+rw /var/www
This gives the world write permission to every file and folder in /var/www. This sounds like a bad idea. Normally, only root has write permission to these directories, unless specific ones need more permission, usually only single directories.
Note: This was an error on my part. Thanks to DonalLafferty for pointing this out, that it specifies "g", not "a", so it only changes group permissions. My tired old eyes (or a bad font) must have read it as "a".
Edits for clarification
Normally, files created by Apache are read-only for both the www-data group and all other users, same as the root-owned files in /var/www. So, there should be no reason to make anyone a member of www-data. The issue is giving everyone write access, which is a different case. This should be done by making specific directories available within your site, and this is done simply by using chmod, either with sudo, since it is probably owned by root, or by making the owner yourself and not using sudo.
If you have more devs that need access to the entire site, that is when you want to make a user+group such as "webmasters", make it the owner of the site, give write permissions to that group, and make all devs members of that group. So the listing for the site directories would be something like:
drwxrwxr-x ## webmasters webmasters #### ####-##-## ##:## mysite.com
More Edits
I've since realized that you don't really need to create a user "webmasters", just a group. Then the files can be owned by root:webmasters, ie root is the owner, but webmasters is the group.
In answer to questions below, the files that Apache writes will be owned by www-data, and group www-data. These files are not normally something you write to, so non-members of www-data may have read-only access - I think it depends on the directory permissions. If you do need more than occasional write access, then adding yourself to the group might be useful. Usually you make specific directories world writable for content saved by Apache. Consider also that most shared web hosting running Apache without shell access would not even have a way to set up groups.
But, Apache can read files even owned by root. Almost all files have world-readable access, just not writable. So, unless you want to change this, Apache doesn't need to be in the webmasters group.
This is all basic Linux setup, not really Apache. Apache only cares about access from within the web server, and that's set by the config files. For this reason, the Ubuntu documentation link I included in my post should be considered a better source than a public wiki.
By the way, the O'Reilly Apache Cookbook says "Document directories, such as htdocs, cgi-bin, and icons, will have to have permissions set in a way that makes the most sense for the development model of your particular web site, but under no circumstances should any of these directories or files contained in them be writable by the web server user."
Finally, using ACLs is a good way to set file permissions if you need more control. It may even be a good way to set them all the time, and is something I should investigate.
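The layout described in this answer (a read-only site with a single deliberately writable directory, and a check for anything else that ended up writable), as an added example that is not code from the answer or from Ubuntu's documentation. It builds a throwaway site tree under a temp path so it runs without root; the webmasters group and the directory names are placeholders, and chown/chgrp are left out because they need root or group membership.

```shell
#!/bin/sh
# Added example, not from the original answer: root-owned style site layout
# with one writable directory, plus an audit of group/world-writable entries.
# 'webmasters', htdocs, cgi-bin and uploads are placeholder names.

set -u

# Build a constructed sample site tree in a temp directory.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/htdocs/css" "$site/cgi-bin" "$site/uploads"
    : > "$site/htdocs/index.html"
    : > "$site/htdocs/css/style.css"
    : > "$site/cgi-bin/hello.cgi"
    chmod 755 "$site/cgi-bin/hello.cgi"   # a CGI script that must stay executable
    echo "$site"
}

# Baseline: owner read/write, group and others read-only. Capital X grants
# execute (search) only to directories and to files that already had an
# execute bit, so hello.cgi stays runnable and index.html does not become
# executable, which a recursive 'g+rwx' would have caused.
lock_down_site() {
    chmod -R u=rwX,g=rX,o=rX "$1"
}

# The single exception: one directory that the group may write to.
open_writable_dir() {
    chmod g+w "$1"
}

# Audit helpers: count entries under $1 carrying the group / world write bit.
count_group_writable() {
    find "$1" -perm -0020 | wc -l | tr -d ' '
}
count_world_writable() {
    find "$1" -perm -0002 | wc -l | tr -d ' '
}

demo() {
    site=$(make_sample_site)
    lock_down_site "$site"
    open_writable_dir "$site/uploads"
    echo "group-writable entries: $(count_group_writable "$site")"
    echo "world-writable entries: $(count_world_writable "$site")"
    find "$site" -perm -0020
    rm -rf "$site"
}

demo
```

Running the audit functions against a real document root (for example `count_world_writable /var/www`) is the quick check for the "chmod -R g+rw" style mistake discussed above: on a correctly set up site the world-writable count is zero and the group-writable list names only the directories you intended.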
Ok, for point 1, the solution is quite easy:
chgrp developers /opt/dev
For points 2 and 3, I suppose you'll need ACL. So, the first thing to do is to edit /etc/fstab to give the option acl to the mountpoint of /opt/dev. If /opt/dev is not on a separate partition you'll need to enable ACL for the whole root filesystem.
Then you'll have to follow this answer.
chmod g+s /opt/dev
should be equivalent to chgrp developers /opt/dev (and doesn't set the sticky bit, s sets the suid bit).
Then proceed with setfacl:
setfacl -d -m g::rwx /opt/dev   # set default group permissions to rwx
setfacl -d -m o::rx /opt/dev    # set default other permissions to rx
to set advanced permission criteria for files and directories. To be honest, I couldn't find a way to set separate file and directory permissions, but I'm pretty sure it's doable. You can try this tutorial to have more information about the topic.
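A worked version of the shared developers directory from this answer, added here as an example and not taken from the answer or the linked tutorial. It applies different modes to directories and files in one pass (the part the answer says it could not find), sets the setgid bit so new entries inherit the directory's group, and only attempts the default ACLs where setfacl exists. It runs under a temp path without root; "developers" and /opt/dev are the answer's placeholders and chgrp is skipped because it requires membership in that group.

```shell
#!/bin/sh
# Added example, not code from the original answer: a shared /opt/dev-style
# tree built in a temp directory. Group ownership (chgrp developers) is not
# applied because it needs membership in that group.

set -u

# Constructed sample tree with a file and a subdirectory.
make_shared_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src"
    : > "$dir/README"
    : > "$dir/src/main.c"
    echo "$dir"
}

# Different modes for directories and files, which a single 'chmod -R'
# cannot express: directories become rwxrwsr-x (2775, setgid so files
# created inside inherit the directory's group), files become rw-rw-r-- (664).
normalize_shared_perms() {
    find "$1" -type d -exec chmod 2775 {} +
    find "$1" -type f -exec chmod 664 {} +
}

# True (exit 0) when the setgid bit is set: 's' or 'S' in the group-execute
# column of 'ls -ld'.
has_setgid() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ??????[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# The answer's default ACLs, so files created later also get group rwx and
# other r-x regardless of the creator's umask. Attempted only where setfacl
# exists and the filesystem was mounted with ACL support; prints "acl" or
# "no-acl" so the caller can tell which case applied.
apply_default_acl() {
    if command -v setfacl >/dev/null 2>&1 &&
       setfacl -d -m g::rwx "$1" 2>/dev/null &&
       setfacl -d -m o::rx "$1" 2>/dev/null; then
        echo acl
    else
        echo no-acl
    fi
}

demo() {
    dir=$(make_shared_tree)
    normalize_shared_perms "$dir"
    ls -lR "$dir"
    echo "default ACL applied: $(apply_default_acl "$dir")"
    rm -rf "$dir"
}

demo
```

Note that the setgid bit and the default ACL solve different halves of the problem: setgid fixes the group of new files, the default ACL fixes their mode. Without the ACL a developer with umask 022 still creates 644 files that the rest of the group cannot edit, so check the "acl"/"no-acl" result rather than assuming the fstab change took effect.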
Best Answer
As noted in the manpage for chmod with relation to permissions: The executable bit on a folder is explained above as a 'search' permission; i.e. the execute bit merely allows you to access the folder in a file browser or to move to the folder from the terminal by running the cd command or running ls ~/folder to list the files in the folder. The folder must be executable for the owner, although the superuser would still be able to access the folder, as when using sudo any file or directory can be accessed or deleted. In addition, directory and file permissions are explained further in this useful article at Stackoverflow. It is also important to note that 'executing' the folder doesn't mean you are actually running any code or commands like when an executable binary or script is run.
For a home Desktop user (though perhaps not for your server) most folders within $HOME have the execute permission set for user, group, and other if viewed with stat ~/myfolder (excerpt below): The standard permissions for folders within $HOME are 755 or 775 and for files they are 644. However, the rest of the filesystem will differ. Again, folders must have the execute bit for the owner or they will not be able to be opened by him. It is important to be careful with chmod when changing permissions and particularly when doing it recursively, as the situation can quickly get messed up. For more information, see man chmod or the Ubuntu manpages online, and this article at Superuser.
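The search-bit point made in this answer, as an added example that is not part of the answer or the manpage: it builds a small constructed tree, lists any directory whose owner lacks the execute (search) bit, and repairs the tree with chmod's capital X, which adds execute to directories and already-executable files only, so a recursive fix does not turn ordinary files into executables. Paths and file names are placeholders and it runs without root.

```shell
#!/bin/sh
# Added example, not from the original answer: find directories the owner
# cannot enter or list, and repair them without touching regular files.

set -u

# Constructed sample tree: two directories, a text file, an executable tool.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/docs/private" "$root/bin"
    : > "$root/docs/notes.txt"
    : > "$root/bin/tool"
    chmod 755 "$root/bin/tool"
    echo "$root"
}

# Directories under $1 with no owner execute (search) bit (mode lacks 0100).
# These are the folders the answer says the owner will not be able to open.
# Errors from find trying to descend into them are suppressed.
list_unsearchable_dirs() {
    find "$1" -type d ! -perm -0100 2>/dev/null
}

# Repair: 'u+X' sets the execute bit on directories and on files that already
# have some execute bit, so notes.txt stays non-executable and tool stays
# executable. A plain 'chmod -R u+x' would mark every file executable.
repair_search_bits() {
    chmod -R u+X "$1" 2>/dev/null
}

demo() {
    root=$(make_tree)
    chmod 644 "$root/docs/private"    # readable but not searchable: cannot be entered
    echo "before repair:"; list_unsearchable_dirs "$root"
    repair_search_bits "$root"
    echo "after repair:";  list_unsearchable_dirs "$root"
    ls -l "$root/docs/notes.txt" "$root/bin/tool"
    rm -rf "$root"
}

demo
```

The same list function run against a real tree (for example `list_unsearchable_dirs "$HOME"`) explains the common symptom where a file shows as readable in ls -l yet cannot be opened: the culprit is a parent directory missing its search bit, not the file itself.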