You could use ACL. To set up ACL for Ubuntu 10.10, first mount the file systems with the acl option in /etc/fstab.
sudo vim /etc/fstab
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx / ext4 defaults,acl 0 1
sudo mount -o remount,acl /
Then make a group to which a user may belong for this purpose.
sudo groupadd developers
sudo usermod -a -G developers $username
The user needs to log out and in again to become a member of the developers group.
Of course, do not do this if you have content in the /var/www directory that you want, but just to illustrate setting it up to start:
sudo rm -rf /var/www
sudo mkdir -p /var/www/public
sudo chown -R root.developers /var/www/public
sudo chmod 0775 /var/www/public
sudo chmod g+s /var/www/public
sudo setfacl -d -m u::rwx,g::rwx,o::r-x /var/www/public
Then replace references to "/var/www" with "/var/www/public" in a config file and reload.
sudo vim /etc/apache2/sites-enabled/000-default
sudo /etc/init.d/apache2 reload
If we wanted to restrict delete and rename from all but the user who created the file:
sudo chmod +t /var/www/public
This way, if we want to create directories for frameworks that exist outside the Apache document root or maybe create server-writable directories, it's still easy.
Apache-writable logs directory:
sudo mkdir /var/www/logs
sudo chgrp www-data /var/www/logs
sudo chmod 0770 /var/www/logs
Apache-readable library directory:
sudo mkdir /var/www/lib
sudo chgrp www-data /var/www/lib
sudo chmod 0750 /var/www/lib
I'd recommend setting it to be owned by james:james. Alternatively, you could leave it as root:root and require sudo for anybody deploying files in there, but if you are directly working in the /var/www directory (rather than working somewhere else and pushing the files there) that may not be convenient, and it won't work with FTP either.
You can set the owner of /var/www to whatever you like, as long as the www-data user has read access. You can achieve this by setting permissions to allow world read access (as is default).
By default, it is owned by root:root (not www-data as you state in the question).
For security, it is not a good idea to set it to be owned by www-data. www-data is intended to be an unprivileged account which cannot write to any files, and can only read them.
Yes, occasionally you may need to give www-data the permission to write to a given file, but for security this should be strictly limited to those particular files, and precautions should be taken such as making sure no such files are executable as scripts by the web server (i.e. they are not in a location where they may be interpreted as PHP or CGI files), etc.
For security, it is an even worse idea to set the file permissions to world-writable (e.g. 777). Unprivileged users such as www-data should not be able to write to files in this directory. The only people who need write access will be the people who are actually writing files in there.
The /var/www directory is intended to be yours to do with what you like. It makes sense to set ownership to whichever account will be editing the files. You can create a group for this purpose if you have multiple people, but in this case it's just you.
Note: if creating a group, create a new group. Do not re-use the www-data group as that is intended to be an unprivileged group without write access to any files (as I explain above).
Too often I see people recommending adopting very bad security practices such as setting /var/www to be owned by www-data, or adding people to the www-data group in order to give that group editing privileges, or setting /var/www to be world-writable (e.g. 777). By doing any of this you are potentially opening yourself up to significant security problems.
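An added audit script (not from any of the answers above) that checks a web root for the anti-patterns this answer warns about: world-writable entries, entries owned by the web-server user, and group-writable entries owned by the web-server group. It assumes the server account is www-data, overridable through WEB_USER and WEB_GROUP.

```shell
#!/bin/sh
# Web-server account to flag; www-data is the Debian/Ubuntu default (assumption).
WEB_USER="${WEB_USER:-www-data}"
WEB_GROUP="${WEB_GROUP:-www-data}"

# Print every file or directory under $1 that is writable by "other" (e.g. 777).
find_world_writable() {
    find "$1" ! -type l -perm -002 2>/dev/null | sort
}

# Print every entry under $1 owned by the web-server user, or owned by the
# web-server group with the group write bit set. Owner and group are read
# from ls -ld so the check also works where the account does not exist.
find_server_writable() {
    root=$1
    find "$root" ! -type l 2>/dev/null | while IFS= read -r path; do
        set -- $(ls -ld "$path")          # $1=mode $3=owner $4=group
        group_w=$(printf '%s' "$1" | cut -c6)   # 6th char of -rwxrwxr-x is group 'w'
        if [ "$3" = "$WEB_USER" ] || { [ "$4" = "$WEB_GROUP" ] && [ "$group_w" = "w" ]; }; then
            printf '%s\n' "$path"
        fi
    done | sort
}

# Returns 0 when the tree is clean, 1 when any finding was printed.
audit_webroot() {
    findings=$( { find_world_writable "$1"; find_server_writable "$1"; } | sort -u )
    if [ -n "$findings" ]; then
        printf 'Insecure entries under %s:\n%s\n' "$1" "$findings"
        return 1
    fi
    printf 'OK: no world-writable or web-server-writable entries under %s\n' "$1"
    return 0
}
```

Run it as `audit_webroot /var/www` from a shell that has sourced the script; a non-zero exit status makes it usable in a cron job or deployment check.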
Best Answer
This is bad practice, but hopefully you are just using this for development, or you have another good reason. You can specify the permissions when you create a directory using the -m option. Or you can set the permissions recursively.
Before using either of these, really consider if you want your filesystem to be so accessible.
Edit: As mentioned by Rinzwind here is a better way of accomplishing what you want.
Check what group owns your /var/www directory and add your user to that group. The group is probably www-data. Then you will be OK with setting your permissions to 775.