Ubuntu – How to chmod 777 all subfolders of /var/www

You could use ACL. To set up ACL for Ubuntu 10.10, first mount the file systems with the acl option in /etc/fstab.

sudo vim /etc/fstab

UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx / ext4 defaults,acl 0 1

sudo mount -o remount,acl /

Then make a group to which a user may belong for this purpose.

sudo groupadd developers
sudo usermod -a -G developers $username

The user needs to log out and in again to become a member of the developers group.

Of course, do not do this if you have content in the /var/www directory that you want, but just to illustrate setting it up to start:

sudo rm -rf /var/www
sudo mkdir -p /var/www/public
sudo chown -R root.developers /var/www/public
sudo chmod 0775 /var/www/public
sudo chmod g+s /var/www/public
sudo setfacl -d -m u::rwx,g::rwx,o::r-x /var/www/public

Then replace references to "/var/www" with "/var/www/public" in a config file and reload.

sudo vim /etc/apache2/sites-enabled/000-default
sudo /etc/init.d/apache2 reload

If we wanted to restrict delete and rename from all but the user who created the file:

sudo chmod +t /var/www/public

This way, if we want to create directories for frameworks that exist outside the Apache document root or maybe create server-writable directories, it's still easy.

Apache-writable logs directory:

sudo mkdir /var/www/logs
sudo chgrp www-data /var/www/logs
sudo chmod 0770 /var/www/logs

Apache-readable library directory:

sudo mkdir /var/www/lib
sudo chgrp www-data /var/www/lib
sudo chmod 0750 /var/www/lib

I'd recommend setting it to be owned by james:james.

Alternatively, you could leave it as root:root and requite sudo for anybody deploying files in there, but if you are directly working in the /var/www directory (rather than working somewhere else and pushing the files there) that may not be convenient, and it won't work with FTP either.

You can set the owner of /var/www to whatever you like, as long as the www-data user has read access. You can achieve this by setting permissions to allow world read access (as is default).

By default, it is owned by root:root (not www-data as you state in the question).

• For security, it is not a good idea to set it to be owned by www-data. www-data is intended to be an unprivileged account which cannot write to any files, and can only read them.

  Yes, occasionally you may need to give www-data the permission to write to a given file, but for security this should be strictly limited to those particular files, and precautions should be taken such as making sure no such files are executable as scripts by the web server (ie they are not in a location where they may be interpreted as PHP or CGI files), etc.

• For security, it is an even worse idea to set the file permissions to world-writable (eg, 777). Unprivileged users such as www-data should not be able to write to files in this directory. The only people who need write access will be the people who are actually writing files in there.

• The /var/www directory is intended to be yours to do with what you like. It makes sense to set ownership to whichever account will be editing the files. You can create a group for this purpose if you have multiple people, but in this case it's just you.

  Note: if creating a group, create a new group. Do not re-use the www-data group as that is intended to be an unprivileged group without write access to any files (as I explain above).

Too often I see people recommending adopting very bad security practices such as setting /var/www to be owned by www-data, or adding people to the www-data group in order to give that group editing privileges, or setting /var/www to be world-writable (eg 777). By doing any of this you are potentially opening yourself up to significant security problems.