Usually, it is a bad idea to give write access to the account running the Web Server (www-data under Ubuntu).
For your scenario, I would change the owner of /var/www/html to the ftpuser with a read-write for him, read only for the group and the others. Apache needs at least to be able to read in this directory.
UPD: If you have more than one user to give access to, put them all in the same group, change the group ownership to this group and give the group read & write access too.
Security-wise, it is a bad idea to give Apache write access to all files he can access. If someone is able to do "nasty things" with your web server, at least he won't be able to change the files using Apache directly.
Don't forget to secure the installation of the FTP server you intend to use to let ftpuser upload files.
If Mediawiki needs to write on some files, I would give to these files only the read-write rights for the www-data user (by setting the owner of these files to www-data). If you cannot predict which files need to be writable by the web application, you'd better to isolate this application into a subfolder of ´/var/www/html´.
By experience, I know that when right access is needed on some of the file, usually the documentation of the application details exactly which ones.
This guy Tom deserves a medal for this post on ServerFault
Setting group ID the way he explains made it work!
Attempting to expand on @Zoredache's answer, as I give this a go
myself:
Create a new group (www-pub) and add the users to that group
groupadd www-pub
usermod -a -G www-pub usera # must use -a to append to existing groups
usermod -a -G www-pub userb
groups usera ## display groups for user
Change the ownership of everything under /var/www to root:www-pub
chown -R root:www-pub /var/www # -R for recursive
Change the permissions of all the folders to 2775
chmod 2775 /var/www
2=set group id, 7=rwx for owner (root), 7=rwx for group (www-pub), 5=rx for world (including apache www-data
user)
Set group ID (SETGID) bit (2) causes the group (www-pub) to be copied to all new files/folders created in that folder. Other
options are SETUID (4) to copy the user id, and STICKY (1) which I
think lets only the owner delete files.
There's a -R recursive option, but that won't discriminate between files and folders, so you have to use find, like so:
find /var/www -type d -exec chmod 2775 {} +
Change all the files to 0664
find /var/www -type f -exec chmod 0664 {} +
Change the umask for your users to 0002
The umask controls the default file creation permissions, 0002 means files will have 664 and directories 775. Setting this (by
editing the umask line at the bottom of /etc/profile in my case)
means files created by one user will be writable by other users in the
www-group without needing to chmod them.
Test all this by creating a file and directory and verifying the
owner, group and permissions with ls -l.
Note: You'll need to logout/in for changes to your groups to take
effect!
Best Answer
I'd recommend setting it to be owned by
james:james.Alternatively, you could leave it as
root:rootand requitesudofor anybody deploying files in there, but if you are directly working in the /var/www directory (rather than working somewhere else and pushing the files there) that may not be convenient, and it won't work with FTP either.You can set the owner of /var/www to whatever you like, as long as the
www-datauser has read access. You can achieve this by setting permissions to allow world read access (as is default).By default, it is owned by
root:root(notwww-dataas you state in the question).For security, it is not a good idea to set it to be owned by
www-data.www-datais intended to be an unprivileged account which cannot write to any files, and can only read them.Yes, occasionally you may need to give
www-datathe permission to write to a given file, but for security this should be strictly limited to those particular files, and precautions should be taken such as making sure no such files are executable as scripts by the web server (ie they are not in a location where they may be interpreted as PHP or CGI files), etc.For security, it is an even worse idea to set the file permissions to world-writable (eg, 777). Unprivileged users such as
www-datashould not be able to write to files in this directory. The only people who need write access will be the people who are actually writing files in there.The /var/www directory is intended to be yours to do with what you like. It makes sense to set ownership to whichever account will be editing the files. You can create a group for this purpose if you have multiple people, but in this case it's just you.
Note: if creating a group, create a new group. Do not re-use the
www-datagroup as that is intended to be an unprivileged group without write access to any files (as I explain above).Too often I see people recommending adopting very bad security practices such as setting /var/www to be owned by
www-data, or adding people to thewww-datagroup in order to give that group editing privileges, or setting /var/www to be world-writable (eg 777). By doing any of this you are potentially opening yourself up to significant security problems.