Ubuntu.com has pretty good serverguides, such as Apache guide. Where did you get your procedures you so carefully wrote down? I've never had to go to that much trouble for any of the servers I've set up, although I'm open to the possibility that I haven't been doing it right - also, I haven't actually install servers for anything that is very public, or very large, so there could be security holes that I don't know about.
However, I've never needed to be a member of the www-data group, and no source files in www are owned by www-data. My understanding is that this is used by Apache only for its own files, and it will not have write permissions to any of the other files itself, because in theory, no important files will allow www-data to have write permission. I'd guess that files owned by www-data would give read-only permission to everyone else, and nobody should have write permission to its files. I could be totally wrong, of course, and if I am, I hope someone will tell me and point me to actual documentation that explains differently (not to some forum where a random internet user like me has produced instructions that worked for him).
Perhaps I'm missing something, but your problem should be fairly straightforward. The user that is logged in using sftp needs to be a member of the group www-data, and the files you are trying to modify must have write permissions for the group www-data. It doesn't make sense to me that you can modify the files using ssh, but not using sftp; are you sure you are logging in to the same account for both? In sftp, you can enter commands such as !groups
to list your groups, or !whoami
to check what login name you are using. The results should match what you see using ssh (with the same commands minus the exclamation point).
You also should be able to use chmod, chown, chgrp from sftp if you have permission to do so.
By the way, I think your list has at least one pretty bad command:
sudo chmod -R g+rw /var/www
This gives the world write permission to every file and folder in /var/www. This sounds like a bad idea. Normally, only root has write permission to these directories, unless specific ones need more permission, usually only single directories.
Note: This was an error on my part. Thanks to DonalLafferty for pointing this out, that it specifies "g", not "a", so it only changes group permissions. My tired old eyes (or a bad font) must have read it as "a".
Edits for clarification
Normally, files created by Apache are read-only for both the www-data group and all other users, same as the root-owned files in /var/www. So, there should be no reason to make anyone a member of www-data. The issue is giving everyone write access, which is a different case. This should be done by making specific directories available within your site, and this is done simply by using chmod, either with sudo, since it is probably owned by root, or by making the owner yourself and not using sudo.
If you have more devs that need access to the entire site, that is when you want to make a user+group such as "webmasters", make it the owner of the site, give write permissions to that group, and make all devs members of that group. So the listing for the site directories would be something like:
drwxrwxr-x ## webmasters webmasters #### ####-##-## ##:## mysite.com
More Edits
I've since realized that you don't really need to create a user "webmasters", just a group. Then the files can be owned by root:webmasters, ie root is the owner, but webmasters is the group.
In answer to questions below, the files that Apache writes will be owned by www-data, and group www-data. These files are not normally something you write to, so non-members of www-data may have read-only access - I think it depends on the directory permissions. If you do need more than occasional write access, then adding yourself to the group might be useful. Usually you make specific directories world writable for content saved by Apache. Consider also that most shared web hosting running Apache without shell access would not even have a way to set up groups.
But, Apache can read files even owned by root. Almost all files have world-readable access, just not writable. So, unless you want to change this, Apache doesn't need to be in the webmasters group.
This is all basic Linux setup, not really Apache. Apache only cares about access from within the web server, and that's set by the config files. For this reason, the Ubuntu documentation link I included in my post should be considered a better source than a public wiki.
By the way, the O'Reilly Apache Cookbook says "Document directories, such as htdocs, cgi-bin, and icons, will have to have permissions set in a way that makes the
most sense for the development model of your particular web site, but under no circumstances should any of these directories or files contained in them be writable by the web server user."
Finally, using ACLs is a good way to set file permissions if you need more control. It may even be a good way to set them all the time, and is something I should investigate.
Best Answer
There is nothing that stops you from installing and running applications locally, without sudo privileges. Locally, meaning: in your own home directory. That is how it is supposed to be.
You shouldn't have the same permissions on directories you are sharing with possible other users on your system.
About /usr
The explanation on what
usr
literally stands for varies from unix system resources, to user system resources. The latter however should not be interpreted as owned by users, but as serving users, opposite to serving the system. Here we read about/usr
:The bottom line is that all (modern) explanations mention that it is about "shareabble, read- only data", and: "should not be written to"