Usually, it is a bad idea to give write access to the account running the Web Server (www-data under Ubuntu).
For your scenario, I would change the owner of /var/www/html to the ftpuser, with read-write for him and read-only for the group and the others. Apache needs at least to be able to read in this directory.
UPD: If you have more than one user to give access to, put them all in the same group, change the group ownership to this group and give the group read & write access too.
Security-wise, it is a bad idea to give Apache write access to all files it can access. If someone is able to do "nasty things" with your web server, at least he won't be able to change the files using Apache directly.
Don't forget to secure the installation of the FTP server you intend to use to let ftpuser upload files.
If Mediawiki needs to write to some files, I would give read-write rights on only these files to the www-data user (by setting the owner of these files to www-data). If you cannot predict which files need to be writable by the web application, you'd better isolate this application into a subfolder of ´/var/www/html´.
From experience, I know that when write access is needed on some of the files, the documentation of the application usually details exactly which ones.
Answer to Question #1: Recursive chown
A recursive chown will let you set ownership and group to what you want for /var/www/.... This is the command you should use:
sudo chown -R www-data:www-data /var/www/
With that, every file and folder will be set as such inside there with those ownership permissions.
Half-Answer to Question #2: setgid bit
If you want default group ownership on files, set the setgid bit on the /var/www/html folder. New files should then be created with that group as stated on the folder.
sudo chmod g+s /var/www/html
You'll need to set write permissions, though, if any user OTHER than www-data is writing to the directories, and doing so can open you to a security hole or two if you're not careful.
You end up with permissions being $USER:www-data; to change the owner you then use a chown as indicated in method #1 (that said, in a proper setup you should rely on group permissions, not user owner permissions, for access to the web files).
PHP Wordpress Duplicator Problem
The problem with permissions is that the user/group PHP runs as needs write and read and likely +x on the directory to edit the dir structure and such.
PHP runs as www-data by default in Ubuntu installs which use the default configurations. Ideally, your steps above would make the issue fixed, as you're stuck with the Duplicator Plugin being a PHP plugin.
Ideally you should also check the documentation for the Duplicator Plugin to verify what permissions it needs to run and work.
Best Answer
sudo adduser jknoppf www-data and sudo chown -R www-data:www-data /var/www/html:
The first one will add the user jknoppf into the group www-data, and the second one will change the owner of all the directories and files, including /var/www/html, into the user www-data, and also change the group owner into the group www-data. Since the permission for /var/www/html is by default 775, and the user jknoppf is in the group www-data, this user can have full access to all the contents inside.
sudo chown -R jknoppf:www-data /var/www/html:
This command changes the owner of all the directories and files, including /var/www/html, into the user jknoppf, and also changes the group owner into the group www-data. Since the permission for /var/www/html is by default 775, and the user jknoppf is the owner of the directory, this user can have full access to all the contents inside.
Remarks: the permission 775 means:
First 7: the owner of the file has full access to files, i.e. read 4 + write 2 + execute 1.
Second 7: all users in the group that owns the file have full access to files, i.e. read 4 + write 2 + execute 1.
Third 5: all other people that are neither the owner nor members of the group only have access to read 4 + execute 1.
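
The script below is an added example, not part of any of the answers above: audit helpers for the points they raise (world-writable entries, directories missing the setgid bit from the second answer, and files the web server account owns and can write, which is the first answer's concern). The function names, the constructed demo tree and the 2775/664 modes are assumptions chosen for illustration.

```bash
#!/bin/sh
# Added example: audit helpers for a web root (names and paths are assumptions).

# Entries any local account can modify (the "other" write bit is set).
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Directories without setgid: files created there keep the creator's own
# group instead of inheriting the directory's shared group.
dirs_missing_setgid() {
    find "$1" -type d ! -perm -2000 -print
}

# Entries owned by USER (name or numeric uid) that the owner may write, i.e.
# what a compromised web application running as that account could alter.
owned_and_writable_by() {   # usage: owned_and_writable_by DIR USER
    find "$1" ! -type l -user "$2" -perm -0200 -print
}

# Group-shared layout: directories 2775 (rwxrwsr-x), files 664 (rw-rw-r--).
# Changing owner or group (chown) needs root and is left to the caller.
apply_group_layout() {
    find "$1" -type d -exec chmod 2775 {} +
    find "$1" -type f -exec chmod 0664 {} +
}

# Constructed sample tree with one deliberately over-permissive file.
make_demo_tree() {
    demo_root=$(mktemp -d) || return 1
    mkdir -p "$demo_root/html/images"
    echo '<?php // constructed sample' > "$demo_root/html/index.php"
    echo 'cache' > "$demo_root/html/images/tmp.dat"
    chmod 0755 "$demo_root/html" "$demo_root/html/images"
    chmod g-s "$demo_root/html" "$demo_root/html/images"
    chmod 0644 "$demo_root/html/index.php"
    chmod 0666 "$demo_root/html/images/tmp.dat"
    printf '%s\n' "$demo_root"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(make_demo_tree)
    echo "World-writable before:"; world_writable "$root/html"
    apply_group_layout "$root/html"
    echo "World-writable after:";  world_writable "$root/html"
    rm -rf "$root"
fi
```

On a real server, `owned_and_writable_by /var/www/html www-data` should list only the paths the application's documentation says it must write to.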