
I know this question has been asked and answered in various ways, but my searching has not produced an answer that seems to work for me, so I will ask specifically to my needs:

Running: Ubuntu 18.04, Apache2

I am trying to make it so that I SFTP in as my sudo user (Assume johndoe for user name) and create files and folders anywhere under /var/www, the following happens:

  1. All files & folders I create AUTOMATICALLY have 775 permissions
  2. All files are owned AUTOMATICALLY by www-data (and naturally in www-data group)
  3. Anything I create under the /var/www directory inherits this behavior.

If someone can give me a step by step (rather than "just do this"), that would be awesome, and I believe this would be a great answer for others.

If you have an argument for different permissions, please let me know. What matters is that the web server can read and write files, and my SFTP user can as well. What matters is that the permissions are correct when I create a new file uploaded by my SFTP user.

Thanks.

2 Answers


  1. For security you shouldn’t make apache the owner of any files in the /var/www folder. You should create a separate new user (with no shell) for each web app you store in the www-data folder and assign that new user as owner for all files and folders associated with that particular web app. In this way if Apache is compromised all your web apps and associated files are not compromised simultaneously.

    Assign www-data as the group for files and sub-folders in /var/www , so that Apache can read and serve your web apps.

    Give www-data read and execute permissions for folders, and only give www-data read permissions for files. In this way if Apache is compromised none of your files can be modified by Apache.

    # web app 1: set owner and group; do not set www-data as owner!
    sudo chown -R web-app-1:www-data /var/www/app1

    # web app 1: set permissions for all sub-folders as detailed previously
    # (the ";" that terminates -exec must be escaped, or the shell consumes it)
    sudo find /var/www/app1 -type d -exec chmod 750 {} \;

    # web app 1: set permissions for all files in sub-folders as detailed previously
    sudo find /var/www/app1 -type f -exec chmod 640 {} \;
    
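The procedure in the answer above (no-shell per-app user, www-data as group, 750 on directories, 640 on files) as one script, with an audit step that confirms nothing under the app root is group-writable. This is an added example, not code from the answer or the page; it assumes a GNU userland (useradd, find), the hypothetical app user name web-app-1 and the hypothetical app root /var/www/app1.

```shell
#!/bin/sh
# Added example, not part of the answer above: apply the per-app-user / www-data-group
# scheme it describes to one web app directory, then verify the result.
# Assumptions: GNU userland (useradd, find), app user "web-app-1", app root /var/www/app1.
set -eu

# Per-app service account with no login shell, so the account cannot be used
# for an interactive login and owns nothing but its own app's files.
create_app_user() {
    user="$1"
    if ! id "$user" >/dev/null 2>&1; then
        useradd --system --shell /usr/sbin/nologin --no-create-home "$user"
    fi
}

# Ownership: the app user owns everything; group www-data lets Apache read it.
set_app_owner() {
    dir="$1"
    user="$2"
    group="${3:-www-data}"
    chown -R "$user:$group" "$dir"
}

# Modes: directories 750 (Apache may traverse and list), files 640 (Apache may read).
# Nothing is group-writable, so a compromised Apache cannot modify the app's code.
# "\;" is required: an unescaped ";" is consumed by the shell and find reports
# a missing argument to -exec.
set_app_modes() {
    dir="$1"
    find "$dir" -type d -exec chmod 750 {} \;
    find "$dir" -type f -exec chmod 640 {} \;
}

# Audit: exit 0 only when every directory is exactly 750 and every file exactly 640.
# Any offender printed by find makes the string non-empty and the check fail.
verify_app_modes() {
    dir="$1"
    [ -z "$(find "$dir" \( -type d ! -perm 750 \) -o \( -type f ! -perm 640 \))" ]
}

# Usage, as root, for the hypothetical app "app1":
#   create_app_user web-app-1
#   set_app_owner /var/www/app1 web-app-1 www-data
#   set_app_modes /var/www/app1
#   verify_app_modes /var/www/app1 && echo "app1 permissions OK"
```

Run verify_app_modes from a cron job or a deploy hook: a non-zero exit is the earliest signal that a deploy, an upload or an exploit has left something writable by the web server's group.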
  2. What you are looking to do is possible, just that you will not make the edits directly to the folder, but to a mounted one in your /home/johndoe/websites folder which is actually the mounted /var/www/html folder. The owner of the edits/new files/etc will always be www-data user of www-data group.

    I had forgotten how to do this, wanted to do it on a new server and could not find an answer on Google. Searched for hours; ultimately I logged in on the server where I had this working and managed to find out how I was doing it.

    So, follow this guide:
    https://sammaye.wordpress.com/2018/08/09/use-bindfs-for-serving-ssh-users-with-web-server-access/

    You might need to install bindfs, or fuse
