How do I give files and directories created by FTP the correct permissions for Apache to read and write them?

8

2

I'm more a Windows person, so please excuse my ignorance with this basic Linux question.

I am looking after a Linux (Debian) server which only has Apache2 and vsftp installed on it.

What is happening is that I am having a constant battle with who owns files and folders and can't seem to get it right.

This is my understanding so far:

  • www-data user needs ownership of folders and files as all of the files under /var/www/html run scripts which require them to write to their folder. And of course it needs to be able to serve the pages via http.
  • My ftp user (let's call it ftpuser) also requires permission to write to the /var/www/html folder (recursive) as I need to be able to upload new files.

With this in mind I have created a group called ftpandwww and have chowned all the folders and files to this group. This has worked to a degree...

I'm nearly in the right place, except for the fact that any new folders created using my FTP client have the wrong permissions (which I can correct by changing them in the FTP client), but then www-data can't write to them because they are owned by ftpuser, and I end up having to SSH in and run a chown to the ftpandwww group so that they are both happy.

How do I make all the new folders that I create under FTP have the correct permissions (774) and be automatically owned by the ftpandwww group so that I can upload and serve via web (with write permissions) without having to go in and chown all the new folders and files each time?

omega1

Posted 2015-07-15T16:28:30.347

Reputation: 305

Answers

10

Use SetGID permissions on the web root directory, and propagate them to the children.

When you apply SetGID on a directory, all new items in that directory will be created with the same group their parent has, regardless of the user's default group membership.

To apply SetGID to a filesystem object, use chmod with a 2 in front of the permission code (e.g. 740 => 2740).

I use SetGID on many of my Samba shares, so that files always have the ownergroup Users and any member of the group can read the files (I usually use 2750 so that only the owner user can write to the file).

In your case, run something like this (replace XXX with your desired permissions):

sudo chown -R root:ftpandwww /var/www
sudo chmod -R 2XXX /var/www

Then new files and folders will come out with ownership like ftpuser:ftpandwww.

Edit:

Depending on your use case, SetGID is likely enough to solve your issue, but if you have continuing issues where one or the other user is denied write due to an incorrect group permission (but ownership is right), then your best bet is to set a custom UMASK for the user that creates the files.

If you have difficulty setting the UMASK for the user (because it is a daemon), check this thread on options for setting a daemon-user's UMASK.

I would recommend the mask 007 if you want group members to be able to write and delete files, and no privileges to non-owners.

Frank Thomas

Posted 2015-07-15T16:28:30.347

Reputation: 29 039

Thanks, I will try this. When you mention that all files and folders will have this ownership ftpuser:ftpandwww, will www-data still serve them and have permissions (via script) to write back to the folders also? Thanks again. – omega1 – 2015-07-15T16:42:38.477

The actual owner-user will probably be the user running the process, unless it uses local authentication (but that's entirely dependent on the application). Either way, the answer to your question depends on the XXX you choose to use. Since both wwwdata and ftpdata are in the same group, if you give 770, then yes, both accounts will be able to write to the objects. If you gave it 740, however, only the owner user would be able to write, but any member of ftpandwww would be able to read. The point is that you are using group perms rather than user perms for these operations. – Frank Thomas – 2015-07-15T16:46:33.627
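
The following is an added example, not part of the answer or comments above. It applies SetGID to directories only (a recursive chmod would also put the bit on regular files), then simulates an upload under umask 007 to show what new items inherit. The function names, the 2770/660 modes and the temporary directory are assumptions chosen to match the 770 and 007 values discussed above, and it relies on GNU stat as shipped with Debian.

```shell
#!/bin/sh
# Added example: hypothetical helpers, run against a throwaway temp tree.

# Give an existing tree a shared group.
# Directories: setgid + rwx for owner and group (2770).
# Files: rw for owner and group (660), no setgid or execute bits.
share_tree() {
    dir=$1 group=$2
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 2770 {} + || return 1
    find "$dir" -type f -exec chmod 0660 {} +
}

# Octal mode and numeric group of a path (GNU stat).
mode_of() { stat -c '%a' "$1"; }
gid_of()  { stat -c '%g' "$1"; }

# Build a small tree, share it, then create new items the way an
# FTP session with umask 007 would, and report what they ended up with.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/html/existing"
    : > "$root/html/index.php"
    # Constructed stand-in for the shared group: the caller's own primary
    # group, so the demo needs no root. On the server this would be ftpandwww.
    share_tree "$root/html" "$(id -g)" || return 1

    (
        umask 007                      # group may write, others get nothing
        mkdir "$root/html/upload"      # inherits group and setgid from parent
        : > "$root/html/upload/new.txt"
    )

    inherited=group-differs
    [ "$(gid_of "$root/html/upload")" = "$(gid_of "$root/html")" ] &&
        inherited=group-inherited
    echo "$(mode_of "$root/html/upload") $(mode_of "$root/html/upload/new.txt") $inherited"
    rm -rf "$root"
}

demo   # prints: 2770 660 group-inherited
```

For uploads made through vsftpd, the equivalent of the `umask 007` line is the `local_umask=007` setting in vsftpd.conf.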