I have a pretty standard server set up running Apache and PHP. An app I am running creates files and these are owned by the Apache user `www-data`. Files that I upload via SFTP are owned by my own user `charlesr`. All files are part of the `www-data` group. My problem is that I cannot modify or overwrite any of the files via SFTP which are owned by `www-data`, even though `charlesr` is part of the `www-data` group. I can modify the files no problem via an SSH session.

So I'm not sure what to do. How do I give my SFTP session permissions to modify `www-data`-owned files?
For a bit of background, these are the notes I wrote for myself when setting up the server:
Now set up permissions on `/var/www` where your files are served from by default:

```shell
$ sudo adduser $USER www-data
$ sudo chgrp -R www-data /var/www
$ sudo chmod -R g+rw /var/www
$ sudo chmod -R g+s /var/www
```
Now log out and log in again to make the changes take hold.
The previous set of commands does the following:
1. adds the current user ($USER) to the `www-data` group;
2. changes `/var/www` to belong to the `www-data` group;
3. adds read/write permissions to the group that `/var/www` belongs to;
4. sets the SGID bit on `/var/www`; this final point bears some explaining.
And then I go on to explain to myself what setting the SGID bit means (i.e. all files created in `/var/www` become part of the `www-data` group automatically).
UPDATE
It seems that the problem was caused by the app itself or, more specifically, the application framework (Kohana) setting certain files it writes to 0644 (`rw-r--r--`); i.e. not group writable. This, coupled with the fact that the files are also owned by `www-data`, meant that I could not edit the files via SFTP when logged in as `charlesr`. I'm not sure why I could edit the files via SSH. My guess is that I must have used sudo.

Here is the permissions strategy I now use thanks to the tireless help of Marty Fried, who pointed out the flaws in my previous strategy and also helped me marinade in the world of Linux permissions until I finally grokked it. Thanks Marty!
Overview

- Files and directories in `/var/www` should be owned by `root:webmasters`
- All devs should be members of the `webmasters` group
- All directories in `/var/www` should be set to `2775` or `u=rwx,g=rwxs,o=rx` (`rwxrwsr-x`)
- All files in `/var/www` should be set to `0664` or `ug=rw,o=r` (`rw-rw-r--`)
The following should be owned by `www-data:webmasters` (i.e. these are the directories that Apache needs to be able to write to):

- `application/cache`
- `application/logs`
- `upload`
- `client_helpers/upload`
HOWTO

To set up permissions on `/var/www` where your files are served from by default:

```shell
sudo addgroup webmasters
sudo adduser $USER webmasters
sudo chown -R root:webmasters /var/www
# the ';' that terminates -exec must be escaped so the shell passes it to find
sudo find /var/www -type f -exec chmod 664 {} \;
sudo find /var/www -type d -exec chmod 775 {} \;
sudo find /var/www -type d -exec chmod g+s {} \;
# use the full path so this works regardless of the current directory
sudo chown -R www-data:webmasters /var/www/application/cache/
[etc...]
```
Now log out and log in again to make the changes take hold.
The previous set of commands does the following:

- creates a new group called `webmasters`; all users who need write access to the app files will be added to this group.
- adds the current user (`$USER`) to the `webmasters` group.
- changes the owner of `/var/www` to `root` and the group to `webmasters`.
- sets 664 permissions (`-rw-rw-r--`) on all files in `/var/www`.
- sets 775 permissions (`drwxrwxr-x`) on all directories in `/var/www`.
- sets the SGID bit on `/var/www` and all directories therein; this final point bears some explaining. Note also that you can put a 2 at the front of your chmod octal (e.g. 2644) to do the same thing.
- sets the owner of the supplied directory to `www-data` (Apache's user) and its group to `webmasters`. This ensures the directory is writable by Apache and anyone in the `webmasters` group. Do the same for all other directories that need to be writable.
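The script below is an added example, not part of the original notes. It applies the mode part of the HOWTO (664 files, 2775 directories) to any tree, audits a tree for the exact condition that caused the SFTP failure described in the UPDATE (files written 0644, i.e. not group-writable, or directories missing group-write or the SGID bit), and checks whether a user is actually a member of a group. The `chown` steps are left out because they need root; the function and argument names are my own, and the `/var/www` and `webmasters` values in the usage comment are taken from the notes above.

```shell
#!/bin/sh
# Added example (not the original poster's commands). Needs only POSIX
# find/chmod and id, so it can be tried on a scratch directory as a normal
# user; ownership (chown root:webmasters, www-data:webmasters) is left to
# the admin because it requires root.

# apply_webroot_perms DIR
#   files       -> 0664 (rw-rw-r--)
#   directories -> 2775 (rwxrwsr-x): group-writable, with SGID so entries
#                  created inside inherit DIR's group, not the creator's
#                  primary group
apply_webroot_perms() {
    find "$1" -type f -exec chmod 664 {} +
    find "$1" -type d -exec chmod 2775 {} +
}

# audit_webroot DIR [GROUP]
#   Reports on stderr every file that is not group-writable and every
#   directory missing group-write or SGID; with GROUP, also every entry
#   whose group is not GROUP. Prints the number of offenders on stdout,
#   so 0 means the tree matches the strategy above.
audit_webroot() {
    dir=$1
    grp=$2
    # -perm -020: group-write bit set; -perm -2000: SGID bit set
    find "$dir" -type f ! -perm -020 -exec echo 'not group-writable:' {} \; >&2
    nf=$(find "$dir" -type f ! -perm -020 | wc -l)
    find "$dir" -type d \( ! -perm -020 -o ! -perm -2000 \) \
        -exec echo 'missing g+w or SGID:' {} \; >&2
    nd=$(find "$dir" -type d \( ! -perm -020 -o ! -perm -2000 \) | wc -l)
    ng=0
    if [ -n "$grp" ]; then
        find "$dir" ! -group "$grp" -exec echo "not in group $grp:" {} \; >&2
        ng=$(find "$dir" ! -group "$grp" | wc -l)
    fi
    echo $((nf + nd + ng))
}

# in_group USER GROUP -> exit status 0 if USER is a member of GROUP.
# Group membership is read at login, which is why the notes say to log out
# and back in: a session opened before the adduser still has the old list.
in_group() {
    id -nG "$1" | tr ' ' '\n' | grep -qx "$2"
}

# Stand-alone use:  sh perms.sh audit /var/www webmasters
#                   sh perms.sh apply /var/www
case "$1" in
    audit) audit_webroot "$2" "$3" ;;
    apply) apply_webroot_perms "$2" ;;
esac
```

Running `audit` as the SFTP user is the quick way to see whether a file the app created is the problem: any path listed under "not group-writable" is one that `charlesr` cannot overwrite even though the group is right.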