I want to stop having to use sudo every time I work in /var/www. How can I do that? I simply want to put all of my sites into this directory and work with them without too much pain.
Most answers here are not written with security in mind. It's good to get a feeling that running sudo each time is not very wise. If you make a typo (for example a single space in a wrong place, such as recursively deleting / var/www/dir, which means / and var/www/dir, instead of /var/www/dir; please do not attempt), you might trash your system.
Note: Starting with Apache 2.4.7 / Ubuntu 14.04, /var/www has been moved to /var/www/html. Adjust the commands in this answer accordingly.
See:
Where to place my local website starting with the 2.4.7 version of apache2?
Why has the apache2 www dir been moved to /var/www/html?
Changing the default document root for HTTP server
Bad ideas:
chmod 777 (sagarchalise) - this allows anyone with access to your system to write into the directories and files, thereby allowing the intruder to execute any code under the www-data user
chgrp -R www-data $HOME (cob) - this allows www-data to read or write any files in the home directory. This is not keeping the Least Privilege rule in mind
chown -R $USER:$USER /var/www (kv1dr) - unless the world has read permissions on /var/www, the webserver running under www-data will not be able to read (serve) the files. If the file is a publicly accessible plain HTML document, it might not be an issue if the world can read the file. But if the file is a PHP file containing passwords, it is.
NOTE: in the below solutions, I've granted www-data write privileges. However, /usr/share/doc/base-passwd/users-and-groups.txt.gz states:
www-data
Some web servers run as www-data. Web content should not be owned by this
user, or a compromised web server would be able to rewrite a web site. Data
written out by web servers will be owned by www-data.
Where possible, do not grant write permissions to the www-data group. www-data only needs to be able to read the files so the webserver can serve them. The only case where www-data needs write permissions is for directories storing uploads and other locations which need to be written.
Add yourself to the www-data group and set the setgid bit on the /var/www directory such that all newly created files inherit this group as well.
sudo gpasswd -a "$USER" www-data
Correct previously created files (assuming you to be the only user of /var/www):
sudo chown -R "$USER":www-data /var/www
find /var/www -type f -exec chmod 0660 {} \;
sudo find /var/www -type d -exec chmod 2770 {} \;
(even safer: use 640 or 2750 and manually chmod g+w file-or-dir that needs to be writable by the webserver)
Create a symlink for each project to your home directory. Say your project is located at ~/projects/foo and you want to have it located at /var/www/foo, run:
sudo ln -sT ~/projects/foo /var/www/foo
If your home directory has no execute bit (descend) set for other (for security reasons), change the group of it to www-data, but set the execute bit only (no read/write). Do the same for the ~/projects folder as it may contain other projects than www. (You don't need sudo if you have previously added your user to the www-data group.)
sudo chgrp www-data ~ ~/projects
chmod 710 ~ ~/projects
Set the group to www-data on ~/projects/foo and allow the webserver to read and write to files and files+directories and descend into directories:
sudo chgrp www-data ~/projects/foo
find ~/projects/foo -type f -exec chmod 660 {} \;
find ~/projects/foo -type d -exec chmod 2770 {} \;
Even safer: use 640 and 2750 by default and manually chmod files and directories that need to be writable by the webserver user. The setgid bit should be added only if you want every newly created file in ~/projects/foo to be accessible by the group.
From now on, you can access your site at http://localhost/foo and edit your project files in ~/projects/foo.
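The permission scheme recommended in the answer above can be checked mechanically. The following is an added example, not part of the original answer: a shell function that flags world-writable entries, group-writable entries outside the directories you declare as writable, and content owned by the web server user. The names audit_webroot and WEB_USER and the finding labels are hypothetical.

```bash
#!/bin/sh
# Added example: audit a web root against the answer's "even safer" scheme
# (files 640, directories 2750, group write only where the server must write).
# audit_webroot, WEB_USER and the finding labels are names made up for this sketch.

# Usage: audit_webroot DIR [WRITABLE_SUBDIR ...]
# WRITABLE_SUBDIR is relative to DIR (for example "uploads"); group write is
# accepted only there. Prints one finding per line; returns 1 if there are any.
audit_webroot() {
    local root web_user n findings
    root=${1%/}; shift
    web_user=${WEB_USER:-www-data}

    # Turn each remaining argument into "-path DIR/sub -prune -o" for find.
    n=$#
    while [ "$n" -gt 0 ]; do
        set -- "$@" -path "$root/$1" -prune -o
        shift
        n=$((n - 1))
    done

    # A numeric WEB_USER is passed to find as a uid; a name must exist.
    case $web_user in
        ''|*[!0-9]*) id "$web_user" >/dev/null 2>&1 || web_user= ;;
    esac

    findings=$(
        # The chmod 777 case: any local account can modify the site.
        find "$root" \( -type f -o -type d \) -perm -0002 \
            -exec printf 'WORLD-WRITABLE %s\n' {} +
        # Group write outside the declared writable locations.
        find "$root" "$@" \( -type f -o -type d \) -perm -0020 \
            -exec printf 'GROUP-WRITABLE %s\n' {} +
        # base-passwd: web content should not be owned by the server user.
        if [ -n "$web_user" ]; then
            find "$root" -user "$web_user" \
                -exec printf 'OWNED-BY-WEBUSER %s\n' {} +
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Call it as audit_webroot /var/www uploads (or with /var/www/html on newer releases); an empty result with exit status 0 means nothing deviates from the 640/2750 layout outside the listed writable directories.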