What's the best way of handling permissions for Apache 2's user www-data in /var/www?

Has anyone got a nice solution for handling files in /var/www? We are running Name Based Virtual Hosts and the Apache 2 user is www-data.

We've got two regular users and root. So when messing with files in /var/www, rather than having to run ...

chown -R www-data:www-data

... all the time, what is a good way of handling this?

Supplementary question: How hardcore do you then go on permissions?

This one has always been a problem in collaborative development environments.

230
2019-05-19 07:51:56
Answers: 3

Attempting to expand on @Zoredache's answer, as I give this a go myself:

  • Create a new group (www-pub) and add the users to that group

    groupadd www-pub

    usermod -a -G www-pub usera ## must use -a to append to the user's existing groups

    usermod -a -G www-pub userb

    groups usera ## display groups for a user

  • Change the ownership of everything under /var/www to root:www-pub

    chown -R root:www-pub /var/www ## -R for recursive

  • Change the permissions of all the folders to 2775

    chmod 2775 /var/www ## 2 = set group id, 7 = rwx for owner (root), 7 = rwx for group (www-pub), 5 = rx for world (including the Apache www-data user)

    The set group ID (SETGID) bit (2) causes the group (www-pub) to be copied to all new files/folders created in that folder. Other options are SETUID (4) to copy the user id, and STICKY (1), which I think lets only the owner delete files.

    There is a -R recursive option, but that won't discriminate between files and folders, so you have to use find, like so:

    find /var/www -type d -exec chmod 2775 {} +

  • Change all the files to 0664

    find /var/www -type f -exec chmod 0664 {} +

  • Change the umask for your users to 0002

    The umask controls the default file creation permissions; 0002 means files will get 664 and directories 775. Setting this (by editing the umask line at the bottom of /etc/profile in my case) means files created by one user will be writable by the other users in the www-pub group without needing to chmod them.

Test all this by creating a file and a directory and verifying the owner, group and permissions with ls -l.

Note: You'll need to log out and back in for changes to your groups to take effect!

220
2022-06-10 18:51:10

I am not entirely sure how you want to set up the permissions, but this may give you a starting point. There probably are better ways. I am assuming you want both users to be able to change anything under /var/www/.

  • Create a new group (www-pub) and add the users to that group.
  • Change the ownership of everything under /var/www to root:www-pub.
  • Change the permissions of all the folders to 2775.
  • Change all the files to 0664.
  • Change the umask for your users to 0002.

This means any new file created by either of your users should be username:www-pub 0664 and any directory that gets created will be username:www-pub 2775. Apache will get read access to everything via the 'other users' part. The SETGID bit on the directories will force all files being created to be owned by the group that owns the folder. Adjusting the umask is required to make sure that the write bit is set so that anyone in the group will be able to edit the files.

As for how hardcore I go on permissions: it completely depends on the site/server. If there are only 1-2 editors and I just need to keep them from breaking things too badly, then I will relax. If the business required something more complex, then I would set up something more complex.

63
2019-05-23 00:28:21
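The folder and file modes, the find commands and the umask from the two answers above, run end to end against a throwaway directory as an added example; this is not code from either answer. It skips groupadd, usermod and chown, which need root and a real www-pub group, so the tree simply keeps the caller's primary group; that is enough to watch the setgid bit propagate and the umask decide the mode of new files. A second file is created under the stock umask 022 to show what the umask step prevents. The site1/htdocs layout and file names are made up for the demo; stat -c is GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original answers: exercise the chmod/find/umask
# steps on a temporary tree instead of /var/www (no root, no www-pub group).
set -eu

# apply_www_perms DIR: directories 2775 (setgid + rwxrwxr-x), files 0664,
# exactly the two find commands from the answer
apply_www_perms() {
    find "$1" -type d -exec chmod 2775 {} +
    find "$1" -type f -exec chmod 0664 {} +
}

# mode_of PATH: octal mode including the setgid/sticky digit (GNU stat)
mode_of() { stat -c '%a' "$1"; }

# group_of PATH: owning group name (GNU stat)
group_of() { stat -c '%G' "$1"; }

# demo: build a constructed tree with deliberately wrong modes, fix it with
# apply_www_perms, then create new entries the way a developer would and
# report the resulting modes as one line:
#   <site dir> <existing file> <new dir, umask 002> <new file, umask 002> <new file, umask 022>
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/site1/htdocs"
    printf '<h1>hi</h1>\n' > "$root/site1/htdocs/index.html"   # constructed content
    chmod 700 "$root/site1" "$root/site1/htdocs"                # too tight for the group
    chmod 600 "$root/site1/htdocs/index.html"

    apply_www_perms "$root"

    # developer session with the recommended umask 0002: new dir inherits the
    # setgid bit and the parent's group, new file is group-writable
    ( umask 0002
      mkdir "$root/site1/htdocs/img"
      printf 'x' > "$root/site1/htdocs/img/logo.png" )

    # same developer with the stock umask 022: group silently loses write
    ( umask 0022; printf 'x' > "$root/site1/htdocs/img/stale.png" )

    # sanity check on the setgid effect: the new entries carry the parent's group
    [ "$(group_of "$root/site1/htdocs/img")" = "$(group_of "$root")" ] || { rm -rf "$root"; return 1; }
    [ "$(group_of "$root/site1/htdocs/img/logo.png")" = "$(group_of "$root")" ] || { rm -rf "$root"; return 1; }

    printf '%s %s %s %s %s\n' \
        "$(mode_of "$root/site1")" \
        "$(mode_of "$root/site1/htdocs/index.html")" \
        "$(mode_of "$root/site1/htdocs/img")" \
        "$(mode_of "$root/site1/htdocs/img/logo.png")" \
        "$(mode_of "$root/site1/htdocs/img/stale.png")"
    rm -rf "$root"
}

demo
```

Expected line is `2775 664 2775 664 644`: the directory created under the setgid parent comes out 2775 without any chmod, the umask 002 file is group-writable, and the umask 022 file is the one a colleague will later be unable to edit, which is exactly why the answers insist on the umask step.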

I think you may find POSIX ACLs (access control lists) to be helpful. They allow a finer-grained permission model compared to the user:group:other model. I have found them to be easier to keep straight in my head since I can be more explicit and can also set the "default" behaviour for a branch of the file system.

For example, you can specify each user's permissions explicitly:

setfacl -Rm d:u:userA:rwX,u:userA:rwX /var/www
setfacl -Rm d:u:userB:rwX,u:userB:rwX /var/www

Or you can do it based on some shared group:

setfacl -Rm d:g:groupA:rwX,g:groupA:rwX /var/www

And perhaps you want to keep your Apache user read-only:

setfacl -Rm d:u:www-data:rX,u:www-data:rX /var/www

Man pages:

Tutorial

39
2019-05-20 22:54:14
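The ACL layout from this answer, applied to a throwaway directory as an added example; it is not the answer's own code. The numeric uids 60001 and 60002 are hypothetical stand-ins for userA and www-data, because an unprivileged demo cannot create accounts; ACL entries are stored by uid, so setfacl and getfacl accept numbers. The block also checks two things the answer leaves out: once a directory carries a default ACL the kernel ignores the umask for files created in it (the mask comes from the default mask and the requested mode instead), and a plain chmod on a file that has an ACL rewrites its mask entry and silently clamps every named user and group entry. If setfacl is missing or the filesystem rejects ACLs, demo prints `unsupported` instead of results.

```shell
#!/bin/sh
# Added example, not from the original answer: the setfacl layout on a temporary
# tree, with hypothetical numeric uids standing in for userA and www-data.
set -eu

DEV_UID=60001   # hypothetical stand-in for userA
WEB_UID=60002   # hypothetical stand-in for www-data

# acl_supported DIR: succeed only if setfacl exists and the filesystem holding DIR
# accepts a named-user ACL entry
acl_supported() {
    command -v setfacl >/dev/null 2>&1 || return 1
    probe=$(mktemp "$1/probe.XXXXXX")
    if setfacl -m "u:$DEV_UID:rw" "$probe" 2>/dev/null; then rc=0; else rc=1; fi
    rm -f "$probe"
    return "$rc"
}

# apply_acls DIR: the answer's layout, developer read/write and web user read-only,
# each with a matching default (d:) entry so new files under DIR inherit it
apply_acls() {
    setfacl -Rm "d:u:$DEV_UID:rwX,u:$DEV_UID:rwX" "$1"
    setfacl -Rm "d:u:$WEB_UID:rX,u:$WEB_UID:rX" "$1"
}

# effective_perms PATH UID: print the permissions UID actually gets on PATH.
# When the mask clamps an entry, getfacl appends "#effective:<perms>" to the line
# and that value is reported; otherwise the entry's own perms are.
effective_perms() {
    getfacl -c "$1" 2>/dev/null |
        awk -F: -v u="$2" '$1 == "user" && $2 == u { p = (NF >= 4) ? $4 : substr($3, 1, 3); print p; exit }'
}

# demo: one line of results:
#   <dir, dev> <file, dev> <file, web> <new file under umask 077, dev> <file after chmod 644, dev>
demo() {
    root=$(mktemp -d)
    if ! acl_supported "$root"; then rm -rf "$root"; echo unsupported; return 0; fi
    site="$root/site1"
    mkdir "$site"
    printf '<h1>hi</h1>\n' > "$site/index.html"   # constructed content
    chmod 755 "$site"
    chmod 644 "$site/index.html"

    apply_acls "$root"
    dir_dev=$(effective_perms "$site" "$DEV_UID")
    file_dev=$(effective_perms "$site/index.html" "$DEV_UID")
    file_web=$(effective_perms "$site/index.html" "$WEB_UID")

    # a file created under a restrictive umask: the default ACL is inherited and
    # the umask is not applied, so the developer still gets rw-
    ( umask 077; printf 'x\n' > "$site/new.html" )
    new_dev=$(effective_perms "$site/new.html" "$DEV_UID")

    # someone runs the usual chmod: the mask becomes r-- and the developer's rw-
    # entry is clamped to read-only even though getfacl still lists it as rw-
    chmod 644 "$site/index.html"
    clamped_dev=$(effective_perms "$site/index.html" "$DEV_UID")

    rm -rf "$root"
    printf '%s %s %s %s %s\n' "$dir_dev" "$file_dev" "$file_web" "$new_dev" "$clamped_dev"
}

demo
```

On a filesystem with ACL support the line is `rwx rw- r-- rw- r--`: rwX gives the developer execute on the directory but not on the HTML file, the web uid stays read-only, the new file inherits the developer's write access despite umask 077, and the final field is the clamp caused by chmod 644, which is why trees managed with ACLs should be changed with setfacl rather than chmod.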