Default file permissions for php user www-data

I have PHP installed on my Ubuntu machine. The web root is /var/www.

I set the permissions for this folder like so:

sudo chown -R ftpuser:www-data /var/www

ftpuser is the user I set up so I can ftp to /var/www from another machine on the network. www-data is the user php uses. I double checked using whoami from php.

Whenever I ftp upload a new file to the machine the group has no permissions to the file. So when I try to access it in my browser via machine-name/new-file.php I am told permission denied and I have to go and chmod the new file.

I am wondering if there is a way I can default the www-data user/group to have access permissions to new files so I don't have to keep running chmod on every new file?


You could use ACL. To set up ACL for Ubuntu 10.10, first mount the file systems with the acl option in /etc/fstab.

sudo vim /etc/fstab

UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx / ext4 defaults,acl 0 1

sudo mount -o remount,acl /

Then make a group to which a user may belong for this purpose.

sudo groupadd developers
sudo usermod -a -G developers $username

The user needs to log out and in again to become a member of the developers group.

Of course, do not do this if you have content in the /var/www directory that you want, but just to illustrate setting it up to start:

sudo rm -rf /var/www
sudo mkdir -p /var/www/public
sudo chown -R root:developers /var/www/public
sudo chmod 0775 /var/www/public
sudo chmod g+s /var/www/public
sudo setfacl -d -m u::rwx,g::rwx,o::r-x /var/www/public

Then replace references to "/var/www" with "/var/www/public" in a config file and reload.

sudo vim /etc/apache2/sites-enabled/000-default
sudo /etc/init.d/apache2 reload

If we wanted to restrict delete and rename from all but the user who created the file:

sudo chmod +t /var/www/public

This way, if we want to create directories for frameworks that exist outside the Apache document root or maybe create server-writable directories, it's still easy.

Apache-writable logs directory:

sudo mkdir /var/www/logs
sudo chgrp www-data /var/www/logs
sudo chmod 0770 /var/www/logs

Apache-readable library directory:

sudo mkdir /var/www/lib
sudo chgrp www-data /var/www/lib
sudo chmod 0750 /var/www/lib

I'm sure you have sorted this out already, so this is for anybody with a similar request.

Run the "change ownership" command on your webroot folder:

sudo chown manny -R www

This will make you the owner (replace "manny" with your username), enabling you to write/read within the www folder.


If your webserver cannot even read the files, it's very likely that the permissions of new-file.php are something like 600 (read and write for owner). Search for an umask setting in your FTP application, and make sure it's something like 007.

If your web application needs to chmod the files (or other operations which can only be done by the file owner), you need another approach. If you're using Apache, you should consider using the itk MPM. With that module, you can make Apache run/open the files using the same user as "ftpuser". If you need more information about this subject, add a comment.
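
The umask effect described in the last answer, as an added example that is not part of any answer above: it creates files under umask 077 and 007 and then lists the ones the group cannot read. The function names and the scratch directory standing in for /var/www are constructed for illustration; GNU stat and find, as shipped on Ubuntu, are assumed.

```sh
#!/bin/sh
# Added example: the uploading process's umask decides whether the
# web server's group (www-data in the question) can read a new file.

# Create an empty file at path $2 while umask $1 is in effect and print
# its octal mode. The subshell keeps the umask change local.
mode_under_umask() {
    (
        umask "$1"
        : > "$2"            # new files are requested with mode 0666
        stat -c %a "$2"     # GNU stat: print permission bits in octal
    )
}

# List regular files under $1 whose group has no read permission.
# A web server that only has group access gets "permission denied" on these.
group_unreadable() {
    find "$1" -type f ! -perm -g=r | sort
}

# Constructed demo: a scratch directory stands in for /var/www.
demo() {
    root=$(mktemp -d)
    printf 'umask 077 -> mode %s\n' "$(mode_under_umask 077 "$root/strict.php")"
    printf 'umask 007 -> mode %s\n' "$(mode_under_umask 007 "$root/shared.php")"
    echo "files the group cannot read:"
    group_unreadable "$root"
    rm -rf "$root"
}

demo
```

Running group_unreadable against the real web root after an upload shows which files still need their mode fixed, without changing anything.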