Default file permissions for php user www-data
I have PHP installed on my Ubuntu machine. The web root is /var/www.
I set the permissions for this folder like so:
sudo chown -R ftpuser:www-data /var/www
ftpuser is the user I set up so I can FTP to /var/www from another machine on the network. www-data is the user PHP uses. I double-checked using whoami from PHP.
Whenever I FTP upload a new file to the machine, the group has no permissions to the file. So when I try to access it in my browser via machine-name/new-file.php I am told permission denied and I have to go and chmod the new file.
I am wondering if there is a way I can default the www-data user/group to have access permissions to new files so I don't have to keep chmod every new file?
You could use ACL. To set up ACL for Ubuntu 10.10, first mount the file systems with the acl option in /etc/fstab.
sudo vim /etc/fstab
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx / ext4 defaults,acl 0 1
sudo mount -o remount,acl /
Then make a group to which a user may belong for this purpose.
sudo groupadd developers
sudo usermod -a -G developers $username
The user needs to log out and in again to become a member of the developers group.
Of course, do not do this if you have content in the /var/www directory that you want, but just to illustrate setting it up to start:
sudo rm -rf /var/www
sudo mkdir -p /var/www/public
sudo chown -R root:developers /var/www/public
sudo chmod 0775 /var/www/public
sudo chmod g+s /var/www/public
sudo setfacl -d -m u::rwx,g::rwx,o::r-x /var/www/public
Then replace references to "/var/www" with "/var/www/public" in a config file and reload.
sudo vim /etc/apache2/sites-enabled/000-default
sudo /etc/init.d/apache2 reload
If we wanted to restrict delete and rename from all but the user who created the file:
sudo chmod +t /var/www/public
This way, if we want to create directories for frameworks that exist outside the Apache document root or maybe create server-writable directories, it's still easy.
Apache-writable logs directory:
sudo mkdir /var/www/logs
sudo chgrp www-data /var/www/logs
sudo chmod 0770 /var/www/logs
Apache-readable library directory:
sudo mkdir /var/www/lib
sudo chgrp www-data /var/www/lib
sudo chmod 0750 /var/www/lib
I'm sure you have sorted this out already, so this is for anybody with a similar request.
Run the "change ownership" command on your webroot folder:
sudo chown manny -R www
This will make you the owner (replace "manny" with your username), enabling you to write/read within the www folder.
If your webserver cannot even read the files, it's very likely that the permissions of new-file.php are something like 600 (read and write for owner). Search for an umask setting in your FTP application, and make sure it's something like 007.
If your web application needs to chmod the files (or other operations which can only be done by the file owner), you need another approach. If you're using Apache, you should consider using the itk MPM. With that module, you can make Apache run/open the files using the same user as "ftpuser". If you need more information about this subject, add a comment.
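
The umask effect described in the last answer, as an added example that is not part of any of the answers above: it shows which mode a new file gets under umask 077, 022 and 007, and provides two checks for a web root. The function names are illustrative, and GNU stat and find (as shipped on Ubuntu) are assumed.

```shell
#!/bin/bash
# Added example (not from the answers above). Function names are illustrative.
# Assumes GNU coreutils/findutils, as shipped on Ubuntu.

# Print the octal mode a newly created file gets under the given umask.
# Works in a throwaway directory so nothing under /var/www is touched.
mode_for_umask() {
    local dir mode
    dir=$(mktemp -d) || return 1
    # Subshell keeps the umask change from leaking into the caller.
    ( umask "$1" && : > "$dir/new-file.php" )
    mode=$(stat -c '%a' "$dir/new-file.php")
    rm -rf "$dir"
    printf '%s\n' "$mode"
}

# List regular files under a directory that the owning group cannot read
# (the state that makes www-data get "permission denied").
list_group_unreadable() {
    find "$1" -type f ! -perm -040 -print
}

# List files and directories that anyone on the system can write to.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print
}

# Demonstration on constructed input: compare three umask values.
for mask in 077 022 007; do
    printf 'umask %s -> new file mode %s\n' "$mask" "$(mode_for_umask "$mask")"
done
```

Running list_group_unreadable /var/www after an upload shows which files the www-data group still cannot read; list_world_writable /var/www flags anything left open to every local user.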