Make owner of newly created files AND folders www-data instead of superuser/admin
I've been struggling with permissions so far, and posted another question but identified what the problem was, without any way to fix it yet.
My setup:
- Ubuntu Desktop with LAMP stack
- 5 "users" I've created on the Ubuntu server using
sudo useradd -r -s /bin/false USERNAME
and which are used to access the local network shared folders, i.e. for the computers on my network to connect to the /var/www folder, shared using Samba.
EDIT: The purpose is to create sort of a "master localhost" where all the computers in my local network can work on the same website, locally (I do NOT have a static IP address, thus the server can't be accessed from elsewhere).
My problem:
Currently when I create a new folder on /var/www/html (ex: Creating the folder /var/www/html/testsite1) using any computer of the network, this folder is automatically owned by boris:www-data ("boris" being the main admin user on my ubuntu desktop install, and it shows indeed boris:www-data when running ls -l on the newly created folder), which is causing problems with my current setup (using Duplicator Plugin for wordpress by LifeInTheGrid mostly).
However, both my /var/www and my /var/www/html are owned by www-data:www-data
Hence, I would like to know how I can:
1. Change ownership to www-data:www-data of all files AND directories below /var/www and /var/www/html
2. Make sure any file or folder I will create with any of the users of my network will automatically be owned by www-data:www-data (That includes files automatically created by php scripts as it is what the Duplicator plugin does if I'm not wrong).
Is there a way to do that?
Note: I am a super newbie with things related to Linux and command lines, but I catch up fast.
Note 2: umask is already set as 0002
EDIT:
Tried this:
sudo chown -R www-data:www-data /var/www/
And then set setuid and setgid bits by doing this:
sudo chmod u+s /var/www/html
sudo chmod g+s /var/www/html
Then logged-off, restarted apache, and tried to create a new folder using a Mac connected to my server through network IP (local IP, not static).
I ran ls -l on /var/www/html
Output is still:
drwxr-sr-x 2 boris www-data testsite1
Note:
I already checked my apache config before and envvars, it is already set to:
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
EDIT: I tried it backwards, e.g setting up everything to be owned by boris:www-data and set my envvars apache config to boris:www-data. IT WORKED!
Here is what I did:
Changed envvars to
export APACHE_RUN_USER=boris
export APACHE_RUN_GROUP=www-data
Ran
sudo chown -R boris:www-data /var/www/
Restarted Apache, created a new folder, added my files, ran the plugin, now says it's good !!!
Answer to Question #1: Recursive chown
A recursive chown will let you set ownership and group to what you want for /var/www/... . This is the command you should use:
sudo chown -R www-data:www-data /var/www/
With that, every file and folder will be set as such inside there with those ownership permissions.
Half-Answer to Question #2: setgid bit
If you want default group ownership on files, set the setgid bit on the /var/www/html folder. New files should then be created with that group as stated on the folder.
sudo chmod g+s /var/www/html
You'll need to set write permissions, though, if any user OTHER than www-data is writing to the directories, and doing so can open you to a security hole or two if you're not careful.
You end up with permissions being $USER:www-data; to change the owner you then use a chown as indicated in method #1 (that said, in a proper setup you should rely on group permissions, not user owner permissions, for access to the web files).
PHP Wordpress Duplicator Problem
The problem with permissions is that the user/group PHP runs as needs write and read and likely +x on the directory to edit the dir structure and such.
PHP runs as www-data by default in Ubuntu installs which use the default configurations. Ideally, your steps above would make the issue fixed, as you're stuck with the Duplicator Plugin being a PHP plugin.
Ideally you should also check the documentation for the Duplicator Plugin to verify what permissions it needs to run and work.
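What the setuid and setgid bits on a directory do on Linux, reproduced in a throwaway temp directory under the question's umask of 0002: the setgid bit and the group pass to new children, while the setuid bit is ignored and the owner stays the creating user, which matches the "drwxr-sr-x 2 boris www-data testsite1" output in the question. This is an added example, not part of the question or the answer above; the names shared, testsite1 and index.php are constructed.

```bash
#!/usr/bin/env bash
# Added example. Runs in a throwaway temp dir, needs no root and touches nothing
# under /var/www. "shared", "testsite1" and "index.php" are constructed names.

# Build a directory with the bits the question set (u+s and g+s), create a
# subdirectory and a file in it under umask 0002, and print one
# "name mode uid gid" line per entry. The ( ) body keeps the umask local.
setgid_demo() (
  umask 0002
  base=$(mktemp -d) || exit 1
  shared="$base/shared"
  mkdir "$shared"
  # Use a supplementary group of the caller if one can be applied, so the
  # inherited group differs from the caller's primary group.
  for g in $(id -G); do
    if [ "$g" != "$(id -g)" ] && chgrp "$g" "$shared" 2>/dev/null; then break; fi
  done
  chmod u+s,g+s "$shared"          # chgrp first: it would clear these bits
  mkdir "$shared/testsite1"
  : > "$shared/index.php"
  for p in "$shared" "$shared/testsite1" "$shared/index.php"; do
    echo "${p##*/} $(stat -c '%a %u %g' "$p")"   # GNU stat, as on Ubuntu
  done
  rm -rf "$base"
)

# Field $3 (2=mode 3=uid 4=gid) of the line for entry $1 in report $2.
field() { printf '%s\n' "$2" | awk -v n="$1" -v f="$3" '$1 == n { print $f }'; }

report=$(setgid_demo)
printf '%s\n' "$report"
# The subdirectory carries setgid but not setuid, and both children take the
# parent's group while keeping the creating user as owner.
```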
To make sure any file or folder you create in /var/www/html gets automatically owned by www-data you can use inotify, it's like cron but monitors folders/files for changes in attributes, file creations, modifications and much more.
First install it with:
$ sudo apt-get install incron
Allow root to use incron by opening /etc/incron.allow with:
$ sudo vim /etc/incron.allow
and add root to the file, then save and exit.
Edit your incrontab with:
$ sudo incrontab -u root -e
and add the following line to it:
/var/www/html IN_CREATE /bin/chown -R www-data:www-data /var/www/html/
save and exit.
Now as soon as a file is created in the /var/www/html directory it will automatically set ownership to www-data:www-data.
Explanation of the line in incrontab:
- /var/www/html is the directory that will be monitored.
- IN_CREATE will watch for created files. It's the file change mask.
- /bin/chown -R www-data:www-data /var/www/html/ is the command/action to execute.
Change ownership to www-data:www-data of all files AND directories below /var/www and /var/www/html
cd /var/www/
chown -R www-data:www-data /var/www/
- ./html is implied here (as being part of /var/www/)
- -R makes it recursive (so it will traverse all directories in /var/www/).
Make sure any file or folder I will create with any of the users of my network will automatically be owned by www-data:www-data
- Inside /var/www/html/ I would assume?
Set your apache config to www-data. See /etc/apache2/envvars
# envvars - default environment variables for apache2ctl
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
You need to restart apache after editing this (sudo service apache2 restart).
That includes files automatically created by php scripts as it is what the Duplicator plugin does if I'm not wrong).
The problem here probably is not the plugin but php. The user should be the same process that PHP runs under. So you probably need to set that to www-data too if that is your user and group (/etc/php5/apache2/php.ini).
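A read-only check that lists which entries under the web root deviate from the ownership and mode the answers above aim for, useful for confirming what a recursive chown and the setgid bit achieved. This is an added example, not part of any answer on this page; audit_webroot is a hypothetical helper name and -printf assumes GNU find.

```bash
#!/usr/bin/env bash
# Added example: read-only audit, changes nothing. audit_webroot is a
# hypothetical helper name; -printf requires GNU find (the Ubuntu default).

# Usage: audit_webroot DIR OWNER GROUP
# Prints "<finding> <path>" for each entry that deviates from the policy.
audit_webroot() {
  local root="$1" owner="$2" group="$3"
  # Owner or group differs from the expected one, e.g. boris:www-data.
  find "$root" ! -user "$owner" -printf 'wrong-owner %p\n'
  find "$root" ! -group "$group" -printf 'wrong-group %p\n'
  # Writable by "other": any account that can reach the path can modify it.
  find "$root" ! -type l -perm -0002 -printf 'world-writable %p\n'
  # Directory without setgid: entries created in it will not inherit its group.
  find "$root" -type d ! -perm -2000 -printf 'no-setgid %p\n'
}

# Example invocation on the server from the question:
#   audit_webroot /var/www/html www-data www-data
```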