Make owner of newly create files AND folders www-data instead of superuser/admin

I've been struggling with permissions so far, and posted another question but identified what the problem was, without any way to fix it yet.

My setup:

  • Ubuntu Desktop with LAMP stack
  • 5 "users" I created users I've create in the ubuntu server using sudo useradd -r -s /bin/false USERNAME and which are used to access the local network shared folders, i.e for the computers on my network to connect to the /var/www folder, shared using Samba.
  • EDIT: The purpose is to create sort of a "master localhost" where all the computers in my local network can work on the same website, locally (i do NOT have a static IP address thus the server can't be accessed from elsewhere).

My problem:

Currently when I create a new folder on /var/www/html (ex: Creating the folder /var/www/html/testsite1) using any computer of the network, this folder is automatically owned by boris:www-data ("boris" being the main admin user on my ubuntu desktop install, and it shows indeed boris:www-data when running ls -l on the newly created folder), which is causing problems with my current setup (using Duplicator Plugin for wordpress by LifeInTheGrid mostly). However, both my /var/www and my /var/www/html are owned by www-data:www-data

Hence, I would like to know how I can:

  • Change ownership to www-data:www-data of all files AND directories below /var/www and /var/www/html

  • Make sure any file or folder I will create with any of the users of my network will automatically be owned by www-data:www-data (That includes files automatically created by php scripts as it is what the Duplicator plugin does if I'm not wrong).

Is there a way to do that?

Note: I am a super newbie with things related to Linux and command lines, but I catch up fast.

Note 2: umask is already set as 0002

EDIT:

Tried this:

sudo chown -R www-data:www-data /var/www/

And then set setuid and setgid bits by doing this:

sudo chmod u+s /var/www/html
sudo chmod g+s /var/www/html

Then logged-off, restarted apache, and tried to create a new folder using a Mac connected to my server through network IP (local IP, not static).

I Ran

ls -l on /var/www/html

Output is still:

drwxr-sr-x 2 boris   www-data  testsite1

Note:

I already checked my apache config before and envvars, it is already set to:

export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data

EDIT: I tried it backwards, e.g setting up everything to be owned by boris:www-data and set my envvars apache config to boris:www-data. IT WORKED!

Here is what I did:

Changed envvars to

export APACHE_RUN_USER=boris
export APACHE_RUN_GROUP=www-data

Ran

sudo chown -R boris:www-data /var/www/

Restarted Apachem, created a new folder, add my files, ran the plugin, now says it's good !!!


Answer to Question #1: Recursive chown

A recursive chown will let you set ownership and group to what you want for /var/www/.... This is the command you should use:

sudo chown -R www-data:www-data /var/www/

With that, every file and folder will be set as such inside there with those ownership permissions.


Half-Answer to Question #2: setgid bit

If you want default group ownership on files, set the setgid bit on the /var/www/html folder. New files should then be created with that group as stated on the folder.

sudo chmod g+s /var/www/html

You'll need to set write permissions, though, if any user OTHER than www-data is writing to the directories, and doing so can open you to a security hole or two if you're not careful.

You end up with permissions being $USER:www-data; to change the owner you then use a chown as indicated in method #1 (that said, in a proper setup you should rely on group permissions, not user owner permissions, for access to the web files).


PHP Wordpress Duplicator Problem

The problem with permissions is the user/group PHP runs as needs write and read and likely +x on the directory to edit the dir structure and such.

PHP runs as www-data by default in Ubuntu installs which use the default configurations. Ideally, your steps above would make the issue fixed, as you're stuck with the Duplicator Plugin being a PHP plugin.

Ideally you should also check the documentation for the Duplicator Plugin to verify what permissions it needs to run and work.


To make sure any file or folder you create in /var/www/html gets automatically owned by www-data you can use inotify, it's like cron but monitors folders/files for changes in attribuets, file creations, modifications and much more.

First install it with:

$ sudo apt-get install incron

Allow root to use incron by opening /etc/incron.allow with:

$ sudo vim /etc/incron.allow

and add root to the file, then save and exit.

Edit your incrontab with:

$ sudo incrontab -u root -e

and add the following line to it:

/var/www/html IN_CREATE /bin/chown -R www-data:www-data /var/www/html/

save and exit.

Now as soon as a file is created in the /var/www/html direcotry it will automatically set onwership to www-data:www-data.

Explanation of the line in incrontab:

/var/www/html is the directory that will be monitored.

IN_CREATE will watch for created files. It's the file change mask.

/bin/chown -R www-data:www-data /var/www/html/ is the command/action to execute.


Change ownership to www-data:www-data of all files AND directories below /var/www and /var/www/html

cd /var/www/
chown -R  www-data:www-data /var/www/
  • ./html is implied here (as being part of /var/www/)
  • -R makes it recursive (so it will traverse all directories in /var/www/).

Make sure any file or folder I will create with any of the users of my network will automatically be owned by www-data:www-data

  • Inside /var/www/html/ I would assume?

Set your apache config to www-data. See /etc/apache2/envvars

# envvars - default environment variables for apache2ctl

export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data

You need to restart apache after editing this (sudo service apache restart).

That includes files automatically created by php scripts as it is what the Duplicator plugin does if I'm not wrong).

The problem here probably is not the plugin but php. The user should be the same process that PHP runs under. So you probably need to set that to www-data too if that is your user and group (/etc/php5/apache2/php.ini).