34

I am creating a website and part of the function is to write out user generated data with php. I'm using nginx on Ubuntu 13.04. A the moment I'm only testing and everything is served through nginx on locahost.

My php script fails to write the text file (although I can do this manually) and I think it's a permissions problem for writing to my /var/www/example.com/public_html directory.

At the moment I (iain) own this directory but it seems it would make more sense to transfer ownership of the /var/www directory and everything inside that to the www-data user (or should that be group?) and add myself to the www-data group. Is the following the right way to do this?

useradd -G www-data iain
chown -R www-data:www-data /var/www/example.com
chmod 775 /var/www

So does this mean anyone in the www-data group can now read, write and exec in /var/www?

Improve this question
0

1 Answer 1

Reset to default
68

First, useradd creates a new user. As you (iain) already exist, you want to call usermod instead. So that would be:

sudo usermod -aG www-data iain
addgroup www-data

(note the -a on Debian-based servers (Ubuntu included) that will add you to that group, and keep your membership to other groups. Forget it and you will belong to the www-data group only - could be a bad experience if one of them was wheel. On SUSE-type servers the option is -A instead of -aG so read man usermod carefully to get it right.)

Second, you don't want apache to have full rw access to /var/www: this is potentially a major security breach. As a general rule, allow only what you need, and nothing more (principle of least privilege). In this case, you need apache (www-data) and you (www-data group) to write (and read) in /var/www/example.com/public_html, so

sudo chown -R www-data:www-data /var/www/example.com/public_html
sudo chmod -R 770 /var/www/example.com/public_html

Edit: to answer your original question, yes, any member of www-data can now read and execute /var/www (because the last bit of your permissions is 5 = read + exec). But because you haven't used the -R switch, that applies only to /var/www, and not to the files and sub-directories it contains. Now, whether they can write is another matter, and depends on the group of /var/www, which you haven't set. I guess it is typically root:root, so no, they (probably) can't write.

Edit on 2014-06-22: added a note that -aG option is valid on Debian-based servers. It apparently varies with the distribution, so read man carefully before executing.

Improve this answer
4
  • Ok, I see. Group of /var/www is indeed root:root. Thanks for the link. Does seem more sensible to be in the habit of granting what's required rather than going for convenience. Thanks for the guidance.
    – duff
    Commented Sep 16, 2013 at 17:33
  • 2
    Ok, so I've just tried to write to /var/www/example.com/public_html with cp -r php /var/www/example.com/public_html and I get permission denied. I'm in the www-data group which has rwxrwx--- permissions for this dir. Why is this?
    – duff
    Commented Sep 16, 2013 at 17:59
  • 1
    There could be many things here. For example you could not have permission to read some things in php, or you didn't log out and in after usermod (I updated my answer on that point with addgroup to avoid this, and precised where to use sudo).
    – Calimo
    Commented Sep 17, 2013 at 8:20
  • From all the answers regarding www-data:www-data, this one solved the issue with missing permissions. Thank you.
    – Eugene
    Commented Oct 27, 2015 at 11:53

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .