July 6, 2021 . 3 MIN READ
http://fideloper.com/user-group-permissions-chmod-apache
user-group-permissions-chmod-apache
I’ve been scouring the internet for good information on setting up user and group permissions for Apache. I’ll link some resources on the bottom here, but here’s what I found:
There are three sets of permissions to worry about with any directory/file:
Correspondingly, users have a username (unique to each user). Users can also be part of a group – In fact, multiple users can be part of the same group.
Note: The chmod command can accept numeric integers, such as 0664, which relate to user permissions. See this to help create these, if you wish
I will cover using chmod. Chmod is used to modify the permissions of a directory or file.
chmod -flags permissions /path/to/dir/or/file
-R
chmod -R … will recursively go through the directory provided and change all file/directory permissions as specified.
You can define for whom the permissions you are setting apply with these:
You can add or remove permissions using these:
You can set these permissions:
We need to set the owner/group of the web root (and any directories/files therein):
$ sudo chown -R www-data:www-data /var/www
We need to setup the proper permissions for users and groups. We do some blanket commands restricting access, and then open access up as much as we need to.
To start, make it so no-one but the current user (www-data) can access the web-root content. We use ‘go’, meaning apply to ‘group’ and ‘other’. We use ‘-‘, which means remove permissions. We use ‘rwx’ to remove read, write and execute permissions.
$ chmod go-rwx /var/www
Next, allow users of the same group (and ‘other’) to enter the /var/www directory. This is not done recursively. Once again, we use ‘group’ and ‘other’ but we use ‘+’ to allow the execute (‘x’) permission.
$ chmod go+x /var/www
Next, change all directories and files in the web root to the same group (www-data) – just in case there are files in there currently:
$ chgrp -R www-data /var/www
Next, let’s do another “reset” of sorts – Make it so only the user can access web content:
$ chmod -R go-rwx /var/www
And finally, make it so anyone in the same group can ready/write and execute directories/files in the web root.
$ chmod -R g+rx /var/www
I actually give group write permissions as well, for users which need to modify content, such as users used to deploy code. That looks like this:
$ chmod -R g+rwx /var/www
Often going through all of these steps isn’t necessary, but this is a useful exercise to see how these commands work!
To best share with multiple users who should be able to write in /var/www, it should be assigned a common group. For example the default group for web content on Ubuntu and Debian is www-data. Make sure all the users who need write access to /var/www are in this group.
sudo usermod -a -G www-data <some_user>
Then set the correct permissions on /var/www.
sudo chgrp -R www-data /var/www
sudo chmod -R g+w /var/www
Additionally, you should make the directory and all directories below it “set GID”, so that all new files and directories created under /var/www are owned by the www-data group.
sudo find /var/www -type d -exec chmod 2775 {} \;
Find all files in /var/www and add read and write permission for owner and group:
sudo find /var/www -type f -exec chmod ug+rw {} \;
You might have to log out and log back in to be able to make changes if you’re editing permission for your own account.
there’s a simple way..! try this
sudo chmod 757 -R /var/www
