/var/www owner for apache2 and ftp access
I'd recommend setting it to be owned by james:james.
Alternatively, you could leave it as root:root and require sudo for anybody deploying files in there, but if you are directly working in the /var/www directory (rather than working somewhere else and pushing the files there) that may not be convenient, and it won't work with FTP either.
You can set the owner of /var/www to whatever you like, as long as the www-data user has read access. You can achieve this by setting permissions to allow world read access (as is default).
By default, it is owned by root:root (not www-data as you state in the question).
For security, it is not a good idea to set it to be owned by www-data. www-data is intended to be an unprivileged account which cannot write to any files, and can only read them.
Yes, occasionally you may need to give www-data the permission to write to a given file, but for security this should be strictly limited to those particular files, and precautions should be taken such as making sure no such files are executable as scripts by the web server (ie they are not in a location where they may be interpreted as PHP or CGI files), etc.
For security, it is an even worse idea to set the file permissions to world-writable (eg, 777). Unprivileged users such as www-data should not be able to write to files in this directory. The only people who need write access will be the people who are actually writing files in there.
The /var/www directory is intended to be yours to do with what you like. It makes sense to set ownership to whichever account will be editing the files. You can create a group for this purpose if you have multiple people, but in this case it's just you.
Note: if creating a group, create a new group. Do not re-use the www-data group as that is intended to be an unprivileged group without write access to any files (as I explain above).
Too often I see people recommending adopting very bad security practices such as setting /var/www to be owned by www-data, or adding people to the www-data group in order to give that group editing privileges, or setting /var/www to be world-writable (eg 777). By doing any of this you are potentially opening yourself up to significant security problems.
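The ownership rules in the answer above can be checked mechanically. The following shell function is an added example, not part of the original answer; the name audit_webroot is hypothetical, and the defaults /var/www and www-data are the ones discussed in the thread. It lists paths that are world-writable, owned by the web server account, group-writable by its group, or not world-readable.

```shell
#!/bin/sh
# Added example (not from the original answer): audit a web root against the
# rules in the answer. audit_webroot is a hypothetical helper name.
# Usage: audit_webroot [ROOT] [WEB_USER] [WEB_GROUP]
audit_webroot() {
    _root="${1:-/var/www}"
    _user="${2:-www-data}"
    _group="${3:-www-data}"

    _findings="$(
        # World-writable (e.g. 777): every local account, including the web
        # server, can modify the path. Symlinks are skipped because their own
        # mode bits are not meaningful.
        find "$_root" ! -type l -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'
        # Owned by the web server account: an owner can always chmod the path
        # writable, so ownership alone is reported.
        find "$_root" ! -type l -user "$_user" -print | sed 's/^/WEB-USER-OWNED /'
        # Group-owned by the web server group with the group write bit set.
        find "$_root" ! -type l -group "$_group" -perm -0020 -print |
            sed 's/^/WEB-GROUP-WRITABLE /'
        # Not readable by "other": the server cannot serve it unless it is
        # the owner or in the owning group.
        find "$_root" ! -type l ! -perm -0004 -print | sed 's/^/NOT-WORLD-READABLE /'
    )"

    if [ -n "$_findings" ]; then
        printf '%s\n' "$_findings" | sort
        return 1
    fi
    return 0
}
```

The function returns 0 with no output when the tree is clean and 1 when it prints findings, so it can gate a deployment step.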
Erresen
Updated on September 18, 2022
Comments
-
Erresen over 1 year
I've got apache2 running on Ubuntu Server 12.04 LTS on an old laptop. It's on my local network to act as a webserver to help me learn PHP (and linux).
The default owner for the /var/www folder (where the webpages for apache are stored) is www-data. With the owner set to www-data I can't copy files/folders to that folder over ftp. If I change the owner of the /var/www folder to james (my ftp user) then I can move files over ftp but apache doesn't have access to display any pages or sub folders.
What should the correct owner be to allow access for ftp user james and apache?
-
Dan almost 11 years: Is James in the www-data group?
-
Erresen almost 11 years: No, I don't believe so. Is www-data a group not a user? Sorry, bit of a Linux noob.
-
Erresen almost 11 years: james is now in the www-data group. I still can't write to that folder over ftp as james.
-
thomasrutter over 9 years: The default owner is not www-data, it's root.
-
thomasrutter over 9 years: Don't put normal users in the www-data group. www-data is intended to be an unprivileged user and group with no write access, used exclusively by the web server itself only. You should create your own groups instead and use those if you wish to add people to a group and control write access by group.
-
Eliah Kagan over 9 years: possible duplicate of this or that. Their answers at best don't emphasize security, and at worst recommend seriously insecure practices that don't even yield much convenience--sometimes claiming they are especially secure! In saying this is a dupe, I don't suggest having the www-data user own web docs, or giving write access to users through the www-data group, are good or even acceptable recommendations. Rather, I see no benefit in fragmenting information even more. New good answers can go on the existing questions.
-
Eliah Kagan over 9 years: It sounds like you're saying it's harmful for human user accounts to be members of the www-data group, as though that alone would increase the power of a separate unprivileged user (such as the www-data user) in the www-data group. That is not the case. Group membership is a way users gain abilities, but a user's abilities do not rub off on a group of which it is a member, nor on other members of the same group. I hope you mean that the practice of making the www-data group confer write access (and adding users to it for that purpose) is harmful--which is true. Maybe edit to clarify?
-
thomasrutter over 9 years: There is no reason to add human user accounts to the www-data group unless you are then going to give the www-data group some privileges it wouldn't normally have, and it's this giving of privileges to the www-data group that is harmful to security. If you only add users to the www-data group but change no file permissions or ownerships anywhere, it'll do nothing. Adding users to the www-data group is always an indication that somebody is probably doing something bad for security, because there is no legitimate reason to do it.
-
thomasrutter over 9 years: I've made a subtle edit.
-
Cbhihe over 8 years: +1 Old post but highly educating answer and exchange. Something bugs me though. In my case /var/www is controlled by root:www-data with drwxr-sr-x privileges. So I "sudo-write" everything as the need arises. A year ago I added myself to the www-data group as a hack precisely in anticipation of what @EliahKagan suggests on world-read access... But how do you arrange for a select group of users controlling the contents of /var/www with rwx privileges? I am willing to appoint myself the owner of /var/www instead of root, but it does not solve my pbm. Will you complete yr answer on that?