/var/www owner for apache2 and ftp access

9,094

I'd recommend setting it to be owned by james:james.

Alternatively, you could leave it as root:root and require sudo for anybody deploying files in there, but if you are directly working in the /var/www directory (rather than working somewhere else and pushing the files there) that may not be convenient, and it won't work with FTP either.

You can set the owner of /var/www to whatever you like, as long as the www-data user has read access. You can achieve this by setting permissions to allow world read access (as is default).

By default, it is owned by root:root (not www-data as you state in the question).

  • For security, it is not a good idea to set it to be owned by www-data. www-data is intended to be an unprivileged account which cannot write to any files, and can only read them.

    Yes, occasionally you may need to give www-data the permission to write to a given file, but for security this should be strictly limited to those particular files, and precautions should be taken such as making sure no such files are executable as scripts by the web server (ie they are not in a location where they may be interpreted as PHP or CGI files), etc.

  • For security, it is an even worse idea to set the file permissions to world-writable (eg, 777). Unprivileged users such as www-data should not be able to write to files in this directory. The only people who need write access will be the people who are actually writing files in there.

  • The /var/www directory is intended to be yours to do with what you like. It makes sense to set ownership to whichever account will be editing the files. You can create a group for this purpose if you have multiple people, but in this case it's just you.

    Note: if creating a group, create a new group. Do not re-use the www-data group as that is intended to be an unprivileged group without write access to any files (as I explain above).


Too often I see people recommending adopting very bad security practices such as setting /var/www to be owned by www-data, or adding people to the www-data group in order to give that group editing privileges, or setting /var/www to be world-writable (eg 777). By doing any of this you are potentially opening yourself up to significant security problems.
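As an added example (not code from the answer or the question), the scheme the answer recommends as a small POSIX shell script: ownership goes to the editing account or a dedicated deploy group, directories get the setgid bit, everything stays world-readable so the web server can serve it, and an audit function flags the anti-patterns the answer warns about. The group name `webdeploy` and the web server account `www-data` are assumptions passed in as parameters.

```shell
#!/bin/sh
# Added example, not from the answer above. Assumed names: deploy group
# "webdeploy", web server account "www-data" (Debian/Ubuntu default).

# setup_webroot DIR OWNER GROUP
# Owner is the editing account (or a dedicated deploy group). Directories get
# the setgid bit so new files inherit the group; everything stays world-readable
# (so www-data can serve it) and is never world-writable.
setup_webroot() {
    dir=$1; owner=$2; group=$3
    chown -R "$owner:$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 2775 {} +   # drwxrwsr-x
    find "$dir" -type f -exec chmod 664 {} +    # -rw-rw-r--
}

# audit_webroot DIR [WEBUSER]
# Returns 0 when DIR is clean, 1 if anything under it is world-writable,
# owned by the web server account, or not world-readable.
audit_webroot() {
    dir=$1; webuser=${2:-www-data}; bad=0
    if find "$dir" -perm -0002 | grep -q .; then
        echo "world-writable (the 777 anti-pattern):" >&2
        find "$dir" -perm -0002 >&2
        bad=1
    fi
    # The web server account must not own the documents it serves; the stderr
    # redirect covers hosts where that account does not exist at all.
    if find "$dir" -user "$webuser" 2>/dev/null | grep -q .; then
        echo "owned by $webuser:" >&2
        find "$dir" -user "$webuser" 2>/dev/null >&2
        bad=1
    fi
    if find "$dir" ! -perm -0004 | grep -q .; then
        echo "not world-readable, $webuser cannot serve:" >&2
        find "$dir" ! -perm -0004 >&2
        bad=1
    fi
    return "$bad"
}
```

Run `setup_webroot /var/www james webdeploy` once, then `audit_webroot /var/www` after each deployment to catch a stray chmod 777 or a file that has ended up owned by www-data.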

Author: Erresen

Updated on September 18, 2022

Comments

  • Erresen
    Erresen over 1 year

    I've got apache2 running on Ubuntu Server 12.04 LTS on an old laptop. It's on my local network to act as a webserver to help me learn PHP (and linux).

    The default owner for the /var/www folder (where the webpages for apache are stored) is www-data. With the owner set to www-data I can't copy files/folders to that folder over ftp. If I change the owner of the /var/www folder to james (my ftp user) then I can move files over ftp but apache doesn't have access to display any pages or sub folders.

    What should the correct owner be to allow access for ftp user james and apache?

    • Dan
      Dan almost 11 years
      Is James in the www-data group?
    • Erresen
      Erresen almost 11 years
No, I don't believe so. Is www-data a group, not a user? Sorry, bit of a Linux noob.
    • Erresen
      Erresen almost 11 years
james is now in the www-data group. I still can't write to that folder over FTP as james.
    • thomasrutter
      thomasrutter over 9 years
      The default owner is not www-data, it's root.
    • thomasrutter
      thomasrutter over 9 years
      Don't put normal users in the www-data group. www-data is intended to be an unprivileged user and group with no write access, used exclusively by the web server itself only. You should create your own groups instead and use those if you wish to add people to a group and control write access by group.
    • Eliah Kagan
      Eliah Kagan over 9 years
      possible duplicate of this or that. Their answers at best don't emphasize security, and at worst recommend seriously insecure practices that don't even yield much convenience--sometimes claiming they are especially secure! In saying this is a dupe, I don't suggest having the www-data user own web docs, or giving write access to users through the www-data group, are good or even acceptable recommendations. Rather, I see no benefit in fragmenting information even more. New good answers can go on the existing questions.
  • Eliah Kagan
    Eliah Kagan over 9 years
    It sounds like you're saying it's harmful for human user accounts to be members of the www-data group, as though that alone would increase the power of a separate unprivileged user (such as the www-data user) in the www-data group. That is not the case. Group membership is a way users gain abilities, but a user's abilities do not rub off on a group of which it is a member, nor on other members of the same group. I hope you mean that the practice of making the www-data group confer write access (and adding users to it for that purpose) is harmful--which is true. Maybe edit to clarify?
  • thomasrutter
    thomasrutter over 9 years
    There is no reason to add human user accounts to the www-data group unless you are then going to give the www-data group some privileges it wouldn't normally have, and it's this giving of privileges to the www-data group that is harmful to security. If you only add users to the www-data group but change no file permissions or ownerships anywhere, it'll do nothing. Adding users to the www-data group is always an indication that somebody is probably doing something bad for security, because there is no legitimate reason to do it.
  • thomasrutter
    thomasrutter over 9 years
    I've made a subtle edit.
  • Cbhihe
    Cbhihe over 8 years
+1 Old post but highly educating answer and exchange. Something bugs me though. In my case /var/www is controlled by root:www-data with drwxr-sr-x privileges. So I "sudo-write" everything as the need arises. A year ago I added myself to the www-data group as a hack precisely in anticipation of what @EliahKagan suggests on world-read access... But how do you arrange for a select group of users controlling the contents of /var/www with rwx privileges? I am willing to appoint myself the owner of /var/www instead of root, but it does not solve my problem. Will you complete your answer on that?