16

I've been struggling with permissions so far, and posted another question but identified what the problem was, without any way to fix it yet.

My setup:

  • Ubuntu Desktop with LAMP stack
  • 5 "users" I created in the Ubuntu server using sudo useradd -r -s /bin/false USERNAME, which are used to access the local network shared folders, i.e. for the computers on my network to connect to the /var/www folder, shared using Samba.
  • EDIT: The purpose is to create sort of a "master localhost" where all the computers in my local network can work on the same website, locally (I do NOT have a static IP address, thus the server can't be accessed from elsewhere).

My problem:

Currently when I create a new folder on /var/www/html (ex: creating the folder /var/www/html/testsite1) using any computer of the network, this folder is automatically owned by boris:www-data ("boris" being the main admin user on my Ubuntu desktop install, and it shows indeed boris:www-data when running ls -l on the newly created folder), which is causing problems with my current setup (using the Duplicator Plugin for WordPress by LifeInTheGrid mostly). However, both my /var/www and my /var/www/html are owned by www-data:www-data.

Hence, I would like to know how I can:

  • Change ownership to www-data:www-data of all files AND directories below /var/www and /var/www/html

  • Make sure any file or folder I will create with any of the users of my network will automatically be owned by www-data:www-data (That includes files automatically created by php scripts as it is what the Duplicator plugin does if I'm not wrong).

Is there a way to do that?

Note: I am a super newbie with things related to Linux and command lines, but I catch up fast.

Note 2: umask is already set as 0002

EDIT:

Tried this:

sudo chown -R www-data:www-data /var/www/

And then set setuid and setgid bits by doing this:

sudo chmod u+s /var/www/html
sudo chmod g+s /var/www/html

Then logged-off, restarted apache, and tried to create a new folder using a Mac connected to my server through network IP (local IP, not static).

I Ran

ls -l on /var/www/html

Output is still:

drwxr-sr-x 2 boris   www-data  testsite1

Note:

I already checked my apache config before and envvars, it is already set to:

export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data

EDIT: I tried it backwards, e.g setting up everything to be owned by boris:www-data and set my envvars apache config to boris:www-data. IT WORKED!

Here is what I did:

Changed envvars to

export APACHE_RUN_USER=boris
export APACHE_RUN_GROUP=www-data

Ran

sudo chown -R boris:www-data /var/www/

Restarted Apache, created a new folder, added my files, ran the plugin; now it says it's good!!!

  • It is a bad idea for security to set files to be owned by the www-data user or group, though in rare cases it can be necessary for certain files the web server needs write access to. What is it you are trying to achieve? – thomasrutter Jun 02 '15 at 12:18

5 Answers

16

Answer to Question #1: Recursive chown

A recursive chown will let you set ownership and group to what you want for /var/www/.... This is the command you should use:

sudo chown -R www-data:www-data /var/www/

With that, every file and folder will be set as such inside there with those ownership permissions.


Half-Answer to Question #2: setgid bit

If you want default group ownership on files, set the setgid bit on the /var/www/html folder. New files should then be created with that group as stated on the folder.

sudo chmod g+s /var/www/html

You'll need to set write permissions, though, if any user OTHER than www-data is writing to the directories, and doing so can open you to a security hole or two if you're not careful.

You end up with permissions being $USER:www-data; to change the owner you then use a chown as indicated in method #1 (that said, in a proper setup you should rely on group permissions, not user owner permissions, for access to the web files).


PHP Wordpress Duplicator Problem

The problem with permissions is the user/group PHP runs as needs write and read and likely +x on the directory to edit the dir structure and such.

PHP runs as www-data by default in Ubuntu installs which use the default configurations. Ideally, your steps above would fix the issue, as you're stuck with the Duplicator Plugin being a PHP plugin.

Ideally you should also check the documentation for the Duplicator Plugin to verify what permissions it needs to run and work.

Thomas Ward
  • 80,112
  • 1
    Me likes the setuid method :) – Rinzwind Jun 02 '15 at 12:00
  • This is exactly what I was looking for!!!! Only problem: it didn't work :-( I created a folder on my mac (i.e. NOT with the ubuntu desktop computer) by accessing my server through its local IP. When I ran ls -l, still owned by boris:www-data :-/ – Boris Chevreau Jun 02 '15 at 12:05
  • Is it because I set user ownership on files but not on folders? Is it just because the folder I create CANNOT be automatically owned by www-data:www-data? – Boris Chevreau Jun 02 '15 at 12:06
  • Mac is different than Linux, and if you are really unlucky then this method won't work and you will end up having to mess with a lot more than just simple permissions (such as ACLs and other things) in order to set up default files. Also, 'didn't work' is ambiguous. define didn't work and include outputs as edits to the question. – Thomas Ward Jun 02 '15 at 12:11
  • @BorisChevreau it may be the case that the system won't setuid the files created by another user - this could be due to, say, the issue I alluded to that your users wouldn't be able to edit files (and you own those files currently). Typically you would leave user ownership alone and give the www-data group access rights (rather than rely on changing the owner user) – Thomas Ward Jun 02 '15 at 12:12
  • @BorisChevreau question: is the web server on a Mac or an Ubuntu system? As I said before, Mac and Linux are similar but they are wildly different with default permission handling and such... – Thomas Ward Jun 02 '15 at 12:15
  • web server is on an Ubuntu system. I can pretty much do any edit you tell me to do if it can fix my problem indeed. Just let me know your suggestions I'll try them all :-) – Boris Chevreau Jun 02 '15 at 12:25
  • so I could simply run the lines you mentioned earlier but by changing www-data:www-data to simply :www-data am I correct ? – Boris Chevreau Jun 02 '15 at 12:26
  • Another note: I ran all the commands you mentioned using sudo, is there where the problem is? As I'm logged as superuser, not as root – Boris Chevreau Jun 02 '15 at 12:27
  • Any thoughts ? :'-( – Boris Chevreau Jun 02 '15 at 13:24
  • @ThomasWard Thanks for sharing this tip. But this method didn't seem to work on Ubuntu 16.04 LTS. It looks like setuid applied to directory is ignored. – Eduardo B. Nov 16 '16 at 13:18
  • 1
    setuid applied to directories is always ignored on Linux, iirc – muru Nov 16 '16 at 15:19
6

To make sure any file or folder you create in /var/www/html gets automatically owned by www-data you can use inotify; it's like cron but monitors folders/files for changes in attributes, file creations, modifications and much more.

First install it with:

$ sudo apt-get install incron

Allow root to use incron by opening /etc/incron.allow with:

$ sudo vim /etc/incron.allow

and add root to the file, then save and exit.

Edit your incrontab with:

$ sudo incrontab -u root -e

and add the following line to it:

/var/www/html IN_CREATE /bin/chown -R www-data:www-data /var/www/html/

save and exit.

Now as soon as a file is created in the /var/www/html directory it will automatically set ownership to www-data:www-data.

Explanation of the line in incrontab:

/var/www/html is the directory that will be monitored.

IN_CREATE will watch for created files. It's the file change mask.

/bin/chown -R www-data:www-data /var/www/html/ is the command/action to execute.

krt
  • 2,046
  • 1
    They can achieve something like this without inotify and setgid - user ownership likely shouldn't be changing often and they can reset user ownership themselves... or use ACLs which can be a pain – Thomas Ward Jun 02 '15 at 12:13
  • The whole purpose of this server is for us to use it as a "master local host", e.g. create localhost websites and be able to edit/replace/move and create test sites on the fly very easily. If I have to reset manually everything, it kills the entire purpose :-/ – Boris Chevreau Jun 02 '15 at 12:51
  • Is this "incron" way the only way? I do not understand why it has to be so complicated. What I am looking for is a simple way for all my computers in the network to create a website on this server. Ultimately, as I don't have a static IP (hence security isn't an issue), is there another turnaround you would have in mind? – Boris Chevreau Jun 02 '15 at 12:52
3

Change ownership to www-data:www-data of all files AND directories below /var/www and /var/www/html

cd /var/www/
chown -R www-data:www-data /var/www/
  • ./html is implied here (as being part of /var/www/)
  • -R makes it recursive (so it will traverse all directories in /var/www/).

Make sure any file or folder I will create with any of the users of my network will automatically be owned by www-data:www-data

  • Inside /var/www/html/ I would assume?

Set your apache config to www-data. See /etc/apache2/envvars

# envvars - default environment variables for apache2ctl

export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data

You need to restart apache after editing this (sudo service apache2 restart).

That includes files automatically created by php scripts as it is what the Duplicator plugin does if I'm not wrong).

The problem here probably is not the plugin but php. The user should be the same process that PHP runs under. So you probably need to set that to www-data too if that is your user and group (/etc/php5/apache2/php.ini).

Rinzwind
  • 310,127
  • Ubuntu defaults run PHP processes/workers as www-data, as does Debian, I believe. – Thomas Ward Jun 02 '15 at 11:47
  • Also, the issue with /var/www/html is also group ownership and read/write privs. The other problem is they want any file created by a user to have www-data:www-data, and my guess is that those are network users, not the Wordpress users, so you have to go after Linux file permissions. – Thomas Ward Jun 02 '15 at 11:51
  • Those are network users indeed, it's users I've created in the ubuntu server using sudo useradd -r -s /bin/false USERNAME and which are used to access the local network shared folders – Boris Chevreau Jun 02 '15 at 12:55
  • What if I change the ownership and write permissions of all folders and files back to boris:www-data, then change the envvars for apache to be boris:www-data ? Would that maybe fix the problem since anytime I create a new file it is set as owner being boris:www-data? – Boris Chevreau Jun 02 '15 at 13:10
2

I solved it ! I still think it was an Apache envvars problem, but unsure if that is the particular thing that solved the problem... Anyway here is what I did:

Changed envvars to

export APACHE_RUN_USER=boris
export APACHE_RUN_GROUP=www-data

Ran

sudo chown -R boris:www-data /var/www/

Now it's working so far. Will test further...

0

The earlier answer by @krt is definitely the way to go, using the Linux feature of inotify that sends filesystem events and the incrontab tool that subscribes to and does actions based on them.

Otherwise the answer and steps to follow are good, but the command itself needs to be changed.

Here is the command you should add instead:

/var/www/html IN_CREATE /bin/chown -R www-data:www-data '$@/$#'

Explanation:

  • $@ - The heading path of the event, e.g. /var/www/html
  • $# - The trailing path of the event, e.g. some_directory/some_file
  • Path needs to be single-quoted to handle special characters properly, but the function for escaping paths is currently broken in 0.5.12, see the note below ...

So $@/$# becomes /var/www/html/some_directory or /var/www/html/some_directory/some_file

This way the command actually changes the ownership of the newly created/moved file.

In the original version of @krt with the command /bin/chown -R www-data:www-data /var/www/html/, it didn't take into account the file being created but chown'd the entire directory tree recursively every time a file was changed. That is completely unnecessary and could degrade performance if the directory structure is large and files are created often.

NOTE
At the time of writing, September 6, 2025, the current version 0.5.12 segfaults on recent Linux kernels on IN_CREATE events for directories. The function to create a safe path is also flawed, creating a vulnerability for command injection.

To fix these issues, get the fixed 0.5.12a version. Here is the spell for installing incron and replacing the binary on Ubuntu/Debian:

apt-get install incron
incrond -V  # check the version you're replacing, should print "0.5.12"
cd /usr/local/src
git clone https://github.com/anzz1/incron.git
cd incron
make
cp incrond /usr/sbin/incrond
incrond -V  # should now print "0.5.12a"
service incron restart
anzz1
  • 1
  • 1
  • Welcome to Ask Ubuntu and thanks for your contribution! It's okay to add a new answer (rather than a comment) when there's a lot of explanation needed (like here). Alternatively, even as a new user, you do have the ability to edit the existing answer, but it can be iffy as to whether it will be accepted or not. Usually, I'd recommend starting with an edit, and if it's rejected, enter an alternative answer. In this case, though, we'll just leave your answer in place. Thanks! – NotTheDr01ds Sep 06 '25 at 17:22
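Because the incrontab line above hands a user-controlled path to chown, and the answer notes that incron's own path escaping has been unreliable, it helps to put a small handler between incron and chown. This added example, not code from the answer or from incron, treats its argument as one opaque path, resolves it, and acts only if it really lies below the watched root; the script name /usr/local/sbin/webroot-chown is hypothetical, and it assumes GNU coreutils (realpath) and that incron passes the path as a single argument:

```shell
#!/bin/sh
# Added example (not from the answer above): an incron handler that touches
# only the single path it was given, and only when that path lives inside the
# watched root. Install as e.g. /usr/local/sbin/webroot-chown (hypothetical
# name) and point the incrontab line at it instead of at chown directly:
#   /var/www/html IN_CREATE /usr/local/sbin/webroot-chown /var/www/html www-data:www-data '$@/$#'
# Assumes GNU coreutils (realpath) and that incron hands the path over as one argument.

# inside_root ROOT PATH: 0 if PATH resolves to something strictly below ROOT
inside_root() {
    root=$(realpath -- "$1") || return 1
    target=$(realpath -- "$2") || return 1   # fails if the path no longer exists
    case "$target" in
        "$root"/*) return 0 ;;               # below the root: fine
        *) return 1 ;;                       # the root itself, outside it, or a symlink escaping it
    esac
}

# webroot_chown ROOT OWNERSPEC PATH: apply OWNERSPEC to PATH only when it is inside ROOT
webroot_chown() {
    root=$1; spec=$2; target=$3
    if inside_root "$root" "$target"; then
        # -R covers a freshly created or moved-in directory; GNU chown -R does
        # not follow symlinks unless -H/-L is given, so nested links stay put
        chown -R -- "$spec" "$target"
    else
        printf 'refusing to chown %s: outside %s\n' "$target" "$root" >&2
        return 1
    fi
}

# When executed directly (rather than sourced for testing) act on the arguments.
if [ "$#" -eq 3 ]; then
    webroot_chown "$1" "$2" "$3"
fi
```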