38

For files created from the testuser account in the /var/www directory, I need them to have g+rwx as permissions, and www-data as group.

How can I achieve this?

I'm creating the files via SSH.

apaderno
Mr.Gando
  • 1
    **How** is your user creating files? Via FTP `stor`/`appe` ? Via HTTP `PUT`? Through a shell account? These details are important, because they greatly affect the possible answers, and need to be in your question. – JdeBP Jan 23 '12 at 13:06
  • Thanks for the input :), I'm creating everything via SSH. – Mr.Gando Jan 23 '12 at 13:11

3 Answers

73

To set the group, give /var/www the setgid bit:

```
chgrp www-data /var/www
chmod g+s /var/www
```

To also adjust subdirectories: `find /var/www -type d -exec chmod g+s {} +`

This will make all newly created files inherit the parent directory's group, instead of the user's.


To set the default group permissions, you will have to use ACLs. Set a "default" ACL:

```
setfacl -m "default:group::rwx" /var/www
```

To also adjust subdirectories: `find /var/www -type d -exec setfacl -m d:g::rwx {} +`

Note: The file system must have ACL support enabled. Sometimes it is on by default; on ext3 or ext4 you might get "Operation not supported", in which case it must be enabled manually:

  • For a currently mounted filesystem: `mount -o remount,acl /`

  • Permanently – one of the methods below:

    • at fstab level: edit `/etc/fstab` to have `acl` in the options field

    • at filesystem level: `tune2fs -o acl /dev/diskname`

u1686_grawity
  • can't you get the subdirectories with chmod -R g+s /var/www? Doesn't seem like you should need the find command. – bobpaul Jan 14 '14 at 00:56
  • 6
    @bobpaul: No, because `chmod` would also get all files. – u1686_grawity Jan 14 '14 at 03:01
  • Note that some commands, in particular `install`, somehow manage to bypass directory default ACLs. – Ulrich Schwarz Dec 12 '18 at 06:41
  • @grawity This is a really great answer and I am sure that there is a solution in there for my problem, but I can't figure it out. I have a `/var/www/html/projects` folder and when www-data creates a file it has `rw-rw-r` permissions but when I do something in console it creates a file with `rw-r--r`. How can I force new created files to always have `rw-rw-r` permissions? – lewis4u Jul 29 '19 at 14:18
  • @lewis4u: Globally or per-directory? The global (well, per-process) default permissions are controlled by `umask`. The per-directory default permissions are changeable using `setfacl` as in the main post. – u1686_grawity Jul 29 '19 at 14:24
  • 1
    I just played around a little bit more and it seems this does the trick for me: `find projects -type d -exec chgrp www-data {} +` `find projects -type d -exec chmod g+s {} +` `sudo setfacl -R -d -m u::rw projects` – lewis4u Jul 29 '19 at 14:29
  • This was very helpful to me in August 2020. – Ken Ingram Aug 17 '20 at 17:15
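
A read-only audit for the setgid and default-ACL setup described in the answer above, as an added example that is not part of the original answers. It also flags regular files that picked up setgid (the side effect of `chmod -R g+s` raised in the comments) and directories where `chmod g+s` reported no error but the bit is not set. The function names are hypothetical, and the ACL check assumes `getfacl` is installed.

```shell
#!/bin/sh
# Added example, not from the answers: read-only audit of a shared tree.
# Function names are hypothetical. Usage: audit_shared_tree /var/www www-data

# Directories without setgid: files created there keep the creator's group.
# This also catches a `chmod g+s` that exited 0 without setting the bit.
dirs_missing_setgid() { find "$1" -type d ! -perm -2000 -print; }

# Directories whose group is not the expected one (setgid passes on this group).
dirs_wrong_group() { find "$1" -type d ! -group "$2" -print; }

# Regular files carrying setgid, the side effect of a recursive `chmod -R g+s`.
files_with_setgid() { find "$1" -type f -perm -2000 -print; }

# Directories whose default ACL has no plain group::rwx entry.
dirs_missing_default_acl() {
    find "$1" -type d -print | while IFS= read -r d; do
        getfacl -d -c "$d" 2>/dev/null |
            grep -Eq '^(default:)?group::rwx$' || printf '%s\n' "$d"
    done
}

# Run all checks, print findings per check, return 1 if anything was reported.
audit_shared_tree() {
    rc=0
    checks="dirs_missing_setgid dirs_wrong_group files_with_setgid"
    if command -v getfacl >/dev/null 2>&1; then
        checks="$checks dirs_missing_default_acl"
    else
        echo "getfacl not found, skipping default ACL check" >&2
    fi
    for check in $checks; do
        out=$("$check" "$1" "$2")
        if [ -n "$out" ]; then
            rc=1
            printf '%s:\n%s\n' "$check" "$out"
        fi
    done
    return "$rc"
}
```
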
5

This might have gotten a few people stuck with grawity's answer on setgid: if the folder's group is different from your own, you may need to run chmod as root, but you won't get any error indicating you need to do this.

```
$ ls -ld dir
drwxrwxr-x 2 luke testgroup 4096 Mar  9 10:44 dir

$ chmod g+s dir                                    #no errors

$ ls -ld dir
drwxrwxr-x 2 luke testgroup 4096 Mar  9 10:44 dir  #but nothing changed

$ touch dir/nosudo && ls -l dir/
-rw-rw-r-- 1 luke luke 0 Mar  9 10:51 nosudo       #and the group is still wrong


$ sudo chmod g+s dir

$ ls -ld dir
drwxrwsr-x 2 luke testgroup 4096 Mar  9 10:44 dir  #the setgid bit is now on

$ touch dir/withsudo && ls -l dir/
-rw-rw-r-- 1 luke luke      0 Mar  9 10:51 nosudo
-rw-rw-r-- 1 luke testgroup 0 Mar  9 10:51 withsudo #and group is set
```
LukePH
0

The group of the files being created by a user is the group of that user (in /etc/group). The permissions are controlled by the UMASK parameter; see this

DrNoone