How to allow easy editing of www-data owned files by a user

Peter Flynn peter at silmaril.ie
Tue Dec 5 22:05:42 UTC 2017


On 12/05/2017 10:26 AM, Chris Green wrote:
> I've been trying to find a good solution to this problem for *years*
> but I'm still hitting problems with it.  The current problem is that
> synching doesn't deal well with directories and files which have
> different owners on different systems.
> 
> The essential problem is that web files which are manipulated by
> apache need to be owned by www-data but I want to be able to edit
> these files as well. 

This sounds like the setgid bit in the file permissions would be useful.
We use this for web server accounts where the application requires
ownership by the server process (apache aka www-data) to create
subdirectories and files but the site owner needs to be able to do the same.

1. Create the user's login account with useradd or however you do it

2. Create the user's top-level web directory (eg in your existing 
/var/www/html or wherever your web server's document root is)

3. For convenience, soft link that directory to ~/web in the user's 
login directory (usually something like /home/whatever or 
/u/users/whatever) so that the user doesn't need to know where the 
document root is

4. If you are moving site files over from another server, unzip or detar 
or scp them into this new directory

5. Change the ownership of the new directory and everything in it to the 
new user's login account, and the group to the group of the web server 
process, eg chown -R xyz:apache newdir

6. Change the setgid bit on the new directory (chmod g+s newdir) and all 
subdirectories, eg find newdir -type d -exec chmod g+s {} \;

I'm not sure if this addresses the problem of retaining web server 
process ownership of files after editing by the site owner. I think that 
may be a function of your editor. I use Emacs, and it seems to honour this.

setgid can be a security risk if the owning process is running with 
elevated permissions, but in the scenario described above, all it does 
is ensure that any directories created by Apache *or* the site owner 
will preserve their owner:group ownership.

///Peter
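As an added illustration (not part of Peter's message), the following POSIX shell script performs steps 5 and 6 above on a directory and then verifies the group inheritance the setgid bit provides, including an editor-style save by rename. It assumes Linux with GNU coreutils (`stat -c`) and, because assigning www-data needs root, uses a temporary directory owned by the current user and one of that user's own groups; the path and group names are placeholders.

```sh
#!/bin/sh
# Added example: set up a directory so files created in it by any user
# (site owner or web server) inherit its group, then verify that it works.
set -eu

# setup_shared_webdir DIR OWNER GROUP: steps 5 and 6 of the message.
setup_shared_webdir() {
    chown -R "$2:$3" "$1"
    chmod g+s "$1"
    find "$1" -type d -exec chmod g+s {} \;
}

# group_of PATH: group name owning PATH (GNU stat assumed).
group_of() { stat -c %G "$1"; }

# is_setgid_dir DIR: succeed if DIR is a directory carrying the setgid bit.
is_setgid_dir() { [ -d "$1" ] && [ -g "$1" ]; }

# check_inheritance DIR: create a subdirectory and a file as Apache or an
# editor would and confirm they carry DIR's group; returns 0 on success.
check_inheritance() {
    dir=$1; want=$(group_of "$dir")
    mkdir "$dir/uploads"
    : > "$dir/index.html"
    # Emacs-style save: write a temp file, then rename it over the original.
    # The temp file was created in the setgid directory, so it keeps the group.
    : > "$dir/index.html.tmp"
    mv "$dir/index.html.tmp" "$dir/index.html"
    for p in "$dir/uploads" "$dir/index.html"; do
        [ "$(group_of "$p")" = "$want" ] || { echo "group lost: $p"; return 1; }
    done
    is_setgid_dir "$dir/uploads" || { echo "setgid not inherited on uploads"; return 1; }
    echo "ok: everything under $dir belongs to group $want"
}

# pick_test_group: a supplementary group of the current user if there is
# one (so inheritance is visible), else the primary group.
pick_test_group() {
    for g in $(id -Gn); do
        [ "$g" != "$(id -gn)" ] && { echo "$g"; return 0; }
    done
    id -gn
}

# demo: run the whole procedure in a throwaway directory; returns 0 if OK.
demo() {
    d=$(mktemp -d)
    setup_shared_webdir "$d" "$(id -un)" "$(pick_test_group)"
    if check_inheritance "$d"; then rc=0; else rc=1; fi
    rm -rf "$d"; return $rc
}
demo
```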
