How to Properly Set Write Permissions for Multiple Users (Apache + FTP) in Linux


When managing web servers, we often face this permission dilemma: Files uploaded via FTP (typically owned by the FTP user) need to be writable by the web server process (usually running as 'apache' or 'www-data'). Simply using chmod 777 is a security risk, while changing ownership to the web server user breaks FTP functionality.

The professional approach involves Linux group permissions. Here's the step-by-step solution:


# 1. Create a shared group
sudo groupadd webcontent

# 2. Add both the Apache and FTP users to this group
#    (supplementary groups are read at login/process start: restart Apache and
#    have the FTP user log in again before testing)
sudo usermod -a -G webcontent apache
sudo usermod -a -G webcontent your_ftp_user

# 3. Set group ownership, then setgid+775 on directories and 664 on files.
#    A recursive "chmod -R 2775" would also mark every file setgid and
#    executable, which is not what you want for uploaded content.
sudo chown -R :webcontent /var/www/html
sudo find /var/www/html -type d -exec chmod 2775 {} +
sudo find /var/www/html -type f -exec chmod 664 {} +

The magic happens through:

  • The setgid bit (the leading 2) makes files and subdirectories created inside the directory inherit its group (webcontent) instead of the creator's primary group
  • 775 on directories lets the owner and group members create, delete and traverse entries, while others can only list and traverse
  • setgid says nothing about the mode of new files: that comes from the creating process's umask (002 yields 664 files, the default 022 yields 644 with no group write), so the FTP daemon and Apache must run with umask 002 for group write to survive

If the FTP daemon cannot be made to use umask 002, a fix-up script run as root (for example from cron) can normalize whatever lands in the tree:


#!/bin/bash
# post-upload-permission-fix.sh
# Run as root (e.g. from cron) to normalize the shared tree after FTP uploads:
# group ownership first, then setgid+775 on directories and 664 on files.
set -eu
WEBROOT=/var/www/html
GROUP=webcontent
chown -R ":$GROUP" "$WEBROOT"
find "$WEBROOT" -type d -exec chmod 2775 {} +
find "$WEBROOT" -type f -exec chmod 664 {} +

For more complex scenarios, use Access Control Lists:


# Install ACL support
sudo apt-get install acl  # Debian/Ubuntu
sudo yum install acl      # CentOS/RHEL

# Default ACL (-d): applies only to files and directories created later under the tree
sudo setfacl -R -d -m g:webcontent:rwx /var/www/html
# Access ACL for what already exists. Capital X grants execute only on directories
# and on files that are already executable, so plain uploads do not become executable
sudo setfacl -R -m g:webcontent:rwX /var/www/html

Remember to:

  • Regularly audit group membership (anyone in webcontent can modify the site)
  • Limit write permissions to the directories that actually receive uploads; a web server that can write into a directory it also executes scripts from turns any upload flaw into remote code execution
  • Set umask 002 in the FTP server configuration (and in Apache's environment if it creates files); otherwise new files are created 644 and lack the group write bit no matter how the directory is configured

When managing a Linux web server, file permissions become particularly tricky when multiple services need access to the same files. In this case, we're dealing with:

  • Files uploaded via FTP (owned by the FTP user)
  • The Apache web server (running as user apache on RHEL-family systems, www-data on Debian/Ubuntu)
  • Potential other admin users who might need access

The obvious solutions have significant drawbacks:

# Risky approach (world-writable):
chmod 777 filename

# Problematic approach (single owner):
chown apache:apache filename

World-writable permissions (777) are security risks, while changing ownership to apache would break FTP access for the original uploader.

Linux's group permission system provides the right mechanism for this scenario:

  1. Create a dedicated group for collaboration
  2. Add both Apache and FTP users to this group
  3. Set appropriate group permissions

Here's how to implement this properly:

# 1. Create a new group (if doesn't exist)
sudo groupadd webcontent

# 2. Add users to the group
sudo usermod -a -G webcontent apache
sudo usermod -a -G webcontent yourftpuser

# 3. Set group ownership on the tree, then setgid+775 on directories and 664 on
#    files (a recursive "chmod -R 2775" would also make every file setgid and executable)
sudo chgrp -R webcontent /var/www/html
sudo find /var/www/html -type d -exec chmod 2775 {} +
sudo find /var/www/html -type f -exec chmod 664 {} +

The magic happens in these components (for directories):

  • 2: The setgid bit ensures new files and subdirectories inherit the directory's group
  • 7: Owner gets rwx
  • 7: Group gets rwx
  • 5: Others get r-x

Regular files should be 664 instead: no execute bit and no setgid. Note that setgid only controls the group of new files; whether they get the group write bit depends on the umask of the process that creates them, which is why the FTP daemon's umask matters below.

For ProFTPD, add this to proftpd.conf so uploads into the tree are created group-writable:

<Directory /var/www/html>
    Umask 002
</Directory>

For vsftpd, use:

local_umask=002

Check your configuration with the following (and confirm with `id apache` that webcontent appears in the group list; if it does not, Apache was not restarted after the usermod):

ls -ld /var/www/html
# Should show drwxrwsr-x with group webcontent (the "s" in the group triplet is the setgid bit)

Create a test file as the FTP user (or any member of webcontent) with umask 002 and verify. Do not test from a root shell: its usual umask of 022 produces 644 and would mislead you.

umask 002
touch /var/www/html/testfile
ls -l /var/www/html/testfile
# Should show -rw-rw-r-- and group webcontent
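The group/setgid procedure and verification steps above, and the fix-up script earlier on the page, as one added example. This is my code, not the article's: a `fix_perms` function that applies the policy correctly (setgid+775 on directories only, 664 on files), an `audit_perms` function suitable for cron that lists anything drifting from the policy, and a `demo` that builds a constructed temporary tree and shows that a setgid directory alone does not make new files group-writable; the umask does. The function names are hypothetical, and the caller's own primary group stands in for webcontent so the script runs without root.

```shell
#!/bin/bash
# Added example, not part of the original article: enforce and audit the
# "setgid 2775 directories / 664 files / one shared group" policy on a tree.
# Assumptions (so it runs without root): GNU or BSD find with -perm/-group,
# and the caller's own primary group standing in for "webcontent".
set -u

# Apply the policy the way a recursive "chmod -R 2775" cannot: setgid+775 on
# directories only, 664 on files (no execute bit, no setgid on files).
fix_perms() {
    local dir="$1" group="$2"
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 2775 {} + || return 1
    find "$dir" -type f -exec chmod 664 {} + || return 1
}

# Print every entry that violates the policy. Returns 0 when the tree is
# clean, 1 when at least one offender was printed.
audit_perms() {
    local dir="$1" group="$2" bad
    bad=$( { find "$dir" -type d ! -perm 2775
             find "$dir" -type f ! -perm 664
             find "$dir" ! -group "$group"; } | sort -u )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | sed 's/^/policy violation: /'
    return 1
}

# Constructed sample tree: a setgid directory fixes only the group of a new
# file; its mode comes from the creating process's umask.
demo() {
    local root group
    root=$(mktemp -d) || return 1
    group=$(id -gn)
    mkdir -p "$root/uploads" "$root/cache"
    chmod 2775 "$root" "$root/uploads"
    ( umask 022; touch "$root/uploads/photo.jpg" )  # sloppy FTP daemon umask
    ( umask 002; touch "$root/cache/page.html" )    # umask the article recommends
    # umask 022 produced 644 despite the setgid parent; umask 002 produced 664
    find "$root/uploads/photo.jpg" -perm 644 | grep -q . || return 2
    find "$root/cache/page.html" -perm 664 | grep -q . || return 3
    # the tree must be dirty before the fix (cache/ is not 2775, photo.jpg is 644) ...
    audit_perms "$root" "$group" >/dev/null && return 4
    # ... and clean after it
    fix_perms "$root" "$group" || return 5
    audit_perms "$root" "$group" || return 6
    rm -rf "$root"
}

demo && echo "policy enforced and verified on a temporary tree"
```

For production use, point `fix_perms` and `audit_perms` at /var/www/html and webcontent, run them as root, and alert on any "policy violation" line from the audit rather than silently fixing it: an unexpected executable or a file owned by a foreign group in the upload tree is exactly the kind of drift worth a human look.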

For more complex scenarios, consider Access Control Lists. The default entry (d:) only affects files and directories created later; the access entry covers what already exists, and the capital X avoids granting execute on ordinary uploaded files:

sudo setfacl -Rm g:webcontent:rwX,d:g:webcontent:rwx /var/www/html

Always follow these principles:

  • Never use 777 permissions
  • Restrict write access to the users and directories that need it, and keep the directories the web server can write to separate from those it executes scripts from
  • Regularly audit your permissions and the membership of the shared group
  • Consider filesystem quotas for upload directories