The /var/www directory presents a unique permissions dilemma in Linux web development environments. With default root:root ownership, it becomes inaccessible to both web servers and developers, while posing security risks if improperly configured.
We need to enable four key access patterns:
1. Web server processes (Apache/Nginx running as www-data)
2. Script interpreters (PHP-FPM, Ruby, Python)
3. Version control systems (Git/SVN)
4. Developer accounts
Here's the optimal approach I've validated across multiple production systems:
# Set ownership
sudo chown -R www-data:developers /var/www
# Set directory permissions (rwx for group, r-x for others)
sudo find /var/www -type d -exec chmod 2775 {} \;
# Set file permissions (rw for group, r for others)
sudo find /var/www -type f -exec chmod 664 {} \;
# Special cases for upload directories
sudo chmod -R 2770 /var/www/uploads
sudo chown -R www-data:www-data /var/www/uploads
The 2 in 2775 sets the SGID bit, ensuring new files inherit the group ownership. This solves the permission inheritance problem across nested directories.
For systems using PHP-FPM with separate pools:
# For PHP-FPM running under user accounts
sudo usermod -a -G developers phpuser
sudo setfacl -R -m g:developers:rwx /var/www
For Git repositories within the web root:
# Set core.sharedRepository to maintain group write
git config core.sharedRepository group
sudo chmod -R g+w /var/www/project/.git
- Never use 777 permissions
- Regularly audit permissions with:
find /var/www -not -group developers -ls
- Implement filesystem monitoring:
sudo apt install auditd
If encountering permission denied errors:
# Check effective permissions
namei -l /var/www/path/to/file
# Verify process ownership
ps aux | grep 'nginx\|apache\|php'
# Check group membership
groups developerusername
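As an added example that is not part of the answer above, a small POSIX shell audit for two of its points, "never use 777" and "the setgid bit makes new files inherit the group": it reports world-writable entries and directories missing the setgid bit under a given root. The tree it checks is a constructed sample built under mktemp (hypothetical layout, so /var/www is never touched); the answer's `-not -group developers` check is left out because it needs that group to exist on the machine.

```shell
#!/bin/sh
# Added example, not code from the original answer: audit a web root against
# the 2775/664 policy. Two checks:
#   - any entry that is world-writable (other-write bit set)
#   - any directory lacking the setgid bit, so files created in it would
#     not inherit the developers group

audit_webroot() {
    root=$1
    # -perm -0002: at least the other-write bit is set (files and directories)
    find "$root" -perm -0002 -print | sed 's/^/world-writable: /'
    # directories without the setgid bit (02000)
    find "$root" -type d ! -perm -2000 -print | sed 's/^/no-setgid: /'
}

# Number of findings; handy as a one-line summary from cron or CI.
count_violations() {
    audit_webroot "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (hypothetical layout under mktemp): two compliant
# directories, one 777 uploads directory and one world-writable config file.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site/app" "$tmp/site/uploads"
    chmod 2775 "$tmp" "$tmp/site" "$tmp/site/app"   # policy-compliant
    chmod 777 "$tmp/site/uploads"                    # world-writable, no setgid
    : > "$tmp/site/app/index.php"
    chmod 664 "$tmp/site/app/index.php"              # policy-compliant
    : > "$tmp/site/app/config.php"
    chmod 666 "$tmp/site/app/config.php"             # world-writable
    printf '%s\n' "$tmp"
}

# Stand-alone run: build the sample tree, print the findings, clean up.
demo=$(make_sample_tree)
audit_webroot "$demo"
echo "violations: $(count_violations "$demo")"
rm -rf "$demo"
```

Point `audit_webroot` at the real web root (for example `audit_webroot /var/www`) to use it outside the demo.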
Managing /var/www permissions requires balancing security with functionality across multiple stakeholders: web servers (Apache/Nginx), scripting languages (PHP/Ruby/Python), version control systems (Git/SVN), and developer teams. The default root:root ownership creates operational barriers, while 777 poses serious security risks.
For most development environments, this setup provides the right balance:
# Set ownership
sudo chown -R www-data:developers /var/www
# Directory permissions (rwx for owner/group, setgid bit so new files keep the group)
sudo find /var/www -type d -exec chmod 2775 {} \;
# File permissions (rw for owner/group)
sudo find /var/www -type f -exec chmod 664 {} \;
User/Group Configuration
Create a dedicated group for developers and add relevant users:
sudo groupadd developers
sudo usermod -a -G developers your_username
sudo usermod -a -G developers www-data
Web Server Integration
For Apache, ensure your virtual host contains:
<Directory /var/www>
    Options Indexes FollowSymLinks
    AllowOverride All
    # Apache 2.4 access control; do not mix in the 2.2-style "Allow from all"
    Require all granted
</Directory>
Upload Directories
For directories requiring write access (e.g., uploads):
sudo chmod -R 2770 /var/www/uploads
sudo chown -R www-data:developers /var/www/uploads
PHP File Execution
Add this to php.ini for enhanced security:
open_basedir = /var/www
disable_functions = exec,passthru,shell_exec,system
For Git repositories within /var/www:
git config --global core.sharedRepository group
find /var/www -type d -name .git -exec chmod -R g+rwxs {} \;
Implement ACLs for granular control:
sudo setfacl -R -m g:developers:rwx /var/www
sudo setfacl -R -d -m g:developers:rwx /var/www
This setup ensures secure collaboration while maintaining proper web server functionality and version control integration.