I am running into an issue with my Apache install whereby my PHP applications cannot create their log files due to permission denied when attempting to write into the web root.

This is happening on my test server, which is a LAMP stack on Ubuntu 16.04 inside VirtualBox. The installation is pretty much as standard as comes down from apt (user is www-data, /var/www is the web root, owned by root).

Each project I wish to run is in its own Virtual Host, created as follows:

  1. sudo mkdir -p /var/www/site1.com
  2. sudo chown -R $USER:$USER /var/www/site1.com
  3. sudo chmod -R 755 /var/www

When I wish to test, I scp (as the Ubuntu OS user) the code to the /var/www/site directory (actually, I have a sync script which does this whenever it detects code changes).

This is working fine, except for the fact that the apps can't create their log files.

I have seen several answers, including to chmod 777 everything (?!), to add the Ubuntu user to the www-data group, and to add the www-data user to the ubuntu user's group.

My preference is to add the www-data user to the Ubuntu user's group and give g+w privileges to anything that needs to be written.

Is this the correct procedure?

  • Whoa! There is a reason why www-data is a non-privileged account. Do not add it to any user group because you are having trouble setting update permission. That would be creating a serious security hole! – closetnoc Dec 12 '16 at 17:03
  • @closetnoc cheers! I must admit I am not up to speed on apache user privs. If you have a good reference I'd appreciate it. It's funny how most solutions quoted around result in security issues. Like chmod 777 (and obviously this one) – The Naughty Otter Dec 12 '16 at 17:04
  • I'd be curious if anyone works for an ISP as to how they set the permissions. – The Naughty Otter Dec 12 '16 at 17:07
  • I used to be a web host and a consultant to global telecoms managing their Internet services. I am retired now. I do not like configurations that start out in /var/www/ and create other sites below the first domain created. It is a relatively insecure configuration and easy to make a mistake. This answer is how I like to configure Apache: http://webmasters.stackexchange.com/questions/83316/virtualhost-config-routing-and-wildcard-usage/83320#83320 Here is another example: http://webmasters.stackexchange.com/questions/59764/directing-domain-to-hosting-directory/59768#59768 – closetnoc Dec 12 '16 at 17:31
  • Many times people forget that they have to set the owner, group, and permissions of not only the file, but the directory in which the file sits. How it works is that in order to access a file, any user has to traverse the hierarchy structure (directories) from top to the file itself and at each step of the way permission must exist for the user to perform the desired action. Generally, what happens is that directories created along the way are created with the wrong user and access permission. You want to check these. This is likely what is wrong. – closetnoc Dec 12 '16 at 17:35
  • @closetnoc - thanks for the advice, I've been reading through the apache docs and your linked answers over the past few days. I have taken your advice and moved the web root to the user's home dir and made the relevant changes to the site conf. /home/user/www is 755, /home/user/www/site1.com is 707 and that works. But, having the full web root as g+rwx just doesn't feel right; instead I'm moving the files that the app wants to write to a sub dir, that has g+w instead. – The Naughty Otter Dec 15 '16 at 21:22
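The directory-traversal rule described in the comments above can be checked mechanically. The following is an added example, not code from the thread: `first_blocker` and `demo` are hypothetical names, the directory layout is constructed in a temp dir, and only classic mode bits are evaluated (ACLs, root's override and AppArmor are ignored).

```python
import os
import tempfile

def class_bits(st, uid, gids):
    """rwx bits (0-7) that apply to uid/gids: owner, else group, else other."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_blocker(target_dir, uid, gids, base="/"):
    """Walk base -> target_dir; return (path, reason) for the first directory
    that stops uid from creating a file in target_dir, or None if none does.
    Mode bits only: ACLs, root's override and MAC (AppArmor) are ignored."""
    base = os.path.realpath(base)
    target = os.path.realpath(target_dir)
    rel = os.path.relpath(target, base)
    chain = [base]
    for part in ([] if rel == "." else rel.split(os.sep)):
        chain.append(os.path.join(chain[-1], part))
    for d in chain:
        bits = class_bits(os.stat(d), uid, gids)
        if not bits & 1:                      # x on a directory = may traverse
            return d, "no search (x) permission"
    if not bits & 2:                          # w on the last directory = may create
        return target, "no write (w) permission"
    return None

def demo():
    """Constructed layout mirroring the question: www/site1.com at 755,
    plus a logs/ subdirectory; 'web' is a hypothetical non-owner uid."""
    root = os.path.realpath(tempfile.mkdtemp())
    site = os.path.join(root, "www", "site1.com")
    logs = os.path.join(site, "logs")
    os.makedirs(logs)
    for d in (root, os.path.join(root, "www"), site, logs):
        os.chmod(d, 0o755)
    st = os.stat(logs)
    web, results = st.st_uid + 1, {}
    results["site_755"] = first_blocker(site, web, set(), base=root)
    results["logs_755"] = first_blocker(logs, web, set(), base=root)
    os.chmod(logs, 0o775)                     # group-writable logs dir only
    results["logs_775_in_group"] = first_blocker(logs, web, {st.st_gid}, base=root)
    os.chmod(site, 0o750)                     # parent loses o+x
    results["parent_750"] = first_blocker(logs, web, set(), base=root)
    return site, logs, results

if __name__ == "__main__":
    for name, result in demo()[2].items():
        print(name, "->", result)
```

On a real host, pass the web server account's uid and group ids (for example from `pwd.getpwnam` and `os.getgrouplist`) and leave `base` at `/` so every ancestor directory is checked.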

0 Answers