166

Having installed the web server, is there a simple way to set a user able to use the graphic interface to copy files and directories to the local web server /var/www?

I gave myself administrative privileges in Ubuntu but it still doesn't allow copies.

Jorge Castro
  • 71,754
k_graham
  • 1,761

8 Answers

255

If you make /var/www writeable by its group and add the user to the group, that user will not have to use sudo. Try this:

sudo adduser <username> www-data
sudo chown -R www-data:www-data /var/www
sudo chmod -R g+rwX /var/www

The user should then be able to edit /var/www/ files without hassle.

The first line adds the user to the www-data group, the second line clears up any files with messed up ownership, and the third makes it so that all users who are members of the www-data group can read and write all files in /var/www.

If you are logged in as <username> you need to log out and log back in for the group membership to take effect.

Flimm
  • 41,766
Azendale
  • 11,891
  • 39
    I do this, plus a few twists: sudo adduser <username> www-data; sudo chgrp -R www-data /var/www; sudo chmod -R g+rw /var/www; find /var/www -type d -print0 | sudo xargs -0 chmod g+s

    logout and login again to pick up your new group.

    I do the chmod g+s to force new files and directories to pick up the group owner (www-data), making sure that my permissions change propagates.

    – Don Faulkner Apr 04 '12 at 02:54
  • This is less graphical but it's certainly a more efficient thing to do than use nautilus as sudo :) +1 for this – itsols Oct 15 '12 at 11:37
  • @azendale As simple as it may sound, I still cannot seem to write any files into my www folder. I wonder what I'm missing... – itsols Oct 15 '12 at 14:51
  • 15
    @DonFaulkner For security reasons, it's probably better to keep /var/www owned by root:root, so instead of sudo chgrp -R www-data /var/www it better be sudo chgrp -R www-data /var/www/*. – Desmond Hume Nov 12 '12 at 14:42
  • @DesmondHume, that depends on what you're doing. A root owner will kill any web app that needs write access to the file system. Of course, that's also a big attack vector. One model I've seen creates a separate vhost & user:group for each web app, providing some separation at least. You can still add the developers to the group for the apps they're working on. – Don Faulkner Nov 18 '12 at 18:57
  • 2
    Weirdly enough, after running those 3 commands, some of my sub-folders and files (like composer.json and LICENSE) are displayed using the binary icon. Opening the composer.json in a text editor shows a blank file and the worst thing is that I can't browse some of the sub-folders either, I even tried the additional command as suggested by @DonFaulkner and still no luck. If I use the terminal as root everything is as it should be. Anyone has any ideas why this happens? – Alix Axel Jan 23 '13 at 04:35
  • 5
    @itsols you have to log out and then log in for it to work. – Strong Like Bull Mar 13 '13 at 19:16
  • 1
    @DonFaulkner - Would you mind elaborating on how having files owned by root might be an attack vector? (I'm new to all this, and I'm confused because some seem to advocate a when-in-doubt,-own-by-root approach to security, while others adamantly say don't-own-by-root.) – Andrew Cheong Apr 30 '14 at 03:08
  • For those who are interested, the correct permissions for Wordpress: http://stackoverflow.com/questions/18352682/correct-file-permissions-for-wordpress – Junior Mayhé Mar 31 '15 at 15:24
  • 2
    Clearly I'm outnumbered because 102 people upvoted this, but adding privileges to the www-user user or group is a terrible idea and completely negates important security features that were designed into the way the web server operates. The point of the www-user account is that it is an unprivileged account; it is not able to write to modify any files on the website. The server is specifically designed to start as a privileged account and then fork off processes that run under the unprivileged account (www-data) in order to contain any attack or bug in the server process or web apps. – thomasrutter May 29 '15 at 02:59
  • 2
    The www-data group is not intended and should not be used to add regular users to. You should be creating a new group of your own, and add users to that group, and give that group permission to edit the relevant files. Leave the www-data user and group as it is as there is no logical reason that its permissions need to be changed. It's you and your developers that need additional permission here, not the web server. – thomasrutter May 29 '15 at 03:00
  • 1
    I am aware that some web applications require you to enable write access to certain files or directories, but these should always be the exception to the rule, and limited only to those files or directories that really need it, and you should take care to configure your web server not to allow direct execution (eg interpret as PHP or through CGI) of such files. – thomasrutter May 29 '15 at 03:03
  • Perfect!!!!!!!!! – Davinder Kumar Nov 22 '17 at 04:33
  • It’s obvious that the web server needs read privileges (because it wants to serve those files) and that your own user account needs read and write privileges (because that’s what the question asks for). But why would you give the web server write privileges on all files as well (by making the files group-writable)? I guess www-data includes the web server, which is probably Apache. As per the principle of least privilege, the web server should only need write privileges on select files and folders. – caw Sep 09 '18 at 08:13
  • I know this is a little old, but can/should you also do that to the apache /etc/apache2/sites-available folder so they can upload config files? – Wally Kolcz Sep 01 '21 at 13:34
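A check for the concern raised in the comments above, namely which paths under the web root the web server account can modify. This is an added example, not part of any answer or comment in this thread; the function names, the allow-list arguments and the sample tree are hypothetical, and numeric ids stand in for www-data so it runs without root.

```shell
#!/bin/sh
# Added example: list paths under a web root that the web server account can
# modify. It over-reports rather than under-reports.
# Usage: audit_webroot ROOT SERVER_USER SERVER_GROUP [ALLOWED_DIR...]
#   SERVER_USER, SERVER_GROUP: name or numeric id (www-data in this thread)
#   ALLOWED_DIR: hypothetical allow-list of directories the application is
#                meant to write to; findings inside them are not reported.
audit_webroot() {
    root=$1 srv_user=$2 srv_group=$3
    shift 3
    # Reported when any of these holds:
    #   - owned by the server user (an owner can always chmod its own file)
    #   - group is the server group and the group write bit (020) is set
    #   - the world write bit (002) is set
    # Symlinks are skipped: their own mode bits are not used for access checks.
    find "$root" ! -type l \( \
            -user "$srv_user" \
            -o \( -group "$srv_group" -perm -020 \) \
            -o -perm -002 \
        \) -print |
    while IFS= read -r path; do          # assumes no newlines in file names
        skip=0
        for allowed in "$@"; do
            case $path in
                "$allowed"|"$allowed"/*) skip=1 ;;
            esac
        done
        if [ "$skip" -eq 0 ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed sample tree (not from the page): a group-writable file, a
# read-only file, a world-writable file and an allow-listed uploads directory.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/uploads"
    : > "$d/index.html"; : > "$d/config.php"
    : > "$d/open.txt";   : > "$d/uploads/a.png"
    chmod 755 "$d"; chmod 775 "$d/uploads"
    chmod 664 "$d/index.html" "$d/uploads/a.png"
    chmod 644 "$d/config.php"; chmod 646 "$d/open.txt"
    printf '%s\n' "$d"
}

# Demo without root: a uid that owns nothing in the tree and the sample files'
# own group stand in for www-data.
tree=$(make_sample_tree)
gid=$(ls -ldn "$tree" | awk '{print $4}')
audit_webroot "$tree" "$(( $(id -u) + 1 ))" "$gid" "$tree/uploads"
rm -rf "$tree"
```

On a server set up as in this thread the call would be audit_webroot /var/www www-data www-data, followed by any directories the application is meant to write to.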
26

You can chown, that is change the owner of that folder. This will allow you to change the user and group of the folder, allowing your user to add/remove files on it. To do it, replace yourusername with your name and run:

sudo chown yourusername:users /var/www

And that's it.


However, I prefer to create a virtualhost in my home folder, it's much easier.

Basically it allows you to use any folder as an Apache serving folder. To show how simple it is, let's assume that your username is username and that the folder that you want to serve is /home/username/www

Create the following file (for instance mywebprojects) in /etc/apache2/sites-available, replacing the username and the folder path (basically just copy and paste and replace in #CHANGE HERE):

<VirtualHost *:80>
    ServerAdmin webmaster@localhost

    # CHANGE HERE
    DocumentRoot /home/username/www

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    # CHANGE HERE
    <Directory /home/username/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

Now let's create the www folder, add a simple hello world, disable the default website (/var/www), enable our website mywebprojects and restart Apache.

mkdir ~/www 
echo "<html><h1>Hello World</h1></html>" > ~/www/test.html
sudo a2dissite default
sudo a2ensite mywebprojects
sudo service apache2 restart

And that's it, now you don't need to go to /var/www, you simply add files to your www (or other given name) and it's already there :).

  • exactly what I did. One plus for this is you can change the directory to a shared drive so all files will be available when booted in Windows/OSX. – Jason Jan 05 '11 at 14:05
  • @jason thanks for that comment, this is what I'm wanting to do, too. I'm learning Ubuntu but if I get stuck on something in *ngix, I want to be able to use Windows to not slow down development. – HPWD May 17 '20 at 21:18
  • I did something wrong or the version of Ubuntu I am using requires something different. – HPWD May 17 '20 at 21:36
8

Method 1:

  • Press ALT+F2 and enter gksudo nautilus and then click Run.

  • It will open nautilus with root privileges.
  • Go to Filesystem > var > www and now you can add/copy/paste your files.

Method 2:

  • Install nautilus-gksu
  • After installing type nautilus -q in your terminal to refresh right click menus.
  • Now you will find 'Open as administrator' entry in your nautilus right-click menu.
  • When you need to open any files with root permission, you just have to right-click on that file/folder and select 'Open as Administrator'.
  • It will open that file/folder with root permission.

karthick87
  • 81,947
  • 1
    This is definitely the right way to go! I wonder why this wasn't the selected answer. The other methods involve messing with the permissions and I wouldn't risk my system by doing so. +1 for your answer. – itsols Jun 11 '12 at 15:13
  • 6
    @itsols: I completely disagree - you risk your system by granting Nautilus complete root access to your filesystem instead of properly configuring permissions to allow access to /var/www. One accidental push of the [delete] key and you could end up with an unbootable system. – Nathan Osman Oct 12 '12 at 00:43
  • @GeorgeEdison But this is only to set the permission. And after this is done, we close nautilus and work as usual. Is this really that bad? Excuse me for my ignorance here. Despite being an Ubuntu user since version 5.x, I still find setting up a development machine quite challenging and there seems to be no clear-cut way of doing it (for me, at least... – itsols Oct 15 '12 at 11:36
  • @itsols: The second part of this answer is the preferred method and is the one I use. – Nathan Osman Oct 15 '12 at 18:00
  • gksudo and gksu are no longer supported in Ubuntu. – Flimm Jan 25 '23 at 13:29
6

It could be as simple as sudo usermod -a -G developers $username using ACL.

That takes a little work, though, to start. This is for Ubuntu 10.10 at least. First mount the file systems with the acl option in /etc/fstab.

sudo vim /etc/fstab

UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx / ext4 defaults,acl 0 1

sudo mount -o remount,acl /

Then make a group to which a user may belong for this purpose.

sudo groupadd developers
sudo usermod -a -G developers $username

The user needs to log out and in again to become a member of the developers group.

Of course, do not do this if you have content in the /var/www directory that you want, but just to illustrate setting it up to start:

sudo rm -rf /var/www
sudo mkdir -p /var/www/public
sudo chown -R root:developers /var/www/public
sudo chmod 0775 /var/www/public
sudo chmod g+s /var/www/public
sudo setfacl -d -m u::rwx,g::rwx,o::r-x /var/www/public

Then replace references to "/var/www" with "/var/www/public" in a config file and reload.

sudo vim /etc/apache2/sites-enabled/000-default
sudo /etc/init.d/apache2 reload

If we wanted to restrict delete and rename from all but the user who created the file:

sudo chmod +t /var/www/public

This way, if we want to create directories for frameworks that exist outside the Apache document root or maybe create server-writable directories, it's still easy.

Apache-writable logs directory:

sudo mkdir /var/www/logs
sudo chgrp www-data /var/www/logs
sudo chmod 0770 /var/www/logs

Apache-readable library directory:

sudo mkdir /var/www/lib
sudo chgrp www-data /var/www/lib
sudo chmod 0750 /var/www/lib
  • Could you explain what's up with the UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx-line? Is it meant to be added literally or do want the user to find the line and edit the options behind? – MadMike Oct 15 '13 at 07:34
  • Why don't you skip the sudo rm -rf /var/www-step. It doesn't really seem necessary . – MadMike Oct 15 '13 at 07:38
  • @MadMike it's meant to be filled in with hexadecimal digits. To find out what your various partitions are labelled, run sudo blkid – Azendale Oct 11 '14 at 06:41
  • 1
    @Azendale When I wrote the comment it was meant as a suggestion on how to improve the answer. Today I know I should suggest this much more directly. Like: Please add on how to fill the UUID=xxxx-part like with a sudo blkid. – MadMike Oct 12 '14 at 21:08
0

Although this question is old, the answer needs to be brought up to date.

Let's consider the following :

You state you gave yourself "administrative privileges". And by the accepted answer here user and group www-data now has permissions to write to the directory in question.

Out of the box, when you install a LAMP stack, /var/www directories and files are recursively owned by user and group root:root, unless you have changed the default ownership/permissions. Which in your case is true. To confirm :

cd /var/www && ls -l

The output with default LAMP stack installation :

drwxr-xr-x 2 root root 4096 Sep  1 19:53 html

Above, there is a reason why /var/www and html directories are owned by user and group root:root on a default level, it gives read/executable permissions only to others which includes www-data. This conforms to least privileges security aspect. We wouldn't want an attacker to gain access to the www-data user/group which is the most vulnerable here, with permissions to write a script and takeover the server!

This should help understand the default permissions of the html directory created when apache/nginx was installed :

Owner Group Other
read, write & execute read & execute read & execute
4+2+1=7 4+1=5 4+1=5

What we can do to safely use your_domain directory to transfer directories and files in a graphical interface with the necessary permissions is to :

  1. Assign ownership to the directory in question :

    sudo chown -R $USER:$USER /var/www/your_domain
    
  2. Now check the permissions of /your_domain :

    cd /var/www && ls -l
    
  3. From the output here we can clearly see that your_user is owner and group and that others ( www-data ) have read/execute permissions only. Which is a safe way to not compromise the web server and other users directories :

    drwxr-xr-x 2 root root 4096 Sep  1 19:53 html
    drwxr-xr-x 2 your_user  your_user  4096 Sep  2 10:49 your_domain
    
  4. Reload Apache :

    sudo systemctl reload apache2
    

Once this is done, here is a "simple" way to add files to /var/www/your_domain :

Install vsftpd on your server and FileZilla on the client machine :

  1. You can follow this guide to install and setup both vsftpd and FileZilla.

  2. Just replace the /home/username/ftp/files to suit your needs and substitute where needed username ( in the guide username is sammy ) with your_username.

    Note : You may need to add this entry pasv_enable=Yes to your /etc/vsftpd.conf file for Windows client.

  3. After vsftpd setup is done, we create the directory /home/username/ftp/files/www and mount /var/www/your_domain to this directory.

    1. Create the mount directory :
    mkdir /home/username/ftp/files/www
    
    2. Edit /etc/fstab to add the mount point :
    /var/www/your_domain /home/username/ftp/files/www none defaults,bind 0 0
    

    Source : here

  4. Reboot the server.

Now the previous method of creating a permanent mount will work with a minimal image ( i.e. Container ) where its fstab file indicates UNCONFIGURED FSTAB FOR BASE SYSTEM, this will NOT work with physical servers.

So, if you still insist on FTP a temporary approach would be to bind the directories ( This method cannot survive system reboot ) like so :

sudo mount --bind /var/www/your_domain /home/username/ftp/files/www

Another, and permanent approach, would be to simply use a symbolic link. Keep in mind with this method you would need to choose where Protocol: in FileZilla -> SFTP-SSH File Transfer Protocol. To create the symbolic link we cannot use an absolute path ( i.e. /var/www/your_domain ). We will use the relative path from /home/username/ftp/files/www to /var/www/your_domain. The command would be :

sudo ln -s ../../../../../var/www/your_domain /home/username/ftp/files/www

You will find a guide for SFTP setup here.

And finally here is a simple way to edit files in /var/www/your_domain :

  1. Edit the files on your development machine.

  2. Stop your web server, example : sudo service apache2 stop or sudo service nginx stop.

  3. Add the files with FileZilla with protocols SFTP(symbolic link method) or FTP(mount method).

  4. Restart the web server : sudo service apache2 start or sudo service nginx start.

kkyucon
  • 76
0

Easiest way to do is follow the steps given below:-

  1. Press Alt + Ctrl + T and terminal will open and type sudo -s and login with your password.
  2. Now you're logged in as root.
  3. Now type in nautilus and it will open the home folder for you as root. So now you can easily edit the files and do whatever you want.

Hope this helps. :)

Aditya
  • 13,416
0

/var/www folder is owned by the root.. you have to change the ownership to your own username for modifying files in this folder. For this you can try the following commands..

sudo -i # to change to root console

sudo chown -R <username> <path> # e.g. sudo chown -R scott /var/www/html (scott is the username, -R indicates recursive)

Now the ownership of the folder /var/www/html will be assigned to the user scott. Now scott can copy/move files in this folder.

Anoop
  • 9
  • 1
-1

If you're using the server version, try webmin. It has a great web UI and file manager. Either that or Filezilla

  • 4
    Can you explain "If you're using the server version"? Any package that can be installed on Ubuntu Server can be installed on the desktop version of Ubuntu. – Eliah Kagan Aug 24 '12 at 00:45
  • @EliahKagan yes. Webmin and/or FileZilla can be installed on both server and desktop versions. – kkyucon Sep 08 '22 at 20:08