
I am currently trying to modify the content of /var/www/mywebsite via SFTP with my user "exampleadmin", which has root permissions and is in the group "root".

When I try to add a file or directory via SFTP I receive the error message: permission denied. As of now I do not fully understand why, since my user should have root access.

I listed the folder content of /var/www with the command ls -la and got the following results:

drwxr-xr-x  4 root root 4096 May  6 10:00 .
drwxr-xr-x 14 root root 4096 May  6 07:59 ..
drwxr-xr-x  3 root root 4096 May  6 09:49 html
drwxr-xr-x  2 root root 4096 May  6 10:00 mywebpage

Now I have several questions about the permissions that I could not find answers to yet:

  • If I change the owner or group of the folders/files, will the "root" owner/group be removed, meaning they have no further access?

  • Is it possible to allow multiple groups and/or users specific permissions such as in Windows or can I only assign a single owner and a single group?

  • What if I want to have the following setup:

    • user 1 with full access
    • user 2 with read/execute
    • user 3 with deny
    • other read-only

If this is the case, there must be a best practice for setting up apache file permissions on a server.

karel
Julian Bechtold

1 Answer

Apache and similar server programs are usually not run by the root user since this could lead to a security leak if they contained a bug.

It is recommended for web pages (that are not modified by Apache) to be owned by root and have read permission for everyone, but this does not allow the server to modify the contents.

Apache is usually run under the user www-data. To allow write access to your /var/www, you should change the ownership of the relevant data. You should limit the access to the folders you really need to modify using the server.

sudo chown -R www-data:www-data /var/www/<relevant subfolder>

To your particular questions:

If I change the owner or group of the folders/files, will the "root" owner/group be removed, meaning they have no further access?

As long as you keep the read permissions for everyone, everyone can read them. The ownership by root is generally the most restrictive one.

Is it possible to allow multiple groups and/or users specific permissions such as in Windows or can I only assign a single owner and a single group?

If you need multiple users to have specific permissions, you have to create a group for them in Linux.

What if I want to have the following setup: …

This is a very specific setup and you should ask another question if it’s not just a theoretical problem. You might want to get some information about ACL first.

Melebius
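Why the listing in the question produces "permission denied", and what the `chown` in the answer changes, as an added example that is not part of the original question or answer. It evaluates the classic owner/group/other mode bits against `ls -l` lines; the group membership given for exampleadmin and the shared group name "webedit" are constructed assumptions.

```python
# Added example: evaluate Unix mode bits against `ls -l` lines.
# Assumptions: exampleadmin's group list and the "webedit" group are constructed.

LISTING = """\
drwxr-xr-x  3 root root 4096 May  6 09:49 html
drwxr-xr-x  2 root root 4096 May  6 10:00 mywebpage
"""  # the two directory lines from the question

def parse_ls_line(line):
    """Split one `ls -l` line into (mode string, owner, group, name)."""
    f = line.split()
    return f[0], f[2], f[3], f[-1]

def permission_class(owner, group, user, user_groups):
    """Exactly one triad applies: owner first, then group, then other."""
    if user == owner:
        return "owner"
    if group in user_groups:
        return "group"
    return "other"

def allowed(mode, owner, group, user, user_groups, want):
    """True if `user` gets permission `want` ('r', 'w' or 'x') from the mode bits."""
    if user == "root":  # uid 0 bypasses read/write checks and directory search
        return True
    start = {"owner": 1, "group": 4, "other": 7}[
        permission_class(owner, group, user, user_groups)]
    flag = mode[start + "rwx".index(want)]
    # '-' is unset; upper-case S/T is a special bit set WITHOUT execute
    return flag != "-" and not flag.isupper()

def can_create_in(ls_line, user, user_groups):
    """Creating a file in a directory needs both w and x on that directory."""
    mode, owner, group, _ = parse_ls_line(ls_line)
    return all(allowed(mode, owner, group, user, user_groups, p) for p in "wx")

def report():
    admin = {"exampleadmin", "root"}  # constructed membership
    res = {parse_ls_line(l)[3]: can_create_in(l, "exampleadmin", admin)
           for l in LISTING.splitlines()}
    # State after `chown -R www-data:www-data`: the mode bits are unchanged.
    chowned = "drwxr-xr-x 2 www-data www-data 4096 May  6 10:00 mywebpage"
    res["www-data after chown"] = can_create_in(chowned, "www-data", {"www-data"})
    res["exampleadmin after chown"] = can_create_in(chowned, "exampleadmin", admin)
    # Hypothetical shared group "webedit" with group write and setgid (mode 2775).
    shared = "drwxrwsr-x 2 root webedit 4096 May  6 10:00 mywebpage"
    res["exampleadmin via webedit"] = can_create_in(shared, "exampleadmin", admin | {"webedit"})
    return res

if __name__ == "__main__":
    for who, ok in report().items():
        print(f"{who:26} create allowed: {ok}")
```

Being in the group "root" selects the group triad, which is r-x in the listing, so the SFTP session (running as exampleadmin, not uid 0) cannot write.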