This article will walk you through setting up a Linux user with read and write permissions for your web document root, usually the /var/www/ directory. Connecting with this user via SFTP will let you upload your website content directly to the /var/www/your/site/folder.
For the purposes of this example we'll use an account named "demo". Be sure to replace "demo" in the examples with your preferred name.
These commands require superuser privileges so they assume you are running them from an account with sudo privileges.
We'll need to know the group the web server process is running under as well as the location of your web server's document root. This information can usually be found in the web server's config file (like httpd.conf or apache2.conf for Apache).
We've listed the default values for the Apache web server running on some Linux distributions below.
On Red Hat-based systems Apache runs under the group "apache" with a document root of "/var/www/html".
On Debian-based systems Apache runs under the group "www-data" with a document root of "/var/www".
Now we can either create a new user or modify an existing user for our purposes.
If we're creating a new user, we'll want it to be in the same group as the web server with its home directory set to your document root.
Remember to change the values to match your web server's settings and the username you're using.
On CentOS, Fedora, or RHEL, the command to create the user would look like this:
sudo useradd -d /var/www/html -G apache demo
On Ubuntu or Debian systems you would use different values:
sudo useradd -d /var/www -G www-data demo
Once the user is created you'll need to set its password as well.
sudo passwd demo
You can now skip to the section on changing the document root to be group-writable.
If you want to modify an existing user you'll need to add it to the group used by your web server.
On CentOS, Fedora, or RHEL, the command would look like this:
sudo usermod -a -G apache demo
And on Ubuntu or Debian it might look like:
sudo usermod -a -G www-data demo
If you want to change the account to use the document root as its home directory you can do that too.
On CentOS, Fedora, or RHEL you would run:
sudo usermod -d /var/www/html demo
And on Ubuntu or Debian:
sudo usermod -d /var/www demo
Now we'll change the document root so it and its contents are in the same group as the web server.
On CentOS, Fedora, or RHEL run:
sudo chgrp -R apache /var/www/html
And on Ubuntu or Debian:
sudo chgrp -R www-data /var/www
Next we make the document root group-writable, but we'll also want to set the "setgid" permission on the document root directory itself. The setgid permission will ensure that new files created in the document root will inherit the group ID from their parent directory.
On CentOS, Fedora, or RHEL you can set the right permissions with the commands:
sudo chmod -R g+w /var/www/html
sudo chmod g+s /var/www/html
The Ubuntu and Debian versions of the commands would be:
sudo chmod -R g+w /var/www
sudo chmod g+s /var/www
Now you can connect to your server via SFTP with the user account you created or modified. Try uploading a file to make sure the permissions were set correctly. If you get a permission denied error, run "ls -la" in the document root to check the directory permissions.
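The script below is an added example, not part of the original article: it audits the whole tree instead of reading "ls -la" output by hand, reporting entries with the wrong group, entries that are not group-writable, and entries that are world-writable. It also reports directories without setgid, which will include any existing subdirectories, because the "chmod g+s" command above is applied to the document root directory only. The function name audit_docroot and the script file name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): audit a document root after
# the chgrp/chmod steps. audit_docroot is a hypothetical helper name.
#   sh audit_docroot.sh /var/www/html apache     (Red Hat-based defaults)
#   sh audit_docroot.sh /var/www www-data        (Debian-based defaults)

audit_docroot() {
    root=$1     # document root to check
    group=$2    # group the web server runs under (name or numeric GID)

    findings=$(
        # Group was not changed (chgrp -R missed it, or it was created
        # in a directory that has no setgid bit).
        find "$root" ! -type l ! -group "$group" | sed 's/^/wrong-group /'
        # Group members cannot write to this file or directory.
        find "$root" ! -type l ! -perm -020 | sed 's/^/not-group-writable /'
        # New files created in this directory will not inherit its group.
        find "$root" -type d ! -perm -2000 | sed 's/^/no-setgid /'
        # Writable by every local account, not just the group.
        find "$root" ! -type l -perm -002 | sed 's/^/world-writable /'
    )

    # Exit status 0 means nothing to fix; 1 means findings were printed.
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run the audit only when called with both arguments.
if [ "$#" -eq 2 ]; then
    audit_docroot "$1" "$2"
fi
```

Each output line is a finding type followed by the path, so a "no-setgid" line for a subdirectory means files uploaded there can end up outside the web server's group.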
© 2011-2013 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License

8 Comments
hello
on centos 6, logged in as root in putty, when i type in:
usermod -a -G apache demo
it returns:
usermod: no changes
however i continue through the steps and the user still can not upload or delete files from var/www/html (after restarting apache).
i am connecting via ftp on port 21 (i need to be able to do this to run a restore script temporarily) and in vsftpd.conf have chroot_local_user=NO and in iptables i have -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT so the user can browse around folders at the moment, but cannot make any changes it seems.
i want to be able to give this user privileges to add, edit, delete files and folders in var/www/html.
thanks!
Re: permissions
You might try running "ls -l /var/www" and check the results. Make sure the group for the html directory is "demo". Also check the permissions on the directory - they should look something like "rwxrwxr-x" if the permissions are properly set.
It won't hurt to run both the "chgrp" and the "chmod" commands again. Make sure to either run them as root or use the "sudo" command with them.
Helpful - Formatting
Because all of the information is the same text weight and font size, it is hard to pull the good info out.
re: formatting
This approach will not lock
re: locked directory
For more details on Linux file permissions, see this article series:
http://www.rackspace.com/knowledge_center/article/linux-file-permission-concepts
Updates in the doc root
Any suggestions for how to solve for this?
re: Updates in the doc root