SFTP permission denied on files owned by www-data

Ubuntu.com has pretty good serverguides, such as Apache guide. Where did you get your procedures you so carefully wrote down? I've never had to go to that much trouble for any of the servers I've set up, although I'm open to the possibility that I haven't been doing it right - also, I haven't actually install servers for anything that is very public, or very large, so there could be security holes that I don't know about.

However, I've never needed to be a member of the www-data group, and no source files in www are owned by www-data. My understanding is that this is used by Apache only for its own files, and it will not have write permissions to any of the other files itself, because in theory, no important files will allow www-data to have write permission. I'd guess that files owned by www-data would give read-only permission to everyone else, and nobody should have write permission to its files. I could be totally wrong, of course, and if I am, I hope someone will tell me and point me to actual documentation that explains differently (not to some forum where a random internet user like me has produced instructions that worked for him).

Perhaps I'm missing something, but your problem should be fairly straightforward. The user that is logged in using sftp needs to be a member of the group www-data, and the files you are trying to modify must have write permissions for the group www-data. It doesn't make sense to me that you can modify the files using ssh, but not using sftp; are you sure you are logging in to the same account for both? In sftp, you can enter commands such as !groups to list your groups, or !whoami to check what login name you are using. The results should match what you see using ssh (with the same commands minus the exclamation point).

You also should be able to use chmod, chown, chgrp from sftp if you have permission to do so.

By the way, I think your list has at least one pretty bad command:

sudo chmod -R g+rw /var/www

This gives the world write permission to every file and folder in /var/www. This sounds like a bad idea. Normally, only root has write permission to these directories, unless specific ones need more permission, usually only single directories.

Note: This was an error on my part. Thanks to DonalLafferty for pointing this out, that it specifies "g", not "a", so it only changes group permissions. My tired old eyes (or a bad font) must have read it as "a".

Edits for clarification

Normally, files created by Apache are read-only for both the www-data group and all other users, same as the root-owned files in /var/www. So, there should be no reason to make anyone a member of www-data. The issue is giving everyone write access, which is a different case. This should be done by making specific directories available within your site, and this is done simply by using chmod, either with sudo, since it is probably owned by root, or by making the owner yourself and not using sudo.

If you have more devs that need access to the entire site, that is when you want to make a user+group such as "webmasters", make it the owner of the site, give write permissions to that group, and make all devs members of that group. So the listing for the site directories would be something like:

drwxrwxr-x  ##  webmasters     webmasters   #### ####-##-## ##:##  mysite.com

More Edits

I've since realized that you don't really need to create a user "webmasters", just a group. Then the files can be owned by root:webmasters, ie root is the owner, but webmasters is the group.

In answer to questions below, the files that Apache writes will be owned by www-data, and group www-data. These files are not normally something you write to, so non-members of www-data may have read-only access - I think it depends on the directory permissions. If you do need more than occasional write access, then adding yourself to the group might be useful. Usually you make specific directories world writable for content saved by Apache. Consider also that most shared web hosting running Apache without shell access would not even have a way to set up groups.

But, Apache can read files even owned by root. Almost all files have world-readable access, just not writable. So, unless you want to change this, Apache doesn't need to be in the webmasters group.

This is all basic Linux setup, not really Apache. Apache only cares about access from within the web server, and that's set by the config files. For this reason, the Ubuntu documentation link I included in my post should be considered a better source than a public wiki.

By the way, the O'Reilly Apache Cookbook says "Document directories, such as htdocs, cgi-bin, and icons, will have to have permissions set in a way that makes the most sense for the development model of your particular web site, but under no circumstances should any of these directories or files contained in them be writable by the web server user."

Finally, using ACLs is a good way to set file permissions if you need more control. It may even be a good way to set them all the time, and is something I should investigate.


I noticed you hadn't used chown.

To properly set the ownership of the files/folders you can set the whole directory this way: chown -R www-data:www-data

This sets ownership to group www-data and user www-data

Also, you can do this as a temporary workaround :

chmod 777 /var/data/<filename> or chmod 777 /var/data/<foldername>

edit the file(s) as needed, then

chmod 644 /var/data/<filename> or chmod 755 /var/data/<foldername>

Be careful of using the "-R" switch, as it changes the permissions of all the sub files and folders as well.

664 is the Apache standard file permissions, and 755 the standard folder permissions.

Hope this helps :)

Star