This article simply exists to serve as a visual reference when I’m explaining permissions to others. If you are looking to apply the concepts in this article on a live site, make sure you create a backup of the permissions and ownerships before proceeding as this article could break a pre-existing site!
This is one of those things where there is more than one way to go about it. The goal here is to allow multiple users the ability to work with the site via FTP/SFTP using basic permissions and groups.
First, create the shared group. In this case, as my domain is going to be example.com, I will call it exampleadmins:
[[email protected] ~]# groupadd exampleadmins
Now add the preexisting users to the group
[[email protected] ~]# usermod -aG exampleadmins user01 [[email protected] ~]# usermod -aG exampleadmins user02
Now change the group ownership recursively on the website directory:
[r[email protected] ~]# chgrp -R exampleadmins /var/www/vhosts/example.com
Since we want users in the exampleadmins group to have write access, set the group write permissions on the website directory by:
[[email protected] ~]# chmod -R g+w /var/www/vhosts/example.com
To ensure that any new files or directory inherit the group ownership, use the SetGID bit on the directory recursively:
[[email protected] ~]# find /var/www/vhosts/example.com -type d -exec chmod g+s "{}" \;
To ensure that files or directories the user creates or uploads are group writable by default, you need to adjust the default umask for the FTP and SFTP server. For vsftpd which is generally the default FTP server, change the default umask from 022 to 002 by:
[[email protected] ~]# vim /etc/vsftpd.conf ... local_umask = 002 ... [[email protected] ~]# service vsftpd restart
When using SFTP, update the sftp subsystem within /etc/ssh/sshd_config to set a umask of 0002 by:
[[email protected] ~]# vim /etc/ssh/sshd_config ... Subsystem sftp /usr/libexec/openssh/sftp-server -u 0002 ... # Append to bottom of file: Match Group exampleadmins ForceCommand internal-sftp -u 0002 [[email protected] ~]# service sshd restart
Now whenever you need to add additional users, simply create the user with a membership to exampleadmins
[[email protected] ~]# useradd -s /sbin/nologin -d /var/www/vhosts/example.com -G exampleadmins user03
And if the user already exists, simply run:
[[email protected] ~]# usermod -aG exampleadmins user03