This article simply exists to serve as a visual reference when I’m explaining permissions to others. If you are looking to apply the concepts in this article on a live site, make sure you create a backup of the permissions and ownerships before proceeding as this article could break a pre-existing site!
This is one of those things where there is more than one way to go about it. The goal here is to allow multiple users the ability to work with the site via FTP/SFTP using basic permissions and groups.
First, create the shared group. In this case, as my domain is going to be example.com, I will call it exampleadmins:
[root@web01 ~]# groupadd exampleadmins
Now add the preexisting users to the group
[root@web01 ~]# usermod -aG exampleadmins user01 [root@web01 ~]# usermod -aG exampleadmins user02
Now change the group ownership recursively on the website directory:
[root@web01 ~]# chgrp -R exampleadmins /var/www/vhosts/example.com
Since we want users in the exampleadmins group to have write access, set the group write permissions on the website directory by:
[root@web01 ~]# chmod -R g+w /var/www/vhosts/example.com
To ensure that any new files or directory inherit the group ownership, use the SetGID bit on the directory recursively:
[root@web01 ~]# find /var/www/vhosts/example.com -type d -exec chmod g+s "{}" \;
To ensure that files or directories the user creates or uploads are group writable by default, you need to adjust the default umask for the FTP and SFTP server. For vsftpd which is generally the default FTP server, change the default umask from 022 to 002 by:
[root@web01 ~]# vim /etc/vsftpd.conf ... local_umask = 002 ... [root@web01 ~]# service vsftpd restart
When using SFTP, update the sftp subsystem within /etc/ssh/sshd_config to set a umask of 0002 by:
[root@web01 ~]# vim /etc/ssh/sshd_config ... Subsystem sftp /usr/libexec/openssh/sftp-server -u 0002 ... # Append to bottom of file: Match Group exampleadmins ForceCommand internal-sftp -u 0002 [root@web01 ~]# service sshd restart
Now whenever you need to add additional users, simply create the user with a membership to exampleadmins
[root@web01 ~]# useradd -s /sbin/nologin -d /var/www/vhosts/example.com -G exampleadmins user03
And if the user already exists, simply run:
[root@web01 ~]# usermod -aG exampleadmins user03