How to allow easy editing of www-data owned files by a user

I've been trying to find a good solution to this problem for *years*
but I'm still hitting problems with it. The current problem is that
syncthing doesn't deal well with directories and files which have
different owners on different systems.

The essential problem is that web files which are manipulated by
apache need to be owned by www-data but I want to be able to edit
these files as well. In particular I have a wiki where I sometimes
edit the files using the wiki (ownership ends up as www-data) and
sometimes I edit them directly with an editor (ownership ends up as

Currently I use access control lists (setfacl) to make things so that
both chris and www-data can manipulate files in the wiki
directory regardless of whether they are owned by chris or www-data,
but this isn't a perfect solution as the correct settings don't always
get put on new files.

What I really need is:-

All the wiki files are owned by 'chris' (the wiki is rooted in my
home directory and is synchronised across a couple of machines by

www-data can read/write/create files in the ~/chris/wiki directory
but they will always be owned by 'chris'.

Can anyone see a way of implementing this? ... or any other
reasonable solution?


Re: How to allow easy editing of www-data owned files by a user

By Xen at 12/06/2017 - 11:03

I am really happy to see you post this because I have the exact same use

I haven't read the other replies yet but your user becomes part of
www-data and all of the files get www-data as group.

Your wiki needs to create all files as g+w.

It can't create them as chris, but you will need to run a service that
will chown them to your user.

I really have a script somewhere that doesn't work very well atm that
creates automatic reports by mail on what it has changed as well.

So it's not usable now, but a simple cron job,

that will run chown -R chris.www-data ~/wiki/ (basically) will of course
do the trick.

You will just be running this script every 10 minutes :-/.

More sophisticated will do:

find ~/wiki \( ! -user chris -o ! -group www-data \) -exec chown chris:www-data "{}" ";"

or something similar...


find ~/wiki -type d ! -perm 0771 -exec chmod 0771 "{}" ";"
find ~/wiki -type f ! -perm 0660 -exec chmod 0660 "{}" ";"

not sure if find syntax is correct.

Re: How to allow easy editing of www-data owned files by a user

By Peter Flynn at 12/05/2017 - 18:05

On 12/05/2017 10:26 AM, Chris Green wrote:
This sounds like the setgid bit in the file permissions would be useful.
We use this for web server accounts where the application requires
ownership by the server process (apache aka www-data) to create
subdirectories and files but the site owner needs to be able to do the same.

1. Create the user's login account with useradd or however you do it

2. Create the user's top-level web directory (eg in your existing
/var/www/html or wherever your web server's document root is)

3. For convenience, soft link that directory to ~/web in the user's
login directory (usually something like /home/whatever or
/u/users/whatever) so that the user doesn't need to know where the
document root is

4. If you are moving site files over from another server, unzip or detar
or scp them into this new directory

5. Change the ownership of the new directory and everything in it to the
new user's login account, and the group to the group of the web server
process, eg chown -R xyz:apache newdir

6. Change the setgid bit on the new directory (chmod g+s newdir) and all
subdirectories, eg find newdir -type d -exec chmod g+s {} \;

I'm not sure if this addresses the problem of retaining web server
process ownership of files after editing by the site owner. I think that
may be a function of your editor. I use Emacs, and it seems to honour this.

setgid can be a security risk if the owning process is running with
elevated permissions, but in the scenario described above, all it does
is ensure that any directories created by Apache *or* the site owner
will preserve their owner:group ownership.
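The setgid recipe from the steps above and the find-based ownership check from Xen's reply, combined into one script as an added example (not code from anyone in the thread). The function names, the 2770/0660 modes and the probe file names are my own choices; chown to a user other than yourself needs root, the audit and the inheritance check do not.

```shell
#!/bin/sh
# Constructed example: keep a web tree shared between the site owner and the
# web server group, then audit it for entries whose ownership drifted.

# setup_shared_tree DIR OWNER GROUP
#   owner:group applied recursively, setgid on every directory so new
#   entries inherit GROUP, directories 2770 and files 0660 so the group
#   can write. The -perm test uses the same mode as the chmod, so a
#   repeated run (e.g. from cron) changes nothing that is already right.
setup_shared_tree() {
    dir=$1; owner=$2; group=$3
    chown -R "$owner:$group" "$dir" || return 1
    find "$dir" -type d ! -perm 2770 -exec chmod 2770 {} +
    find "$dir" -type f ! -perm 0660 -exec chmod 0660 {} +
}

# audit_shared_tree DIR OWNER GROUP
#   Prints "user:group path" for every entry whose owner or group is not
#   the expected one and returns 1 if there were any; returns 0 when clean.
#   Reporting instead of chowning keeps the audit usable without root.
audit_shared_tree() {
    dir=$1; owner=$2; group=$3
    drift=$(find "$dir" \( ! -user "$owner" -o ! -group "$group" \) \
                -printf '%u:%g %p\n')
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# new_entry_inherits DIR
#   Creates a file and a subdirectory inside DIR and returns 0 when both
#   received DIR's group and the subdirectory also inherited the setgid bit,
#   which is what makes the scheme survive files created by either party.
new_entry_inherits() {
    dir=$1
    want=$(stat -c %g "$dir")
    : > "$dir/probe.txt" && mkdir "$dir/probe.d" || return 1
    [ "$(stat -c %g "$dir/probe.txt")" = "$want" ] &&
    [ "$(stat -c %g "$dir/probe.d")" = "$want" ] &&
    [ -g "$dir/probe.d" ]
}
```

Run setup_shared_tree once as root against the site directory, then schedule audit_shared_tree (or setup_shared_tree again) from cron to catch anything that slipped past the group inheritance.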


Re: How to allow easy editing of www-data owned files by a user

By Chris G at 12/06/2017 - 06:35

On Tue, Dec 05, 2017 at 10:05:42PM +0000, Peter Flynn wrote:

I have a directory 'wiki' in my home directory which is the root of
the whole DokuWiki installation. There is a link from /srv to
/home/chris/wiki so that apache2 serves the wiki on the web.

Much of the time I edit the wiki files directly by going into ~/wiki
and editing the relevant file - DokuWiki uses ordinary text files with
a simple mark up so this is very easy to do and the files are quite
readable as text. Thus most of the time files are owned by 'chris'.

Sometimes though I edit files through the wiki (e.g. if I'm doing it
from someone else's computer, or if it's a very small change) and in
this case some files will get created with www-data ownership.

I run syncthing to synchronise the wiki between my desktop, my laptop
and a virtual server on Gandi hosting.

It was a recent problem with syncthing that made me think I had a
problem with chris/www-data ownership conflicting but having now
cleared that (fairly minor) problem I don't think it was actually
caused by mixed ownership.

My current solution to the mixed ownership issue which does seem to
actually work, uses ACLs. What you do is set permissions as

cd /home/chris
# Set so users chris and www-data can do anything everywhere
setfacl -R -m u:chris:rwx wiki
setfacl -R -m u:www-data:rwx wiki
# Set so new files and directories have the same permissions
setfacl -R -d -m u:chris:rwx wiki
setfacl -R -d -m u:www-data:rwx wiki

As I say I thought this *wasn't* working, hence my original question,
but I now think that it is actually working OK and that the syncthing
problem was caused by something else (probably changes on two systems
done close together timewise).

Re: How to allow easy editing of www-data owned files by a user

By Xen at 12/06/2017 - 11:13

Also dokuwiki user :p.

So you keep mixed ownership but full permissions for everyone and the mods
are auto.

So you don't need any chmod script but you could still do a find & chown,

But did you know that in the past, user homes were always created g+s?

You can find traces of it in /etc/default/skel or similar.

This thing really needs a better default solution though, I mean something

The use case is pretty universal and trying to solve all of the
applications would be undoable.