LinuxQuestions.org


Pedroski 01-13-2020 06:26 PM

change permissions for /var/www/html
 
I got a book PHP & MySQL: Novice to Ninja by Kevin Yank. I want to learn a bit about these two topics.

Following the instructions, I installed apache2, mysql and php

I run Ubuntu 18.04. I use Bluefish to make files.

Trouble is, when I want to save the file in /var/www/html from Bluefish, I can't.

I've got to sudo them in.

Quote:

sudo mv /home/pedro/Desktop/today.php /var/www/html/

Without causing a security problem, what is the best way to change the permissions?

Make a group and add myself?

Actually, I am the only user on this old laptop.

sevendogsbsd 01-13-2020 06:54 PM

Don’t get in the Windows mindset and lessen permissions. Sudo is the correct way to do this.

scasey 01-13-2020 07:14 PM

I usually set up a directory under /var/www/html owned by your user with permissions set to 755. Put the content in there.
Set the DocumentRoot to that sub directory.

sevendogsbsd 01-13-2020 07:32 PM

Doesn’t the web server process need access to that directory though? How is that accomplished in that scenario?

Pedroski 01-13-2020 07:44 PM

root is the owner of /var/www/html/

root is also the group

Can I add myself to group root? Would that allow me read write access when saving from Bluefish?

Is that a reasonable way to do this?

scasey 01-13-2020 07:45 PM

Quote:

Originally Posted by sevendogsbsd (Post 6078091)
Doesn’t the web server process need access to that directory though? How is that accomplished in that scenario?

It has read access to the directory and the files therein as the “other” or “world” user. That’s all it needs to be able to serve the files...to be able to read them.
The owning user has rw, group and others are read...for files: -rw-r--r--
for the directory: -rwxr-xr-x

scasey 01-13-2020 07:47 PM

Quote:

Originally Posted by Pedroski (Post 6078096)
root is the owner of /var/www/html/

root is also the group

Can I add myself to group root? Would that allow me read write access when saving from Bluefish?

Is that a reasonable way to do this?

No. And root should not be the owner of the files in the Web space...the web server user should be...typically that’s apache.

Pedroski 01-13-2020 08:40 PM

Quote:

pedro@pedro-school2:~$ groups apache
groups: ‘apache’: no such user
pedro@pedro-school2:~$ groups apache2
groups: ‘apache2’: no such user
pedro@pedro-school2:~$
No user apache or apache2

Should I create a user apache and make him the owner of /var/www?

Should I make a group apache and add myself to it? Or just make myself the owner of /var/www

I just don't know the best way to do this.

Pedroski 01-13-2020 08:49 PM

Quote:

getent group

shows no group apache

It does have a group www-data:x:33:

Quote:

sudo:x:27:pedro
audio:x:29:pulse
dip:x:30:pedro
www-data:x:33:

Should I be in that group maybe?

scasey 01-13-2020 09:28 PM

Quote:

Originally Posted by Pedroski (Post 6078112)
shows no group apache

It does have a group www-data:x:33:

Should I be in that group maybe?

See #3
I host more than 70 domains...none of their spaces are owned by the web server user, nor are any of the owning users a member of the web server users group.

Turbocapitalist 01-13-2020 11:30 PM

Quote:

Originally Posted by scasey (Post 6078098)
No. And root should not be the owner of the files in the Web space...the web server user should be...

No. That is quite incorrect. Apache2 should have read access only, not write access. I'm not sure why that misperception is around at all. It would violate the privilege separation provided by running Apache2 as a separate account to have that very same account be able to write pages which it is serving up.

Anyway, if there is and will be only one account needing access, the quick way is to chown the directories and documents under /var/www/html/ to whatever single user needs access. Be sure that Apache2 can still read the files through o=r and the directories through o=rx.

However, if you have multiple accounts needing write access, then you'll have to add an extra group just for that purpose and work with that.

Either way the account and group that Apache2 is in should not be given write access nor should that group get any other accounts added to it.

yancek 01-14-2020 10:44 AM

The owner:group for the /var/www directory is usually apache:apache. For some reason, the developers at debian/ubuntu decided to change that to www-data:www-data so that is the owner:group you need for that directory on Ubuntu. You can then put other users in the www-data group and you can create sub-directories under /var/www/html with different users/groups.

Turbocapitalist 01-14-2020 11:08 AM

Quote:

Originally Posted by yancek (Post 6078301)
The owner:group for the /var/www directory is usually apache:apache. For some reason, the developers at debian/ubuntu decided to change that to www-data:www-data so that is the owner:group you need for that directory on Ubuntu. You can then put other user in the www-data group and you can create sub-directories under /var/www/html with different users/groups.

That is incorrect. Please reconsider that the account and group www-data exist to provide privilege separation. That goes out the window if either are somehow given write access to anywhere.

By default, the normal owner for the /var/www/ directory is root:root. Even in the Debian derivatives that is so. There does exist an account www-data and a group www-data, but neither are used for the file system. They are only used to keep the httpd processes separate from the rest of the system. Giving the HTTP daemon write access weakens the resilience of the system in regards to attack.

Again, the group www-data should not be used for /var/www/ nor should the account www-data be used for /var/www/ except in a few fringe edge cases. For a normal web service, the only thing www-data needs is to be able to read /var/www/ and that can be done with the normal drwxr-xr-x aka 755 directory permissions.
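The single-owner layout Turbocapitalist describes in this reply and the earlier one (one developer account owns and writes the tree, Apache reads it through the o=r / o=rx bits, and www-data neither owns nor can write anything) written out as a small POSIX sh script. This is an added example, not anything posted in the thread; WEBROOT, OWNER, WEBUSER and WEBGROUP are assumed placeholder settings.

```shell
#!/bin/sh
# Added example (not from the thread): keep the web space writable by one
# developer account only, readable by Apache through the "other" bits, and
# never owned or writable by the web server's own account or group.
# WEBROOT, OWNER, WEBUSER and WEBGROUP are assumed placeholder settings.
WEBROOT="${WEBROOT:-/var/www/html}"
OWNER="${OWNER:-pedro}"          # the single account that edits the site
WEBUSER="${WEBUSER:-www-data}"   # Apache's account on Debian/Ubuntu
WEBGROUP="${WEBGROUP:-www-data}" # Apache's group on Debian/Ubuntu

# Apply the layout: directories 755 (o=rx), files 644 (o=r), and, only when
# run as root and the owner account exists, hand the whole tree to OWNER.
normalize_webroot() {
    dir="$1"
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
    if [ "$(id -u)" -eq 0 ] && id "$OWNER" >/dev/null 2>&1; then
        chown -R "$OWNER:$OWNER" "$dir"
    fi
}

# Audit the tree and print how many entries break the rules (0 means clean):
#  1. Apache must be able to read every file (o+r) and enter every dir (o+rx);
#  2. nothing may be world-writable;
#  3. the web server's account must not own anything and its group must not
#     have write access anywhere, or the privilege separation is lost.
audit_webroot() {
    dir="$1"
    unreadable=$( { find "$dir" -type f ! -perm -004
                    find "$dir" -type d ! -perm -005; } | wc -l)
    worldwrite=$(find "$dir" -perm -002 | wc -l)
    webowned=$( { find "$dir" -user "$WEBUSER"
                  find "$dir" -group "$WEBGROUP" -perm -020; } 2>/dev/null | wc -l)
    echo $((unreadable + worldwrite + webowned))
}

# Usage: sudo WEBROOT=/var/www/html OWNER=pedro sh fix-webroot.sh apply
#        sh fix-webroot.sh audit
case "${1:-}" in
    apply) normalize_webroot "$WEBROOT"
           echo "remaining offenders: $(audit_webroot "$WEBROOT")" ;;
    audit) echo "offenders under $WEBROOT: $(audit_webroot "$WEBROOT")" ;;
esac
```

Run the audit as any user first; only the apply step needs sudo, and only for the chown.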

scasey 01-14-2020 11:25 AM

Quote:

Originally Posted by Turbocapitalist (Post 6078145)
No. That is quite incorrect. Apache2 should have read access only, not write access. I'm not sure why that misperception is around at all. It would violate the privilege separation provided by running Apache2 as a separate account to have that very same account be able to write pages which it is serving up.

Anyway, if there is and will be only one account needing access, the quick way is to chown the directories and documents under /var/www/html/ to whatever single user needs access. Be sure that Apache2 can still read the files through o=r and the directories through o=rx.

However, if you have multiple accounts needing write access, then you'll have to add an extra group just for that purpose and work with that.

Either way the account and group that Apache2 is in should not be given write access nor should that group get any other accounts added to it.

I stand corrected. You are absolutely correct. The owner of the webspace should NOT be the web server user.
I apologize for any confusion.

I still disagree about using groups to manage multiple users in that space however.
A snippet of the setup on my server:
Code:

# ll /var/www/html
total 108
drwxr-xr-x.  7 user1web    ftpusers  8192 Feb 26  2018 site1
drwxr-xr-x. 18 user2web    ftpusers 16384 Nov 20 11:48 site2
drwxr-xr-x.  3 scaseyweb    ftpusers  4096 Nov 27  2014 site3
drwxr-xr-x.  5 scaseyweb    ftpusers  4096 Mar 27  2019 site4

Users user1 and user2 have ftp access to the content they maintain themselves.
We maintain the content on site3 and site4, so those are both owned by us.
As all those directories (and the files therein) are "world readable" the web user can serve them.

/var/www/html is owned by root:root.

Turbocapitalist 01-14-2020 11:31 AM

Quote:

Originally Posted by scasey (Post 6078319)
I still disagree about using groups to manage multiple users in that space however.

If you have only one user, then that is the most convenient way.

Once you have more than one, the groups come into play. In some file systems, ACLs max out at much less than two dozen accounts, I cannot recall what the limit is for EXT4 though.

