Original source: http://stackoverflow.com/questions/10990/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me):
StackOverFlow
What are the proper permissions for an upload folder with PHP/Apache?
Asked by Raleigh Buckner
Sorry for the basic question - I'm a .NET developer and don't have much experience with LAMP setups.
I have a PHP site that will allow uploads to a specific folder. I have been told that this folder needs to be owned by the webserver user for the upload process to work, so I created the folder and then set permissions as such:
chown apache:apache -R uploads/
chmod 755 -R uploads/
The only problem now is that the FTP user can not modify the uploaded files at all.
Is there a permission setting that will allow me to still upload files and then modify them later as a user other than the webserver user?
Accepted answer by Ryan Ahearn
You can create a new group with both the apache user and FTP user as members and then make the permission on the upload folder 775. This should give both the apache and FTP users the ability to write to the files in the folder but keep everyone else from modifying them.
Answer by Max
I would go with Ryan's answer if you really want to do this.
In general on a *nix environment, you always want to err on giving away as little permissions as possible.
9 times out of 10, 755 is the ideal permission for this - as the only user with the ability to modify the files will be the webserver. Change this to 775 with your ftp user in a group if you REALLY need to change this.
Since you're new to php by your own admission, here's a helpful link for improving the security of your upload service:
move_uploaded_file
Answer by Biri
Or at least 766.
- read = 4
- write = 2
- execute = 1
7 = read + write + execute
6 = read + write
- first number: owner
- second number: group
- third number: other users
Answer by Lazarus Rising
I would support the idea of creating an ftp group that will have the rights to upload. However, I don't think it is necessary to give 775 permission. 7 stands for read, write, execute. Normally you want to allow certain groups to read and write, but depending on the case, execute may not be necessary.
Answer by M. Ahmad Zafar
What is important is that the apache user and group should have minimum read access and in some cases execute access. For the rest you can give 0 access.
This is the most safe setting.
Answer by palehorse
I will add that if you are using SELinux, you need to make sure the type context is tmp_t. You can accomplish this by using the chcon utility:
chcon -t tmp_t uploads
Answer by SubstanceMX
Remember also CHOWN or chgrp your website folder. Try myusername# chown -R myusername:_www uploads
Answer by Eric Wang
Based on the answer from @Ryan Ahearn, following is what I did on Ubuntu 16.04 to create a user front that only has permission for nginx's web dir /var/www/html.
Steps:
* pre-steps:
  * basic prepare of server,
  * create user 'dev', which will be the owner of "/var/www/html",
  * install nginx,
* create user 'front'
    sudo useradd -d /home/front -s /bin/bash front
    sudo passwd front
    # create home folder, if not exists yet,
    sudo mkdir /home/front
    # set owner of new home folder,
    sudo chown -R front:front /home/front
    # switch to user,
    su - front
    # copy .bashrc, if not exists yet,
    cp /etc/skel/.bashrc ~front/
    cp /etc/skel/.profile ~front/
    # enable color,
    vi ~front/.bashrc
    # uncomment the line start with "force_color_prompt",
    # exit user
    exit
* add to group 'dev',
    sudo usermod -a -G dev front
* change owner of web dir,
    sudo chown -R dev:dev /var/www
* change permission of web dir,
    # -exec passes names to chmod directly, so names containing spaces are handled,
    find /var/www/html -type d -exec chmod 775 {} +
    find /var/www/html -type f -exec chmod 664 {} +
* re-login as 'front' to make group take effect,
* test
* ok
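An audit for the shared-group layout the answers above converge on (directories 775, files 664, one common group), added here as an example and not part of any answer. The helper name audit_uploads, the demo tree and its file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the answers): audit an upload tree against the
# shared-group scheme above: directories 775, files 664, one common group.

# audit_uploads DIR GROUP  (hypothetical helper name)
# Prints "<finding>: <path>" per deviation; returns 1 if any were found.
audit_uploads() {
    dir=$1
    group=$2
    findings=$(
        # Write bit (2) in the third digit: any local user can modify the entry.
        find "$dir" ! -type l -perm -002 | sed 's/^/world-writable: /'
        # Execute bit (1) in any digit of a regular file: uploads are data.
        find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) |
            sed 's/^/executable-file: /'
        # No write bit in the second digit: the other group member is locked out.
        find "$dir" ! -type l ! -perm -020 | sed 's/^/not-group-writable: /'
        # Different group: the second digit applies to someone else.
        find "$dir" ! -type l ! -group "$group" | sed 's/^/wrong-group: /'
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree: one compliant file and three deviations.
demo() {
    tmp=$(mktemp -d) || return 1
    group=$(ls -ld "$tmp" | awk '{print $4}')   # group new entries will get
    mkdir -p "$tmp/uploads/2024"
    for f in ok.jpg loose.txt owner-only.pdf 2024/photo.png; do
        : > "$tmp/uploads/$f"
    done
    chmod 775 "$tmp/uploads" "$tmp/uploads/2024"
    chmod 664 "$tmp/uploads/ok.jpg"
    chmod 666 "$tmp/uploads/loose.txt"          # "6" in the third digit
    chmod 644 "$tmp/uploads/owner-only.pdf"     # group can read but not write
    chmod 775 "$tmp/uploads/2024/photo.png"     # directory mode on a file
    (cd "$tmp" && audit_uploads uploads "$group") || true
    rm -rf "$tmp"
}

# Usage: sh audit_uploads.sh DIR GROUP   (no arguments runs the demo)
if [ "$#" -eq 2 ]; then audit_uploads "$1" "$2"; else demo; fi
```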

