I keep coming back to perfecting web-based permissions; I've done it a few ways. This post isn't so much complex as a little long, because I wanted to provide some samples.
I've searched far and wide, but I am wondering if there is a de-facto standard. Thank you for your time.
Q: Can anyone please advise me on the best approach according to the basic Permission Goals below?
Permission Goals:
- Prevent 0777 mode
- Default group www-data is sticky
- Default user as myself is sticky (If possible, I don't think a default exists in setfacl)
- Prevent
Cliff Notes:
- Using: Ubuntu 16.04 and 16.10 (Desktop Versions at the Moment)
- Using: $ chmod g+rws
I have set this previously; I do wonder why this highlights my files in an orange color, which concerns me. The goal was to keep current and new files as www-data.
sudo chgrp -R www-data /var/www
sudo chmod -R g+rws /var/www # <-- s or S?
The above works for the most part, but I have read it's bad to use; why? So I tried setfacl.
$ setfacl
Here I use setfacl; the problem is that it will make all current files +x for the user, which I don't want.
# For Current Files | User/Group (-m modifies the access ACL of each existing entry)
sudo setfacl -Rm u:myself:rwx /var/www
sudo setfacl -Rm g:www-data:rwx /var/www
# For Future Files | User/Group (-d sets the default ACL on directories, inherited by new entries;
# -d must come before -m in the cluster, since -m takes the next word as its argument)
sudo setfacl -Rdm u:myself:rwx /var/www
sudo setfacl -Rdm g:www-data:rwx /var/www
.bashrc setfacl files/dirs separately
So a crazy idea I had was to make a .bashrc function. It's not fully correct yet, but you get the idea.
# CREATE must be set to the root of the tree to process before calling either function.
function facl_file() {
    echo "(+) Set ACL for $USER:www-data rw [Files Only, Persist]"
    # Files cannot have default (-d) ACLs, so each file is handled individually
    while IFS= read -r -d $'\0' file; do
        echo " Setting $file"
        # Default Mode: RW
        mode="rw"
        # If Executable, Add RWX
        if [[ -x "$file" ]]; then
            mode="rwx"
        fi
        sudo setfacl -m "u:$USER:$mode" "$file"
        sudo setfacl -m "g:www-data:$mode" "$file"
    done < <(find "$CREATE" -type f -print0)
    echo "(+) Done with Files"
}

function facl_dir() {
    echo "(+) Set ACL for $USER:www-data rwx [Directories Only, Persist]"
    while IFS= read -r -d $'\0' dir; do
        echo " Setting $dir"
        # -m: access ACL of the directory itself; -dm: default ACL for entries created inside it
        sudo setfacl -m "u:$USER:rwx" "$dir"
        sudo setfacl -dm "u:$USER:rwx" "$dir"
        sudo setfacl -m "g:www-data:rwx" "$dir"
        sudo setfacl -dm "g:www-data:rwx" "$dir"
    done < <(find "$CREATE" -type d -print0)
    echo "(+) Done with Directories"
}
The goal of the above was to prevent directories from losing the +x, and to prevent files that were not +x from becoming +x.
Any advice would be appreciated if I am going the wrong way about this. I can't seem to find a good "Sticky Standard" that feels right.
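An added example (not code from the original post) of the approach the two snippets above are reaching for: setgid on directories so the group sticks, and ACL grants written with the capital X permission, which yields execute only for directories and files that are already executable, so one recursive setfacl does what the per-file loop does. It assumes a www-data group exists and the filesystem supports POSIX ACLs; acl_perms_for and effective_group_perms are helper names chosen here, not part of any tool.

```shell
#!/bin/sh
# Added example, not from the original post. A shared web root where the group
# sticks via setgid and the ACL grants use the capital X permission, which
# yields execute only for directories and already-executable files, so one
# recursive setfacl replaces the per-file loop. Assumes group www-data exists
# and the filesystem supports POSIX ACLs (setfacl/getfacl from the acl package).
set -eu

WEB_GROUP="${WEB_GROUP:-www-data}"

# Helper (name chosen here): the perms the X rule yields for one path, in plain
# shell, so the rule can be checked even where ACL tools are unavailable.
acl_perms_for() {
    if [ -d "$1" ] || [ -x "$1" ]; then
        printf 'rwx'
    else
        printf 'rw-'
    fi
}

# Group ownership plus setgid on every directory so new entries inherit it.
# Symbolic chmod takes a lowercase s; the uppercase S that ls prints only means
# setgid is set on something without group execute, which g+X rules out here.
stick_group() {
    chgrp -R "$WEB_GROUP" "$1"
    chmod -R g+rwX "$1"
    find "$1" -type d -exec chmod g+s '{}' +
}

# Access ACLs for what exists now, default ACLs (directories only) for what
# gets created later. rwX rather than rwx is what leaves plain files at rw-.
grant_acls() {
    setfacl -R -m "u:$2:rwX,g:${WEB_GROUP}:rwX" "$1"
    setfacl -R -d -m "u:$2:rwX,g:${WEB_GROUP}:rwX" "$1"
}

# Effective group rights of a path. The mask caps every named entry, and
# setfacl recomputes it from the entries it was given (rwX keeps it at rw-
# for a regular file), so this is what the file really grants, e.g. "rw-".
effective_group_perms() {
    getfacl --omit-header "$1" | sed -n 's/^mask::\([rwx-]*\)$/\1/p'
}
```

Run stick_group /var/www followed by grant_acls /var/www myself; getfacl on a file created afterwards shows the inherited named entries with the mask capped at rw-, which is why it is not executable even though the default entry reads rwx.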