User Permissions for www Directory

I’m running some static sites on my homelab raspberry pi using Lighttpd for the webserver.
I’m wondering what is the best practice for user permissions, I can’t find super clear guidance on how to handle users, groups and permissions in the /var/www/html directories.

After installing Lighttpd in RaspberryOS, all those folders were “root:root” including /var/www and /var/www/html. I decided that I would run my static sites in sub directories under /var/www/html as an example I’m serving a site created with Docsify under /var/www/html/docs.

I would like to be able to update /var/www/html/docs by running a simple rsync script that copies the Markdown files and the updated index.html file from my workstation to the Raspberry Pi. So I have made /var/www/html/docs user and group the main Pi user and group. I don’t think this opens up security issues, but I’m wondering if this is the best practice or if there are better ways to handles this.

I haven’t personally run that particular webserver, but you can find out what user that service runs under by checking the process list with the ps command. The files in /var/www/html need to at least be readable by the user the webserver is running as.

What you could do, is create a maintenance group for your server, and give that group ownership of the files and directories under /var/www/html. You would also have to make sure the user that the webserver runs as is in that group too. Then whatever user your maintenance scripts run as, give that user access to that same group. Then, the relevant users should have the access they need to do what they do.

Let me know if that doesn’t make sense.

I think this makes sense, but I’m a little lost in the application, perhaps because I’m still learning users and permissions (by the way great video on this that came out last week).

Currently here is the set up:
Raspberry Pi with just one user created to replace the default user “pi”, let’s call the user “cake”

/var/www/html has the file permissions of: drwxr-xr-x 3 root root

The two things in that directory are:

drwxr-xr-x 2 cake cake 4096 Apr  4 11:32 docs
-rw-r--r-- 1 root root 3388 Mar 28 16:50 index.lighttpd.html

The user listed by ps who is running lighttpd:

www-data   397  0.0  1.0   8664  4480 ?        Ss   Apr08   0:59 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf

When I installed Lighttpd I’m guessing that the install created the www-data user and group. So I want to be able to update the static html files in /var/www/html/docs with user cake since this is the user that has sudo and ssh login credentials. So Instead of having /var/www/html/docs owned by cake:cake would it be better for it to be owned by www-data:www-data and then add cake to the www-data group?

Is that what you meant by having a “maintenance group” for the server?

I think you got it. Add the user cake to the www-data group, make sure all files and directories in /var/www/html are owned by www-data:cake, and that group has read and write permissions on each file, and read, write and execute on each folder.