Reputation: 435
I'm attempting to clone a private repo from Bitbucket to /var/www on a CentOS VPS.
I've generated an SSH key pair on the VPS, and uploaded the .pub file to Bitbucket as a (read-only) Deploy Key.
The keys are set up properly, because when I connect using:
ssh -T [email protected]
it works fine:
authenticated via deploy key.
You can use git or hg to connect to Bitbucket. Shell access is disabled.
This deploy key has read access to the following repositories:
<username>/<repo_name>: <Deployment Key Nickname> -- <vps_username>@<vps_hostname>
Connection to bitbucket.org closed.
So far, so good. But when I try to clone a repo into /var/www, I get:
fatal: could not create work tree dir '<repo_name>'.: Permission denied
When I sudo it, I get
Permission denied (publickey).
I found this note in the Bitbucket docs regarding said error:
You used sudo when attempting the connection. You do not need to use sudo when cloning a repository or any other SSH action with Bitbucket.
It looks like I need to run with root permissions to create the tree, but if I do, it isn't using the SSH key correctly.
So, I chmod'd the /var/www directory so that my non-root user would have write privileges, and everything worked fine. But that directory is now 777 (drwxrwxrwx), which probably isn't good.
Is there a better way to handle this? I'd like to get /var/www back to 755, but I don't want to mess around with a temporary chmod every time I want to update my code...
Thanks in advance!
Upvotes: 0
Views: 957
Reputation: 11571
Make /var/www group-writable (chmod g+w /var/www) and change its group to a group that trusted users (including you) are a member of. If you don't want to open up all of /var/www then perhaps you can introduce an extra level, say /var/www/foo, that you open up.
Upvotes: 2
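The answer's approach as a script, added here as an example and not part of either post. The helper names are hypothetical, the group is whichever trusted group you choose, and the setgid bit (mode 2775) goes beyond the answer so that files created by the clone inherit that group. The demo runs on a scratch directory standing in for /var/www.

```shell
#!/bin/sh
# Added example; helper names are hypothetical.
# On a real server, run as root: harden_webroot /var/www <trusted_group>
# Then clone as the unprivileged group member, without sudo, so that
# the user's own SSH key is the one offered to Bitbucket.

# Exit 0 if the directory is world-writable (as /var/www was after chmod 777).
is_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -0002 2>/dev/null)" ]
}

# Hand the directory to a trusted group and remove write access for "other".
# $1 = directory, $2 = group name or numeric gid
harden_webroot() {
    dir=$1
    group=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    chgrp "$group" "$dir" || return 1
    # 2775 = rwx owner, rwx group, r-x other; setgid makes new entries
    # created inside the directory inherit its group.
    chmod 2775 "$dir" || return 1
    if is_world_writable "$dir"; then
        echo "still world-writable: $dir" >&2
        return 1
    fi
}

# Demo on a constructed scratch directory standing in for /var/www.
demo() {
    scratch=$(mktemp -d) || return 1
    chmod 777 "$scratch"
    is_world_writable "$scratch" && echo "before: world-writable"
    harden_webroot "$scratch" "$(id -g)" && echo "after: group-writable only"
    ls -ld "$scratch"
    rm -rf "$scratch"
}
demo
```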