Magento 2 has a nasty habit of resetting file permissions to match whatever the correct setting is on the system they run in development. To make matters worse, new files and directories are created with their lame ass defaults, so changing permissions is the equivalent of whack-a-mole.
Use ACLs instead.
(The steps below are still to be edited with ACL info.)
and write to them and no one else can access them
- Set the permissions on all directories so that the owner can read, write, and SEARCH them and no one else can access them
- For all files, allow users in the same group to read them
- For all files, allow everyone else to read them
- For all directories, allow users in the same group to read and search them
- For all directories, allow everyone else to read and search them
- For the var directory and all subdirectories, give users in the same group read, write, and search access
- For all directories in pub/media give users in the same group read, write, and search access
- For all directories in pub/static give all users read access and search access
The x (search) permission on a directory is what allows a user to run commands such as:
cd pub/media and ls pub/media
Using the identifier+perms syntax (for example g+rwx) allows us to be additive rather than destructive. I.e., chmod 770 will set the permissions for everyone/world/other to 0, or none. If there was some directory where this was incorrect, you just broke something. By being additive, you avoid this issue. In general you should almost never have to run the first 2 commands; just start at 3 and work down.
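The last three list items expressed as ACLs, as an added example that is not part of the original page. It sets an access entry plus the matching default entry on each directory, so new files and subdirectories inherit the entry instead of the creating process's defaults. Assumptions: the function names, the www-data fallback group and the dry-run switch are made up for illustration, and setfacl comes from the acl package.

```bash
#!/bin/sh
# Added example: ACL form of the var, pub/media and pub/static list items.
# Assumptions (not from the page): the web server group defaults to www-data,
# and DRY_RUN=1 (the default) prints the commands instead of running them.

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Turn each access entry into "entry,d:entry": the d: (default) copy is what
# newly created files and subdirectories inherit from the parent directory.
acl_spec() (
    spec=""
    for e in "$@"; do spec="${spec:+$spec,}$e,d:$e"; done
    printf '%s' "$spec"
)

# Add the entries to every directory under $1. setfacl -m only adds or
# updates the named entries, so existing permissions are left alone
# (additive, like chmod g+rwx rather than chmod 770).
grant_dirs() (
    dir=$1; shift
    [ -d "$dir" ] || { echo "skip: $dir not found" >&2; exit 0; }
    run find "$dir" -type d -exec setfacl -m "$(acl_spec "$@")" {} +
)

# magento_acls MAGENTO_ROOT [GROUP]
magento_acls() (
    root=${1:?usage: magento_acls MAGENTO_ROOT [GROUP]}
    group=${2:-www-data}
    # var and pub/media: the group gets read, write and search.
    grant_dirs "$root/var"        "g:$group:rwx"
    grant_dirs "$root/pub/media"  "g:$group:rwx"
    # pub/static: group and everyone else get read and search only.
    grant_dirs "$root/pub/static" "g::rx" "o::rx"
)

# Review first:  magento_acls /path/to/magento www-data
# Then apply:    DRY_RUN=0 magento_acls /path/to/magento www-data
```

A later chmod on a path that carries an ACL changes the ACL mask rather than the named group entry, so if access still breaks after a deploy, look for `#effective:` comments in the getfacl output.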