Permission change after setup:upgrade

See my answer to this question.

The problem here is that newly generated files are owned by the user and group that issue the command ($USER:$USER), whereas they should belong to $USER:www-data or $USER:apache. Because apache2 does not have access to the group $USER, the website cannot be properly served.

In order to retain proper permissions, Magento commands should be executed as the apache user.

For example:

Ubuntu

$ sudo -u www-data php bin/magento setup:upgrade

CentOS

$ sudo -u apache php bin/magento setup:upgrade

This way, new files are owned by www-data:www-data (in the case of Ubuntu).

So long as you have properly followed Magento's documentation with regard to permissions and added the CLI user to the apache2 group, then you will have proper access to the files.

If you did not follow this documentation then you can execute the following command to do so:

Ubuntu

$ sudo usermod -a -G www-data $USER

CentOS

$ sudo usermod -a -G apache $USER

Note:

In order that commands can be executed without declaring the apache2 user, Daniel's answer explains that we can modify how the Magento framework sets permissions for new files.
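
To check whether an earlier command run as the wrong user has already left files the web server cannot reach, the script below lists entries whose group is not the web server's group. It is an added example, not part of the original answer; the function names and the directory list (Magento's usual writable directories) are assumptions, and it requires GNU find.

```shell
#!/bin/sh
# Added example (not from the original answer): report files in Magento's
# writable directories whose group is not the web server's group.
# Assumptions: GNU find (-printf); the directory list below; group name
# www-data (Ubuntu) or apache (CentOS) as used in the answer above.

MAGENTO_WRITABLE_DIRS="var generated pub/static pub/media app/etc"

# list_group_drift ROOT GROUP
# Prints "owner:group<TAB>path" for every entry whose group is not GROUP.
list_group_drift() {
    drift_root=$1
    drift_group=$2
    for drift_dir in $MAGENTO_WRITABLE_DIRS; do
        # Skip directories this installation does not have.
        [ -d "$drift_root/$drift_dir" ] || continue
        find "$drift_root/$drift_dir" -printf '%u:%g\t%p\n' |
            awk -F'\t' -v want="$drift_group" '
                { n = split($1, id, ":"); if (id[n] != want) print }'
    done
}

# count_group_drift ROOT GROUP
# Prints the number of entries reported by list_group_drift.
count_group_drift() {
    list_group_drift "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone use: ./script.sh /path/to/magento [group]
if [ "$#" -ge 1 ]; then
    list_group_drift "$1" "${2:-www-data}"
fi
```

Run it against the Magento root after setup:upgrade; an empty result means every generated file is in the expected group.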