Raffaele Morelli wrote:
> Lukasz Szybalski wrote:
> > Thanks for the feedback. I did check with other production sites I run,
> > and most of them are owned by root. I have to test to see "if you want to
> > use the "wordpress" to upload a theme using the site UI", I think you might
> > be forced to have the www-data own and being able to write to theme folder.
> > If you don't you would have to sftp the theme there and unzip it manually.
> root should not own files served by apache for any reason, that's really
> "dangerous"!
No. Files owned by root and served by Apache are not dangerous.
What is dangerous are files owned by the Apache process user www-data,
writable by www-data, and then potentially written using an attack
against the web server code base. But some projects require that just
the same regardless of the danger.
> you should never do that...
You should always do this. :-)
There is no problem whatsoever with files being owned by root. This
is done all of the time. It is okay. This is the default for files
installed by Debian packages for example.
If you truly believe that files owned by root are a problem then
please start filing bug reports because there are a lot of packages
with files owned by root.
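
An added example (not part of the thread) of the distinction drawn above: it lists the paths under a document root that the web server user owns or can write, judged from owner and mode bits only. The function names, the sample tree and the stand-in uid are constructed for illustration, and ACLs are not considered.

```python
import os, stat, tempfile

def audit_docroot(root, web_uid, web_gids):
    """Return sorted (relative_path, reason) pairs the web user could modify.

    Decided from owner and mode bits only; ACLs and mount options are ignored.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            if st.st_uid == web_uid:
                # The owner can always chmod the file back to writable.
                reason = "owned by web user"
            elif st.st_gid in web_gids:
                reason = "group-writable" if st.st_mode & stat.S_IWGRP else None
            else:
                reason = "world-writable" if st.st_mode & stat.S_IWOTH else None
            if reason:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)

def demo():
    """Constructed tree: a read-only core file and a group-writable uploads dir."""
    root = tempfile.mkdtemp()
    core = os.path.join(root, "index.php")
    uploads = os.path.join(root, "uploads")
    open(core, "w").close()
    os.mkdir(uploads)
    os.chmod(root, 0o755)
    os.chmod(core, 0o644)
    os.chmod(uploads, 0o775)
    st = os.lstat(uploads)
    # Assumption: the web user is a different uid that shares the tree's group.
    return audit_docroot(root, st.st_uid + 1, {st.st_gid})

if __name__ == "__main__":
    print(demo())
```

Against a real tree, pass the uid from `pwd.getpwnam("www-data")` and that user's group ids from `os.getgrouplist`; an empty result means the web server process can read the files but cannot alter them.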