On 12/24/2013 02:57 AM Raffaele Morelli wrote:
Read apache webserver documentation.
This is a good idea in general, but a more specific reference would actually be practical.
There is no problem whatsoever with files being owned by root. This
is done all of the time. It is okay. This is the default for files
installed by Debian packages for example.
If you truly believe that files owned by root are a problem then
please start filing bug reports because there are a lot of packages
with files owned by root.
You are quite wrong here, "debian packages" (what are you referring to?)
are not php script supposed to go online and be exposed to the world.
Keep in mind that if a php script is owned by root user and there's a
security hole in it, an attacker can easily access every block of your
file system.
There seems to be some conflation here involving the ownership of the file and the ownership of process when these are actually quite distinct. For example, /bin/rm is owned by root. But the mere execution of it by a regular user doesn't give that regular user root privileges. Conversely if a regular user owns an executable file and this file is executed by root, that process is not then owned by that regular user. In short, the ownership of the file does not determine the ownership of the process invoked by that file.
Web pages are supposed to run with the same privileges and (limited) shell as the user who runs the webserver.
This part is true and is why public-facing webserver *processes* are not invoked by root (though not too long ago they used to be).
Please, don't you spread confusion and read about security stuff.
Good conversation. It seems we need more of this kind of thing.