2013/12/31 Jerry Stuckle <jstuckle@attglobal.net>
BTW - your quoting style is not consistent, making it difficult to
see which are your comments and which are in the post you are
replying to.
Jerry
I broke quoting somewhere in the thread. BTW, here are my main points.
1. One should not be using root ownership for websites to solve
permissions problems in the website document root. On servers where there
are N web developers this is absolutely the wrong way to go (you can't
go IMO).
root should only be used for system administration.
Security is not a matter of doing everything as root but of using the
right permissions and user/group rules.
2. The www-data user should have r-x group permissions and unprivileged
users (e.g. developer account) should have rwx (or rw-) permissions and
ownership.
www-data ownership is safe without write permission.
I just want to add a (relevant) bit.
Apache has tons of directives to secure a website and if you really need
to upload in a dir you can tell Apache to not execute PHP scripts in
there or force file type to text or prevent POST requests from untrusted
IPs, etc. etc... and you're done.
/r
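
The permission scheme from the message above, as an added example that is not part of the original e-mail: a developer account owns the document root, the web server group gets read/traverse only, and two checks list anything the web server could write to or that root owns. The function names are hypothetical; giving "other" no access and giving the group r-- (not r-x) on regular files are assumptions.

```shell
#!/bin/sh
# Added example. Scheme from the message: a developer account owns the
# document root with write access, the web server group only reads/traverses.
# Assumptions: "other" gets no access; regular files need no x for the group.

# harden_docroot DIR [OWNER:GROUP]
harden_docroot() {
    docroot=$1
    # Changing ownership needs privileges, so it is optional
    # (constructed sample value: alice:www-data).
    if [ -n "${2:-}" ]; then
        chown -hR "$2" "$docroot" || return 1
    fi
    # Directories: rwxr-x--- ; regular files: rw-r----- ; symlinks untouched.
    find "$docroot" -type d -exec chmod 750 {} + &&
    find "$docroot" -type f -exec chmod 640 {} +
}

# writable_by_web DIR: print entries the group or anyone else can write to.
# Returns 1 when at least one such entry exists, 0 when the tree is clean.
writable_by_web() {
    found=$(find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# root_owned DIR: print entries owned by uid 0 inside the document root.
root_owned() {
    find "$1" -user 0 -print
}

# Stand-alone use: sh script.sh /path/to/docroot [owner:group]
if [ "$#" -ge 1 ]; then
    harden_docroot "$@" && writable_by_web "$1" && root_owned "$1"
fi
```
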