[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#270593: apache2: /var/wwww should be owned by www-data, not root

Package: apache2
Version: 2.0.50-12
Severity: grave
Justification: user security hole

I'm not sure which process is responsible of creating /var/www, but
I'm resuming that apache2, whcih is the only web server installed
in this system.

The permissions look like this now:

    host:~# ls -la /var/www
    drwxr-xr-x   3 root root 4096 Sep  6 23:53 .

But wouldn't it bemore secure to to use:

    chown -R www-data.www-data /var/www

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-1-386
Locale: LANG=C, LC_CTYPE=C (ignored: LC_ALL set to en_US)

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork           2.0.50-12  Traditional model for Apache2

-- no debconf information

Reply to: