why are files/directories owned by www-data !?

To: debian-devel@lists.debian.org
Subject: why are files/directories owned by www-data !?
From: Ethan Benson <erbenson@alaska.net>
Date: Sun, 23 Jan 2000 03:53:32 +0000
Message-id: <v04220805b4b0290290c6@[192.168.0.1]>

Hi,

I have noticed that /var www and /var/lib/dhelp are owned bywww-data.www-data, why?

also all the httpd logs are owned by www-data and are world readable.they should be root.adm and 640 at a most IMO. on my old redhat boxthey were root.root 600.


[eb@plato eb]$ grep www-data /etc/apache/httpd.conf
User www-data
Group www-data
[eb@plato eb]$

since the web server is running as www-data if anyone breaks into itthus gaining www-data privileges they will be able to modify the website if stored in /var/www, they can write to /var/lib/dhelp and canalter the logs to hide their attack!

If I recall correctly you are never supposed to have any files ownedby the web server.

and it seems that /var/dhelp gets chowned back to www-data every timeits upgraded...


what is the deal here?  am i missing something?

--
Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/

Reply to:

Follow-Ups:
- Re: why are files/directories owned by www-data !?
  - From: Brian May <bam@debian.org>

Prev by Date: Re: bug list by submitter
Next by Date: Re: To the bind maintainer
Previous by thread: Re: bug list by submitter
Next by thread: Re: why are files/directories owned by www-data !?
Index(es):
- Date
- Thread