Re: why are files/directories owned by www-data !?
>>>>> "Ethan" == Ethan Benson <erbenson@alaska.net> writes:
Ethan> Hi, I have noticed that /var/www and /var/lib/dhelp are
Ethan> owned by www-data.www-data, why?
I don't know about /var/lib/dhelp - that seems broken to me.
Ethan> also all the httpd logs are owned by www-data and are world
Ethan> readable. they should be root.adm and 640 at a most IMO.
Ethan> on my old redhat box they were root.root 600.
I think you have to trust the webserver not to corrupt its
own log files...
Ethan> [eb@plato eb]$ grep www-data /etc/apache/httpd.conf
Ethan> User www-data
Ethan> Group www-data
Ethan> [eb@plato eb]$
On slink, these files are owned by root:root and have 644 permission.
I don't see why www-data should own them either.
Ethan> since the web server is running as www-data if anyone
Ethan> breaks into it thus gaining www-data privileges they will
Ethan> be able to modify the web site if stored in /var/www, they
This is where it becomes interesting, and while I disagree with
why it is done that way, I can tell you why it was done that way ;-).
There are 4 conflicting requirements:
1. the web server MUST be able to read stuff stored in /var/www
2. the web server shouldn't have write access to /var/www/*
3. certain data under /var/www might be password protected, and not
open to public.
4. users shouldn't have to log in as root or www-data in order to
change web pages.
However, Linux currently only allows one group per file, so
achieving all of these goals at once is impossible. I think the
apache maintainer has given priority to 1, 3, and 4 over 2.
Personally, I would give 2 higher priority than 3, but that is
just my opinion.
Ideally, to fix this, you need two groups, eg:
www-server - readonly access to /var/www/*
www-data - read/write access to /var/www/*
Perhaps this will be possible with Ext3 or something.
Ethan> and it seems that /var/dhelp gets chowned back to www-data
Ethan> every time it's upgraded...
I don't understand this bit - perhaps it is a bug in dhelp? AFAIK,
dhelp never is run as www-data...
--
Brian May <bam@debian.org>