
Re: why are files/directories owned by www-data !?



>>>>> "Ethan" == Ethan Benson <erbenson@alaska.net> writes:

    Ethan> Hi, I have noticed that /var/www and /var/lib/dhelp are
    Ethan> owned by www-data.www-data, why?

I don't know about /var/lib/dhelp - that seems broken to me.

    Ethan> also all the httpd logs are owned by www-data and are world
    Ethan> readable.  they should be root.adm and 640 at most IMO.
    Ethan> on my old redhat box they were root.root 600.

I think you have to trust the webserver not to corrupt its
own log files...

    Ethan> [eb@plato eb]$ grep www-data /etc/apache/httpd.conf
    Ethan> User www-data
    Ethan> Group www-data
    Ethan> [eb@plato eb]$

On slink, these files are owned by root:root and have 644 permission.
I don't see why www-data should own them either.

    Ethan> since the web server is running as www-data if anyone
    Ethan> breaks into it thus gaining www-data privileges they will
    Ethan> be able to modify the web site if stored in /var/www, they

This is where it becomes interesting, and while I disagree with
why it is done that way, I can tell you why it was done that way ;-).

There are 4 conflicting requirements:

1. the web server MUST be able to read stuff stored in /var/www

2. the web server shouldn't have write access to /var/www/*

3. certain data under /var/www might be password protected, and not
open to public.

4. users shouldn't have to log in as root or www-data in order to
change web pages.

However, Linux currently only allows one group per file, so
achieving all of these goals at once is impossible. I think the
apache maintainer has given priority to 1, 3, and 4 over 2.

Personally, I would give 2 higher priority than 3, but that is
just my opinion.

Ideally, to fix this, you need two groups, eg:
www-server - readonly access to /var/www/*
www-data   - read/write access to /var/www/*

Perhaps this will be possible with Ext3 or something.

    Ethan> and it seems that /var/dhelp gets chowned back to www-data
    Ethan> every time it's upgraded...

I don't understand this bit - perhaps it is a bug in dhelp? AFAIK,
dhelp is never run as www-data...

-- 
Brian May <bam@debian.org>
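The four requirements listed in the message, checked against concrete ownerships by a small model of Unix permission evaluation. This is an added example, not code from the original thread or from the Debian apache package. It brute-forces every single-group owner/group/mode combination and finds none that satisfies all four once ownership is treated as effective write access (the owner can always chmod, which is the reason a www-data-owned /var/www is writable by a compromised server); it then shows that a second, ACL-style named group (what the proposed www-server/www-data split amounts to) does satisfy them. The user names eb and alice, the group name webeditors, and the implicit fifth requirement that the public cannot write are assumptions of the example.

```python
"""Model of Unix owner/group/other permission checks, extended with
POSIX-ACL style named-group entries, used to test the four requirements
from the message against candidate ownerships of /var/www.
Added example, not code from the original thread; names other than
root and www-data are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product

R, W = 4, 2  # read and write bits of one permission triple


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset  # primary plus supplementary groups


@dataclass(frozen=True)
class File:
    owner: str
    group: str
    mode: int           # e.g. 0o640
    acl: tuple = ()     # named-group ACL entries: ((group, bits), ...)


def allowed(p, f, bit):
    """True if principal p effectively has permission `bit` on file f.

    Evaluation order: owner, then matching group entries, then other.
    Two deliberate simplifications: root bypasses DAC entirely, and the
    owner can always chmod the file, so owning it counts as having every
    permission regardless of the mode bits.
    """
    if p.user == "root" or p.user == f.owner:
        return True
    # Every group entry that applies: the owning group's triple plus any
    # named-group ACL entry (POSIX ACL semantics, mask ignored).
    entries = [(f.mode >> 3) & 7] if f.group in p.groups else []
    entries += [bits for g, bits in f.acl if g in p.groups]
    if entries:
        return any(bits & bit for bits in entries)
    return bool((f.mode & 7) & bit)


# Constructed principals: the server as configured in httpd.conf, two
# page editors who are neither root nor www-data, and an anonymous user.
SERVER = Principal("www-data", frozenset({"www-data"}))
EDITORS = (
    Principal("eb", frozenset({"eb", "webeditors"})),
    Principal("alice", frozenset({"alice", "webeditors"})),
)
PUBLIC = Principal("nobody", frozenset({"nobody"}))


def requirements(f):
    """The four requirements from the message (plus one implicit one)."""
    return {
        "1 server can read": allowed(SERVER, f, R),
        "2 server cannot write": not allowed(SERVER, f, W),
        "3 protected data not world-readable": not allowed(PUBLIC, f, R),
        "4 editors can write without becoming root/www-data":
            all(allowed(e, f, W) for e in EDITORS),
        # Assumed, not stated in the message: nobody else may write either.
        "5 (implicit) public cannot write": not allowed(PUBLIC, f, W),
    }


def find_single_group_solution():
    """Try every owner/group/mode with no ACL; return None if none works."""
    users = ["root", "www-data", "eb", "alice", "nobody"]
    groups = ["root", "www-data", "webeditors", "nobody"]
    for owner, group, mode in product(users, groups, range(0o1000)):
        f = File(owner, group, mode)
        if all(requirements(f).values()):
            return f
    return None


# The two-group layout the message asks for: the owning group gives the
# server read-only access, a second (ACL) group gives the editors write.
TWO_GROUP_LAYOUT = File("root", "www-data", 0o640,
                        acl=(("webeditors", R | W),))


if __name__ == "__main__":
    print("single-group solution:", find_single_group_solution())
    for name, ok in requirements(TWO_GROUP_LAYOUT).items():
        print(("ok   " if ok else "FAIL ") + name)
```

Run as a script, it reports that no single-group layout exists and that the root:www-data 640 file with a read/write ACL entry for the editors' group passes every check; on a real filesystem the equivalent would be `setfacl -m g:webeditors:rw` on a tree owned root:www-data with mode 640/750.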
