On Tue, Aug 07, 2001 at 12:13:40PM -0400, Joey Hess wrote: > > > www-data: > > > > > > HELP: Er, I should know this, but this box doesn't run apache and > > > I'm offline. > > > > Used by apache as the user/group, typically is the user/group that > > owns web content. > > Apache runs as user/group www-data, so I think you *don't* want www-data > to own web content, or yout apache server could mess with it if > compromised. > > So why does apache use www-data instead of say, nobody? Ah, I'll bet > it's so that any data apache writes out, like log files, are owned by a > non-nobody user. Yes, that's it. Er, apache's logfiles are created as root since the master apache process runs as root. Children are spawned running as www-data:www-data, therefore no files should be owned by www-data:www-data unless you really want the webserver to be able to write to those files (some people do this with counters, guestbooks, etc. ... you have to be cautious though). Older debian installs set the apache logfiles to www-data:www-data ... this is wrong! www-data has no reason to write to the server logfiles. [hmm, I notice the machine I'm sending this email from has apache logfile ownership fubared. Damn, perhaps newer installs still have this problem. Ah, /etc/cron.d/apache was changing the ownership.] -- Nathan Norman - Staff Engineer | A good plan today is better Micromuse Ltd. | than a perfect plan tomorrow. mailto:nnorman@micromuse.com | -- Patton
Attachment:
pgpJn_GH0CvdQ.pgp
Description: PGP signature