Re: exploring debian's users and groups

On Tue, Aug 07, 2001 at 12:13:40PM -0400, Joey Hess wrote:
> > > www-data:
> > > 
> > > 	HELP: Er, I should know this, but this box doesn't run apache and
> > > 	      I'm offline.
> > 
> > Used by apache as the user/group, typically is the user/group that
> > owns web content.
> Apache runs as user/group www-data, so I think you *don't* want www-data
> to own web content, or your apache server could mess with it if
> compromised.
> So why does apache use www-data instead of say, nobody? Ah, I'll bet
> it's so that any data apache writes out, like log files, are owned by a
> non-nobody user. Yes, that's it.

Er, apache's logfiles are created as root since the master apache
process runs as root.  Children are spawned running as
www-data:www-data, therefore no files should be owned by
www-data:www-data unless you really want the webserver to be able to
write to those files (some people do this with counters, guestbooks,
etc. ... you have to be cautious though).

Older debian installs set the apache logfiles to www-data:www-data ...
this is wrong!  www-data has no reason to write to the server
logfiles. [hmm, I notice the machine I'm sending this email from has
apache logfile ownership fubared.  Damn, perhaps newer installs still
have this problem. Ah, /etc/cron.d/apache was changing the ownership.]
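As an added check (not from this thread or from Debian's apache package), two shell helpers that flag files breaking the ownership rule discussed above: content owned by the www-data run-time user/group, and log files not owned by root. The function names and the paths /var/www and /var/log/apache are this example's assumptions.

```shell
#!/bin/sh
# Ownership audit for the rule discussed above: nothing under the
# document root should be owned by the user/group the Apache children
# run as (www-data on Debian), and log files should stay root-owned.
# Function names and default paths are assumptions of this example.

# List files under DIR owned by USER or GROUP, skipping any path that
# matches the optional PRUNE glob (e.g. a counters directory that the
# server is deliberately allowed to write to).
find_owned_by() {
    dir=$1; user=$2; group=$3; prune=${4:-}
    if [ -n "$prune" ]; then
        find "$dir" -xdev -path "$prune" -prune -o \
             \( -user "$user" -o -group "$group" \) -print
    else
        find "$dir" -xdev \( -user "$user" -o -group "$group" \) -print
    fi
}

# List regular files directly under LOGDIR that are not owned by root.
find_logs_not_root() {
    find "$1" -maxdepth 1 -type f ! -user root -print
}

# Stand-alone usage: report for a Debian-style layout (paths assumed).
if [ "${1:-}" = "--run" ]; then
    echo "== files under /var/www owned by www-data =="
    find_owned_by /var/www www-data www-data
    echo "== apache logs not owned by root =="
    find_logs_not_root /var/log/apache
fi
```

Run it as root with `--run`; any line in the first section is a candidate for a chown back to root (or to the site owner), unless it is a path you intentionally let the server write to.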

