On Sun, Aug 12, 2001 at 11:19:59PM +0200, Marc Haber wrote:
> > That would be a deviation from the Debian way, but it sounds sensible.

the debian way is wrong then. /var/www USED to be owned by www-data, until
someone, possibly me, pointed out that those permissions were retarded, then
it was fixed. unfortunately the idiocy of chowning the log files to
www-data.www-data mode 664 is still not fixed, despite the nearly year old
critical bug against apache. (at least it's easy for the admin to fix, one
value to twiddle in /etc/apache/cron.conf).

> >the site files are owned by whoever created them and are world
> >readable (so the www-daemon user can read them).
> >
> >you might create a group html or something that has write permission
> >to site directories/files, users allowed to make changes to the site
> >would be a member of this group then, but the www-daemon user would
> >NOT and should not be a member.
>
> The ftp daemon would then run as www-data?

NO!! what are you smoking that gives you that idea?? anonymous ftp should run
as a dedicated ftpd user with NO PRIVILEGES, and should own NO FILES. if you
are irresponsible enough to allow lusers to login to their accounts with ftp
they will have the same privileges and group memberships as a ssh login and
thus would be able to modify the same files as in a ssh login.

example:

-rw-rw-r--    1 john     html         4094 Jan 25  2001 /var/www/index.html

user john is the primary maintainer of the web site, group html has members
john, jane, and jeramy, so they may also make changes to the front page. the
anonymous ftp daemon does NOT run with group html privileges, if john, jane or
jeramy login to their account through ftp then the ftpd runs as them, with
their group memberships, just as sshd does.

www-data.www-data is what the web server runs as, the www-data user is not a
member of ANY groups other than www-data. www-data user or group should own NO
FILES.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
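An added audit script (not part of the original message or of any Debian package) that checks a web root against the ownership model described above: the daemon user owns nothing and sits in no editor group, only the editor group has write access, and everything stays world-readable. Assumed names are www-data for the daemon user/group, html for the editor group, and GNU find's -printf for the directory walk.

```shell
#!/bin/sh
# Assumed names (override via environment): daemon account and editor group.
DAEMON_USER="${DAEMON_USER:-www-data}"
DAEMON_GROUP="${DAEMON_GROUP:-www-data}"
EDIT_GROUP="${EDIT_GROUP:-html}"

# check_entry MODE OWNER GROUP PATH
# MODE is the 10-character symbolic mode as printed by `ls -l` / `find -printf %M`
# (e.g. -rw-rw-r--). Prints one finding per violated rule; returns 1 if any.
check_entry() {
    mode=$1; owner=$2; group=$3; path=$4
    rc=0
    # Rule: the daemon user or group must own no files at all.
    if [ "$owner" = "$DAEMON_USER" ]; then
        echo "OWNED-BY-DAEMON: $path"; rc=1
    fi
    if [ "$group" = "$DAEMON_GROUP" ]; then
        echo "DAEMON-GROUP: $path"; rc=1
    fi
    # Rule: never world-writable (others' write bit is character 9).
    case "$mode" in
        ????????w?) echo "WORLD-WRITABLE: $path"; rc=1 ;;
    esac
    # Rule: group write is fine only for the editor group (group write bit is character 6).
    case "$mode" in
        ?????w????)
            [ "$group" = "$EDIT_GROUP" ] || { echo "GROUP-WRITABLE-BY-$group: $path"; rc=1; } ;;
    esac
    # Rule: the daemon reads site files via the world-read bit (character 8).
    case "$mode" in
        ???????r??) ;;
        *) echo "NOT-WORLD-READABLE: $path"; rc=1 ;;
    esac
    return $rc
}

# audit_webroot DIR: walk DIR and report every entry that breaks a rule.
# Uses GNU find's -printf (assumption); paths with spaces land in $path intact.
audit_webroot() {
    find "$1" -printf '%M %u %g %p\n' |
    while read -r mode owner group path; do
        check_entry "$mode" "$owner" "$group" "$path" || :
    done
}

# Example run (constructed; prints nothing when the tree is clean):
# audit_webroot /var/www
```

Running it against the log directory would flag the www-data.www-data mode 664 log files the message complains about, since they violate both the ownership and the group-write rule.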