
Re: exploring debian's users and groups



On Tue, 7 Aug 2001, Joey Hess wrote:

[...]

> > > www-data:
> > > 
> > > 	HELP: Er, I should know this, but this box doesn't run apache and
> > > 	      I'm offline.
> > 
> > Used by apache as the user/group, typically is the user/group that
> > owns web content.
> 
> Apache runs as user/group www-data, so I think you *don't* want www-data
> to own web content, or your apache server could mess with it if
> compromised.
> 
> So why does apache use www-data instead of say, nobody? Ah, I'll bet
> it's so that any data apache writes out, like log files, are owned by a
> non-nobody user. Yes, that's it.

No, it's not. If you use the HTTP protocol to update the contents of your
web server, for example using WebDAV, your web content _must_ be owned by the
same user apache runs as. And any files you upload will be created with the
server's group unless you change the group of your document root and all
directories below it to something else and set the setgid bit on them.

As all current clients, whether Linux or M$, support TLS/SSL, and you can
use the standard apache access control mechanisms, I think this is more
secure than any other popular method used to administer web content.
Unless, of course, you as the sysadmin do it all by yourself.

-- 
Manfred Wassmann
PGP and GnuPG public keys available at http://germany.keyserver.net
PGP: 24B81049 Fingerprint: D7 10 EE 2B 74 16 C0 64  B4 5F BA B2 90 29 3D AF
GPG: 6B299971 Fingerprint: A598 A41F 57A3 5D69 83D2  8027 1274 F8CD 6B29 9971
 * Q: Why is it so hard programming Micro$oft C?
 * A: All functions are declared void.
 * Q: Why that?
 * A: Would you expect Micro$oft to return a value?
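The group/setgid layout described in the reply above (document root and every directory below it owned by a separate group, with the setgid bit set so uploaded files inherit that group instead of the server's), as an added example that is not part of the original mailing list post. It assumes GNU coreutils and findutils on Linux; the `check_docroot` and `fix_docroot` function names, the document root path and the group name are placeholders chosen for the example, and the temporary tree in `demo` is constructed on the spot.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils/findutils
# on Linux (find -group, find -perm -g+s, chmod g+s). Function names and
# paths are placeholders for the example.

# check_docroot DIR GROUP
# Verifies the layout described in the post: every directory under DIR is
# group-owned by GROUP and carries the setgid bit, so files the web server
# (e.g. via WebDAV) creates there inherit GROUP instead of the server's own
# group. Returns 0 when the tree is consistent, 1 otherwise, printing each
# offending directory so an administrator can see what drifted.
check_docroot() {
    dir=$1
    grp=$2
    rc=0
    # Directories whose group is not the intended content group.
    bad=$(find "$dir" -type d ! -group "$grp")
    if [ -n "$bad" ]; then
        printf 'wrong group (want %s):\n%s\n' "$grp" "$bad"
        rc=1
    fi
    # Directories missing the setgid bit: new files there would get the
    # creating process's primary group (the web server's) instead.
    bad=$(find "$dir" -type d ! -perm -g+s)
    if [ -n "$bad" ]; then
        printf 'setgid bit missing:\n%s\n' "$bad"
        rc=1
    fi
    return $rc
}

# fix_docroot DIR GROUP
# Applies the post's recipe: chgrp the whole tree and set the setgid bit on
# every directory (files keep their mode; setgid only matters on dirs here).
fix_docroot() {
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod g+s {} +
}

# Demonstration on a constructed temporary tree. The caller's own primary
# group stands in for the web content group so the demo runs unprivileged.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/htdocs/uploads/deep"
    grp=$(id -gn)
    fix_docroot "$tmp/htdocs" "$grp"
    check_docroot "$tmp/htdocs" "$grp" && echo "after fix: consistent"
    chmod g-s "$tmp/htdocs/uploads/deep"      # simulate drift on one dir
    check_docroot "$tmp/htdocs" "$grp" || echo "after drift: inconsistent"
    rm -rf "$tmp"
}
```

Run `demo` to see both outcomes; in practice `check_docroot /var/www/htdocs webcontent` (placeholder values) is the kind of check worth running from cron, since a single `mkdir` by an administrator without the setgid bit is enough to make later uploads land in the server's group again.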