On Sun, Feb 03, 2002 at 11:29:07PM +0100, Manfred Wassmann wrote:
> Norbert Veber <nveber@debian.org> writes:
>
> [...]
>
> > or that no file must be owned by [...] "www-data",
>
> No way. If apache runs as www-data and you are using things like
> mod_dav (WebDAV), then apache must have full access to any html
> documents and directories to be maintained via WebDAV. I.e. they *must*
> be owned by www-data.

That's pretty insecure, especially if you allow users or virtual hosts to run cgi scripts without suexec. They could run cgi scripts that modify any www-data owned file. One would assume that webdav could also make use of an suexec-like mechanism to overcome this limitation (though I know nothing about dav).

Be that as it may, I was talking in the context of debian packages. I.e. they shouldn't provide any files owned by www-data; what the administrator does after that is his problem :)

Thanks,

Norbert
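An added example, not part of the original thread: one way to check the packaging rule discussed above is to scan a package's file listing for entries the web server account could modify. It assumes the listing format printed by `dpkg-deb --contents`; the function names and the sample listing are constructed for illustration, and the group-write check goes one step beyond the ownership case named in the message.

```shell
#!/bin/sh
# Constructed sample in the format printed by `dpkg-deb --contents pkg.deb`
# (mode, owner/group, size, date, time, path). Not taken from a real package.
sample_listing() {
cat <<'EOF'
drwxr-xr-x root/root         0 2002-02-03 23:29 ./var/www/
-rw-r--r-- root/root      1024 2002-02-03 23:29 ./var/www/index.html
-rw-r--r-- www-data/www-data 512 2002-02-03 23:29 ./var/www/app/config.php
drwxrwxr-x root/www-data     0 2002-02-03 23:29 ./var/lib/app/uploads/
-rw-r----- root/www-data   128 2002-02-03 23:29 ./etc/app/db.conf
EOF
}

# Print one line per entry that the web server account could modify:
#   OWNER <path>        owned by the account (an owner can always chmod)
#   GROUP-WRITE <path>  group is the account and the group write bit is set
# The account name is the optional first argument (default: www-data).
audit_listing() {
    awk -v acct="${1:-www-data}" '
        NF >= 6 {
            split($2, og, "/")
            path = $0
            # Drop the five leading fields, keeping spaces inside the path.
            for (i = 1; i <= 5; i++) sub(/^[ \t]*[^ \t]+[ \t]+/, "", path)
            if (og[1] == acct)
                print "OWNER " path
            else if (og[2] == acct && substr($1, 6, 1) == "w")
                print "GROUP-WRITE " path
        }'
}

# On a real package: dpkg-deb --contents pkg.deb | audit_listing
sample_listing | audit_listing
```

Entries that are only group-readable by the account, such as the `db.conf` line in the sample, are not reported because a CGI script running as that account cannot change them.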