Re: Config files which are writable by www-data
On Sat, Feb 09, 2008 at 10:09:13AM +0100, Roland Gruber wrote:
> The problem is that my application provides a set of default templates
> for user creation. These files must be editable via the application
> itself and therefore reside in /var/ldap-account-manager.
I most sincerely hope they do not.
> But the files are overwritten on every package installation because they
> are not treated as config files in Debian's sense.
Well, don't do that, then. Ship the template files somewhere else, and then
copy them into /var if they're not already there.
> Now I think about moving the files to /etc. But Debian policy says that
> files in /etc should be owned by root and writable only by the user.
> So what can I do? Would it be ok to assign these files to group www-data
> and allow the group write access? Or would it be better to own them by
> www-data and not root?
There are already some files in /etc that are writable by www-data, so
that's a possibility too. It comes down to direct admin editability -- is
it expected that sysadmins may want to futz around with these template files
using a text editor, or is the only sensible way of dealing with these files
through the application? If the former, /etc. If the latter, /var.
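
The "ship the templates somewhere else, then copy them into /var if they're not already there" approach from the reply above, as an added example that is not part of the original message or of the package under discussion. The function name and the directories passed to it are hypothetical; a maintainer script would call it with the package's read-only defaults directory and its state directory under /var. Because such a script runs as root inside a directory the web server user can write to, a symlink in the destination is treated as "already present" and is never written through.

```shell
#!/bin/sh
# Added example (hypothetical helper): seed default templates into a state
# directory without overwriting anything that is already there.

# seed_templates SRC DST [OWNER]
#   SRC   read-only defaults shipped by the package
#   DST   state directory the application edits
#   OWNER optional user:group for new files (e.g. root:www-data)
# Prints the number of files newly installed.
seed_templates() {
    src=$1 dst=$2 owner=${3:-}
    copied=0
    mkdir -p "$dst" || return 1
    for f in "$src"/*; do
        [ -f "$f" ] || continue          # skip subdirectories and an empty glob
        name=${f##*/}
        target=$dst/$name
        # [ -e ] follows symlinks, so a dangling link would look "absent".
        # Test -L as well: any existing name, link or not, is left alone.
        if [ -e "$target" ] || [ -L "$target" ]; then
            continue
        fi
        # Copy to a temporary name in DST, fix mode and owner, then rename,
        # so a half-written or wrongly-owned template is never visible.
        tmp=$(mktemp "$dst/.seed.XXXXXX") || return 1
        cp "$f" "$tmp" && chmod 0660 "$tmp" || { rm -f "$tmp"; return 1; }
        if [ -n "$owner" ]; then
            chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
        fi
        mv "$tmp" "$target" || { rm -f "$tmp"; return 1; }
        copied=$((copied + 1))
    done
    echo "$copied"
}
```

Running it again after an upgrade installs only templates that are new in the package and leaves edited ones untouched.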