Re: Config files which are writable by www-data

[Matthew Palmer <mpalmer@debian.org>]

On Sat, Feb 09, 2008 at 10:09:13AM +0100, Roland Gruber wrote:
> The problem is that my application provides a set of default templates
> for user creation. These files must be editable via the application
> itself and therefore reside in /var/ldap-account-manager.

I most sincerely hope they do not.

> But the files are overwritten on every package installation because they
> are not treated as config files in Debian's sense.

Well, don't do that, then.  Ship the template files somewhere else, and then
copy them into /var if they're not already there.

> Now I think about moving the files to /etc. But Debian policy sais that
> files in /etc should be owned by root and writable only by the user.
> 
> So what can I do? Would it be ok to assign these files to group www-data
> and allow the group write access? Or would it be better to own them by
> www-data and not root?

There are already some files in /etc that are writable by www-data, so
that's a possibility too.  It comes down to direct admin editability -- is
it expected that sysadmins may want to futz around with these template files
using a text editor, or is the only sensible way of dealing with these files
through the application?  If the former, /etc.  If the latter, /var.

- Matt