
Re: OT?:Proper owner of html files in Apache



On Tue, Jul 24, 2001 at 03:13:25PM -0400, Ken Januski wrote:
> What I'm trying to find out is if root.root is a good idea? I assume it
> is or it wouldn't be the default. It just seems odd to me to have to
> become root in order to write either an html or cgi page.

You can set up the ownership of the webpages just like you like it.
Read a book about Unix permissions and ownership management and
set up a nice scheme.  It really depends mostly on your particular
setup and needs.  That is also one of the reasons Debian sets no
standards here, other than that the local admin sets the standard.

Possible setups:

root.root owned files, some user edits copies of the files in a local
directory.  When ready, the files are copied to the webroot by root.

*.webwackers owned and group writable files, with all users who are
supposed to be able to edit web content a member of that group.  Put the
sgid bit on the directories, if you like.  This scheme can also be
combined with the edit-a-copy scheme in the above.

www-data.www-data owned files are evil, because then the webserver process
can modify files.  This is unwanted if the webserver process is somehow
compromised and precisely the reason for the separate www-data userid;
it is a dedicated "nobody" user.  As all cgi scripts by default will
also run as www-data, their output files are owned by www-data also,
which is ugly for the above reasons, but hard to prevent.

Because you can make virtual servers and scripts run under alternate
userids of your own choice, your options are limited to your imagination.

Cheers,


Joost
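
An audit for the ownership schemes described in this message, added here as an example and not part of the original post: it walks a webroot and reports every entry the web server account could modify, plus directories lacking the sgid bit. The function name `audit_webroot`, the reason strings and the `/var/www` default path are assumptions; `www-data` is the account named in the message.

```python
import os
import stat

def audit_webroot(root, web_uid, web_gids, want_setgid_dirs=True):
    """Walk `root` and return sorted (relative_path, reason) findings."""
    web_gids = set(web_gids)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced
            rel = os.path.relpath(path, root)
            if st.st_uid == web_uid:
                # An owner can always chmod the entry back to writable.
                findings.append((rel, "owned by web server user"))
            if st.st_gid in web_gids and st.st_mode & stat.S_IWGRP:
                findings.append((rel, "group-writable by web server group"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if (want_setgid_dirs and stat.S_ISDIR(st.st_mode)
                    and not st.st_mode & stat.S_ISGID):
                # Advisory only: the group scheme treats sgid as optional.
                findings.append((rel, "directory without setgid bit"))
    return sorted(findings)

if __name__ == "__main__":
    import pwd
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www"  # assumed webroot
    user = sys.argv[2] if len(sys.argv) > 2 else "www-data"  # account from the post
    pw = pwd.getpwnam(user)
    gids = os.getgrouplist(user, pw.pw_gid)  # primary and supplementary groups
    for rel, reason in audit_webroot(root, pw.pw_uid, gids):
        print(f"{reason}: {rel}")
```

Files written by cgi scripts running as www-data show up under the first reason, which makes it easy to tell them apart from content that was installed with the wrong owner.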


