Re: OT?:Proper owner of html files in Apache



Thanks Joost,

The *.webwhackers scenario sounds like the best idea. I've never been
that clear on sgid but your response forced me to read the manual :) on
it and then put it to use.

Ken

Joost Kooij wrote:
> 
> On Tue, Jul 24, 2001 at 03:13:25PM -0400, Ken Januski wrote:
> > What I'm trying to find out is if root.root is a good idea? I assume it
> > is or it wouldn't be the default. It just seems odd to me to have to
> > become root in order to write either an html or cgi page.
> 
> You can set up the ownership of the webpages just like you like it.
> Read a book about unix permissions and ownership management and
> set up a nice scheme.  It really depends mostly on your particular
> setup and needs.  That is also one of the reasons debian sets no
> standards here, other than that the local admin sets the standard.
> 
> Possible setups:
> 
> root.root owned files, some user edits copies of the files in a local
> directory.  When ready, the files are copied to the webroot by root.
> 
> *.webwackers owned and group writable files, with all users who are
> supposed to be able to edit webcontent a member of that group.  Put the
> sgid bit on the directories, if you like.  This scheme can also be
> combined with the edit-a-copy scheme in the above.
> 
> www-data.www-data owned files are evil, because then the webserver process
> can modify files.  This is unwanted if the webserver process is somehow
> compromised and precisely the reason for the separate www-data userid,
> it is a dedicated "nobody" user.  As all cgi scripts by default will
> also run as www-data, their output files are owned by www-data also,
> which is ugly for the above reasons, but hard to prevent.
> 
> Because you can make virtual servers and scripts run under alternate
> userids of your own choice, your options are limited to your imagination.
> 
> Cheers,
> 
> Joost
> 
> --
> To UNSUBSCRIBE, email to debian-user-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
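
The group-owned, group-writable scheme with sgid directories described in the quoted message, together with a check for the www-data-owned case it warns about, as an added shell example that is not part of either message. The directory, group and web-server user are caller-supplied assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added illustration; the group, web-server user and path are supplied by the
# caller and are assumptions, not values taken from the thread.

# apply_scheme DIR GROUP
# Hand the tree to GROUP, make it group-writable, and set the sgid bit on every
# directory so files created later inherit GROUP instead of the creator's
# primary group. Existing execute bits (CGI scripts) are left alone.
apply_scheme() {
    dir=$1; group=$2
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod g+rwxs,o-w {} + || return 1
    find "$dir" -type f -exec chmod g+rw,o-w {} +
}

# audit_webroot DIR WEBUSER
# Print one line per finding; return 0 if the tree is clean, 1 otherwise.
#   owned-by-server : the web server's own uid could rewrite the file
#   world-writable  : any local account could rewrite the file
#   no-sgid-dir     : new files here would not inherit the editors' group
audit_webroot() {
    dir=$1; webuser=$2
    findings=$(
        find "$dir" -user "$webuser" -exec printf 'owned-by-server %s\n' {} \;
        find "$dir" ! -type l -perm -0002 -exec printf 'world-writable %s\n' {} \;
        find "$dir" -type d ! -perm -2000 -exec printf 'no-sgid-dir %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Typical use, as root (path and group name are placeholders):
#   apply_scheme /path/to/webroot webeditors
#   audit_webroot /path/to/webroot www-data
```

The sgid bit only fixes the group of new files; they come out group-writable only if the editors work with a umask of 002.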
