
applications, users, groups, permissions


I have been playing with apache on my debian server and have a few
questions about how applications (apache in this case) have access
permission to files. I am assured by the people on #apache that this
is a vanilla *nix question and not an apache question. I hope this is
a good place to ask because I'd really like to know the answers.

In my apache2.conf file I have the user and group directives which are
fairly self-explanatory.

User www-data
Group www-data

When apache tries to serve a file it must have permission to access
that file. Apache will have permission because either the "www-data"
user has permission to access that file or group "www-data" has
permission. How does the permission checking occur? When the apache
process starts does it tell the os its user and group and then the os
knows when apache tries to access a file? Or when apache tries to
access a file the os asks apache for its user and group? Or when
apache tries to access a file it also tells the os its user and

Why is it I can set the group to one that the user does not belong to?
Shouldn't there be an error when an application is identifying itself
as a user and group that don't go together? Or when accessing a file
the os simply checks in sequence the user permission and then the
group permission if necessary and no process ever checks if apache's
user and group go together?

I can also comment out the group directive altogether. The default
value of the group directive in apache is "#-1". There is no group
with id -1 on my computer. How can I determine which group apache is
running in? An application must be running in a particular group,
mustn't it? If I also comment out the User directive apache cannot
even start because user with id 4294967295 (i.e. 2^32-1) does not
exist. This makes me think group with id 4294967295 doesn't exist
either. So an application must be running as a user but not necessarily
as a group?

I can understand how the #apache people say these are generic
application file access permission questions. I hope someone can shed
some light on how this works.

Thank you,
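
The following is an added example, not part of the original post and not Apache's code: a simplified C model of the classic Unix permission check, which compares the credentials the kernel already holds for a process against a file's owner, group and mode, and shows how a numeric "#-1" value wraps to the 4294967295 quoted in the post. It assumes a 32-bit unsigned uid_t and ignores root privileges and ACLs; the struct, the function names and the ids 33 and 1000 are constructed for illustration.

```c
/* Added example: simplified model of the classic Unix permission check.
   Ignores root/capabilities and ACLs; all names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

struct cred { uid_t uid; gid_t gid; const gid_t *groups; int ngroups; };

/* Numeric "#N" value converted to an unsigned id (assumes 32-bit uid_t). */
static uid_t id_from_directive(const char *s) {
    return (uid_t)strtol(s + 1, NULL, 10);   /* "#-1" wraps to 4294967295 */
}

static int in_group(const struct cred *c, gid_t g) {
    if (c->gid == g) return 1;
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g) return 1;
    return 0;
}

/* want: bitmask of 4 (read), 2 (write), 1 (execute). Exactly one class is
   consulted: owner, else group, else other. The uid and the gids are
   compared independently; nothing checks that they "go together". */
static int may_access(const struct cred *c, uid_t owner, gid_t group,
                      mode_t mode, int want) {
    int bits;
    if (c->uid == owner)          bits = (mode >> 6) & 7;
    else if (in_group(c, group))  bits = (mode >> 3) & 7;
    else                          bits = mode & 7;
    return (bits & want) == want;
}

int main(void) {
    /* The kernel holds these per process; the program never re-sends them. */
    gid_t sup[64];
    int n = getgroups(64, sup);
    if (n < 0) n = 0;
    struct cred me = { geteuid(), getegid(), sup, n };
    printf("euid=%lu egid=%lu supplementary groups=%d\n",
           (unsigned long)me.uid, (unsigned long)me.gid, n);
    printf("#-1 as id: %lu\n", (unsigned long)id_from_directive("#-1"));
    /* Constructed file: owner 0, group 33, mode 0640 */
    printf("read 0640 0:33 -> %d\n", may_access(&me, 0, 33, 0640, 4));
    return 0;
}
```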
