
Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour



Raffaele Morelli wrote:
> Lukasz Szybalski wrote:
> > Thanks for the feedback. I did check with other production sites I run,
> > and most of them are owned by root. I have to test to see "if you want to
> > use the "wordpress" to upload a theme using the site UI", I think you might
> > be forced to have the www-data own and being able to write to theme folder.
> > If you don't you would have to sftp the theme there and unzip it manually.
> 
> root should not own files served by apache for any reason, that's really
> "dangerous"!

No.  Files owned by root and served by Apache are not dangerous.

What is dangerous are files owned by the Apache process user www-data,
writable by www-data, and then potentially written using an attack
against the web server code base.  But some projects require that just
the same regardless of the danger.

> you should never do that...

You should always do this.  :-)

There is no problem whatsoever with files being owned by root.  This
is done all of the time.  It is okay.  This is the default for files
installed by Debian packages for example.

If you truly believe that files owned by root are a problem then
please start filing bug reports because there are a lot of packages
with files owned by root.

Bob

P.S. This is deja vu from just a few days ago.

  http://lists.debian.org/debian-user/2013/12/msg00221.html
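
The ownership distinction drawn in this message can be checked on a live document root. The following is an added example, not part of the original post: it lists every path the web server account could modify, including files it owns but that are currently read-only (the owner can chmod them back). The default path `/var/www` and the helper names are assumptions; `www-data` is the account named in the thread.

```python
import os
import stat
import sys

def write_access(st, uid, gids):
    """Classify how a process with this uid/gids could modify the inode, else None."""
    if st.st_uid == uid:
        # The owner can always chmod a read-only file back to writable.
        return "owner-writable" if st.st_mode & stat.S_IWUSR else "owner-can-chmod"
    if st.st_gid in gids:
        return "group-writable" if st.st_mode & stat.S_IWGRP else None
    return "world-writable" if st.st_mode & stat.S_IWOTH else None

def audit_docroot(root, uid, gids=frozenset()):
    """Return sorted (relative path, reason) pairs the web user can modify."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # mode bits on a symlink do not control access to its target
            reason = write_access(st, uid, gids)
            if reason:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)

if __name__ == "__main__":
    import grp
    import pwd
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www"   # assumed default docroot
    user = sys.argv[2] if len(sys.argv) > 2 else "www-data"
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    for rel, reason in audit_docroot(root, pw.pw_uid, gids):
        print(f"{reason:16} {rel}")
```

A tree owned by root with mode 644/755 produces no output; a writable directory appears as its own entry because write access to a directory allows creating and replacing files inside it.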
