Re: www-data
On 29/10/2018 11:42, mick crane wrote:
> I'm asking because somebody is saying that webmail server files should
> be owned by root but I don't know about that, if somebody has got so far
> to be www-data they might as well be root ?
Web server configuration files are typically owned by root and not
writeable by other users. Files containing secrets such as private keys
may only be readable by root. When a server is started as root, it reads
its configuration files and secrets, then drops privileges by changing
user. During normal operation as an unprivileged user, the server cannot
edit its own configuration files or write where access has not been
granted to www-data. This provides a substantial level of protection
that is absent in a server running as root. Apache can also be used as a
proxy for other services such as Tomcat, providing an additional layer
of protection.
The specific case of webmail likely requires read-write access to user
mailboxes. I do not know how privilege separation is handled in this case.
Kind regards,
--
Ben Caradoc-Davies <ben@transient.nz>
Director
Transient Software Limited <https://transient.nz/>
New Zealand
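
The ownership rule described in the reply above can be checked mechanically. The following is an added example, not part of the original message: it evaluates POSIX mode bits to report which files the unprivileged server user could still modify, and which secrets it could still read, after the privilege drop. It assumes www-data is uid/gid 33 (the Debian default); the sample entries are constructed for illustration.

```python
import stat
from collections import namedtuple

# Constructed sample entries: path, owner uid, group gid, mode, is_secret.
# uid/gid 0 = root; 33 = www-data on Debian (assumption for this example).
Entry = namedtuple("Entry", "path uid gid mode secret")
SAMPLE = [
    Entry("/etc/apache2/apache2.conf", 0, 0, 0o644, False),
    Entry("/etc/ssl/private/site.key", 0, 0, 0o600, True),
    Entry("/etc/apache2/sites-enabled/mail.conf", 33, 33, 0o644, False),
    Entry("/etc/ssl/private/mail.key", 0, 33, 0o640, True),
    Entry("/etc/apache2/conf-enabled/extra.conf", 0, 0, 0o666, False),
]

def allowed(e, uid, gids):
    """Return (can_read, can_write) for a non-root uid using POSIX mode bits.

    Only the first matching class (owner, then group, then other) applies.
    ACLs, capabilities and parent-directory permissions are not considered.
    """
    if uid == e.uid:
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif e.gid in gids:
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    return bool(e.mode & r), bool(e.mode & w)

def audit(entries, uid=33, gids=(33,)):
    """List files the service user can modify, or secrets it can read."""
    findings = []
    for e in entries:
        can_read, can_write = allowed(e, uid, gids)
        if can_write:
            findings.append((e.path, "writable by service user"))
        if e.secret and can_read:
            findings.append((e.path, "secret readable after privilege drop"))
    return findings

if __name__ == "__main__":
    for path, problem in audit(SAMPLE):
        print(f"{path}: {problem}")
```
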