hi jérémy,

On Sun, May 16, 2010 at 06:52:24PM +0200, Jérémy Lal wrote:
> webapps-common draft states in 3.2.1 [0] that config files
> modifiable by the application must belong to www-data group.
>
> Since now it's easy (with e.g. spawn-fcgi) to setup fastcgi
> backends as a plain user, web apps don't have to be run as
> www-data.
>
> Potential benefits :
> - one application can't access sensible files of another
>   application running as www-data.
> - provides an easy way to limit resource usage by
>   each web app, since it's bound to one user.
>
> Along these lines, i wonder if a common scheme for user naming
> could be defined (something like www-data-mywebapp).

i don't think i'm such a fan of creating a "namespace" for this case of
users, since it's going to be inconsistent no matter what and typically
ends up in bikeshed-color type arguments on -devel anyway (i.e. this is
already the case with normal package-created users, so this would add yet
another variable into the mix).

but apart from that i think that it's definitely a good idea to update the
document to discuss and/or encourage having separate non-www-data users in
this use case. patches welcome :)

sean