On Tue, Jul 24, 2001 at 03:13:25PM -0400, Ken Januski wrote:
> What I'm trying to find out is if root.root is a good idea? I assume it
> is or it wouldn't be the default. It just seems odd to me to have to
> become root in order to write either a html or cgi page.

You can set up the ownership of the webpages just like you like it. Read a book about Unix permissions and ownership management and set up a nice scheme. It really depends mostly on your particular setup and needs. That is also one of the reasons Debian sets no standards here, other than that the local admin sets the standard.

Possible setups:

- root.root owned files, some user edits copies of the files in a local directory. When ready, the files are copied to the webroot by root.

- *.webwackers owned and group writable files, with all users who are supposed to be able to edit webcontent a member of that group. Put the sgid bit on the directories, if you like. This scheme can also be combined with the edit-a-copy scheme in the above.

www-data.www-data owned files are evil, because then the webserver process can modify files. This is unwanted if the webserver process is somehow compromised and precisely the reason for the separate www-data userid; it is a dedicated "nobody" user. As all cgi scripts by default will also run as www-data, their output files are owned by www-data also, which is ugly for the above reasons, but hard to prevent.

Because you can make virtual servers and scripts run under alternate userids of your own choice, your options are limited to your imagination.

Cheers,
Joost
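
The ownership rules in the reply above can be checked mechanically. The following is an added example, not part of the original message: a POSIX shell audit that reports webroot entries owned by the webserver user, world-writable entries, and group-writable directories missing the sgid bit. The function names `audit_webroot` and `make_sample_tree` and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail). Usage:
#   audit_webroot /var/www www-data
# The second argument defaults to www-data, the webserver user named in the mail.

audit_webroot() {
    root=$1
    server_user=${2:-www-data}

    # Anything the webserver user owns can be rewritten by a compromised
    # server process or by any CGI script running under that userid.
    find "$root" -user "$server_user" ! -type l | sed 's/^/OWNED-BY-SERVER /'

    # World-writable entries are writable by the webserver user as well.
    find "$root" ! -type l -perm -0002 | sed 's/^/WORLD-WRITABLE /'

    # Group-writable directories without the sgid bit: new files get the
    # creator's primary group instead of the shared editors' group.
    find "$root" -type d -perm -0020 ! -perm -2000 | sed 's/^/DIR-NO-SGID /'
}

# Builds a constructed sample tree in a temporary directory and prints its path.
# Modes are set explicitly so the result does not depend on the caller's umask.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/site" "$t/shared"
    chmod 755 "$t" "$t/site"
    chmod 775 "$t/shared"            # group-writable, no sgid bit
    : > "$t/site/index.html"
    chmod 644 "$t/site/index.html"
    : > "$t/site/upload.cgi"
    chmod 777 "$t/site/upload.cgi"   # world-writable script
    printf '%s\n' "$t"
}
```

An empty report means no entry under the webroot matches any of the three conditions; the checks only read metadata, so the audit can run as an unprivileged user who can traverse the tree.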