Web lists-archives.com

Re: www-data




On 29/10/2018 11:42, mick crane wrote:
I'm asking because somebody is saying that webmail server files should be owned by root but I don't know about that, if somebody as got so far to be www-data they might as well be root ?

Web server configuration files are typically owned by root and not writeable by other users. Files containing secrets such a private keys may only be readable by root. When a server is started as root, it reads its configuration files and secrets, then drops privileges by changing user. During normal operation as an unprivileged user, the server cannot edit its own configuration files or write where access has not been granted to www-data. This provides a substantial level of protection that is absent in a server running as root. Apache can also be used as a proxy for other services such as Tomcat, providing an additional layer of protection.

The specific case of webmail likely requires read-write access to user mailboxes. I do not know how privilege separation is handled in this case.

Kind regards,

--
Ben Caradoc-Davies <ben@xxxxxxxxxxxx>
Director
Transient Software Limited <https://transient.nz/>
New Zealand