- Date: Sun, 28 Oct 2018 19:57:08 -0400
- From: Gene Heskett <gheskett@xxxxxxxxxxx>
- Subject: Re: www-data
On Sunday 28 October 2018 18:42:41 mick crane wrote:
> On 2018-10-28 21:38, Ben Caradoc-Davies wrote:
> > On 29/10/2018 10:26, Carl Fink wrote:
> >> On 10/28/2018 05:16 PM, mick crane wrote:
> >>> what's the deal with www-data ?
> >>> I never made that user
> >>> I dunno if it has a password or what ?
> >>> these are things that some setup / install makes ?
> >> It's created by the Apache installer. Check the Apache docs.
> > And it should have no password. This user is accessed by switching
> > to it from root. As a security measure, after binding to privileged
> > network ports as root, apache switches to user www-data so that, if
> > it is compromised, the damage is limited. Processes that have
> > dropped root privileges cannot automatically regain them. Postgres
> > and Tomcat do the same thing with their own dedicated users.
> I'm asking because somebody is saying that webmail server files should
> be owned by root but I don't know about that, if somebody as got so
> far to be www-data they might as well be root ?
I don't think thats how it works. UID/GID as www-data is just part of the
sandbox apache2 and its ilk play in. In fact after I've equipt apach2
with some new toy, the last thing I do as root is a chown -R
www-data:www-data any directory apache2 can access in going about its
Thats how IUI, and no one accessing my web page (its on this machine)
has jumped the sandbox fence in around 15 years now.
Cheers, Gene Heskett
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>