On Sun 28 Oct 2018 at 19:57:08 (-0400), Gene Heskett wrote:
> On Sunday 28 October 2018 18:42:41 mick crane wrote:
> > On 2018-10-28 21:38, Ben Caradoc-Davies wrote:
> > > On 29/10/2018 10:26, Carl Fink wrote:
> > >> On 10/28/2018 05:16 PM, mick crane wrote:
> > >>> what's the deal with www-data ?
> > >>> I never made that user
> > >>> I dunno if it has a password or what ?
> > >>> these are things that some setup / install makes ?
If you are merely alarmed, perhaps read
where you'll see that user/group 33 is reserved for this user.
> > >> It's created by the Apache installer. Check the Apache docs.
… but bear in mind that you don't have to install apache for
that user/group to be created on your system.
> > > And it should have no password. This user is accessed by switching
> > > to it from root. As a security measure, after binding to privileged
> > > network ports as root, apache switches to user www-data so that, if
> > > it is compromised, the damage is limited. Processes that have
> > > dropped root privileges cannot automatically regain them. Postgres
> > > and Tomcat do the same thing with their own dedicated users.
> > I'm asking because somebody is saying that webmail server files should
> > be owned by root but I don't know about that, if somebody as got so
> > far to be www-data they might as well be root ?
Then you probably need to read the docs carefully, rather than taking
any notice of what's written below, which contradicts anything I've
read on this subject.
> I don't think thats how it works. UID/GID as www-data is just part of the
> sandbox apache2 and its ilk play in. In fact after I've equipt apach2
> with some new toy, the last thing I do as root is a chown -R
> www-data:www-data any directory apache2 can access in going about its
> normal business.
> Thats how IUI, and no one accessing my web page (its on this machine)
> has jumped the sandbox fence in around 15 years now.
Why would they bother.