On Wed, 7 Jun 2000, Will Trillich wrote:

> On Fri, Jun 02, 2000 at 01:08:04AM -0800, Ethan Benson wrote:
> > On Fri, Jun 02, 2000 at 01:52:10PM +0900, Olaf Meeuwissen wrote:
> > > Just a quick question: how (un)safe is it to create your own files and
> > > directories below /var/www/? Are there any names taken (besides dwww
> > > and index.html)?
> >
> > /var/www should belong to you, i don't think any debian package will
> > clobber anything in there, if they do it's a bug. /var/www is set as
> > the document root for apache so it's obviously natural for your site to
> > go there and be organized how you see fit. the index.html file should
> > be replaced by your own.
> >
> > just make sure it's not owned by www-data.www-data!
>
> what's the flaw in that? it's MORE secure to have files owned by root??
> i don't grok that just yet, sensei...

The problem with it is that ANYBODY who is able to put up a script that runs as www-data will be able to remove your /var/www. This includes anything run from an apache module or a cgi and not run via suexec. E.g. php3 scripts, cgi-scripts, servlets, jsp files, and so on, which all by default run as www-data. And suexec is disabled by default. Only this "small" flaw...

And there is no problem with files owned by root, as long as they are not suid-root, or not executable at all.

Regards,
Robert
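One way to check a server for the condition Robert describes, as an added example that is not part of the thread: a POSIX sh function (the name `audit_docroot` and the placeholder account names are my own) that lists every entry under a document root the web-server account could alter, whether because it owns the entry, because the entry is group-writable by the web-server group, or because it is world-writable. It goes beyond the post's single case (ownership by www-data) to cover the two permission-bit cases that give the same result.

```shell
#!/bin/sh
# audit_docroot DOCROOT [WEBUSER] [WEBGROUP]
# Print every path under DOCROOT that the web-server account could modify
# or delete; return 1 if any is found, 0 if the tree is clean.
# Defaults match Debian's apache account (www-data:www-data).
audit_docroot() {
    docroot=$1
    webuser=${2:-www-data}
    webgroup=${3:-$webuser}

    # Start with the test every host can run: world-writable entries.
    set -- -perm -o=w

    # Add the ownership tests only for accounts that exist on this host,
    # since find aborts on an unknown -user / -group name.
    if id "$webuser" >/dev/null 2>&1; then
        set -- "$@" -o -user "$webuser"
    else
        echo "note: no user '$webuser' here; skipping owner check" >&2
    fi
    if getent group "$webgroup" >/dev/null 2>&1; then
        set -- "$@" -o \( -group "$webgroup" -perm -g=w \)
    else
        echo "note: no group '$webgroup' here; skipping group check" >&2
    fi

    # Any one of the OR'ed conditions is enough to flag the entry.
    hits=$(find "$docroot" \( "$@" \) -print)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}
```

Source the file and run `audit_docroot /var/www`; a non-zero exit with paths listed means something under the docroot is exposed to whatever runs as the web-server account.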
> On Fri, Jun 02, 2000 at 01:08:04AM -0800, Ethan Benson wrote: > > On Fri, Jun 02, 2000 at 01:52:10PM +0900, Olaf Meeuwissen wrote: > > > Just a quick question: how (un)safe is it to create your own files and > > > directories below /var/www/? Are there any names taken (besides dwww > > > and index.html)? > > > > /var/www should belong to you, i don't think any debian package will > > clobber anything in there, if they do its a bug. /var/www is set as > > the document root for apache so its obviously natural for your site to > > go there and be organized how you see fit. the index.html file should > > be replaced by your own. > > > > just make sure its not owned by www-data.www-data! > > what's the flaw in that? it's MORE secure to have files owned by root?? > i don't grok that just yet, sensei... > The problem with it is that ANYBODY whois being able to put up a script that runs as www-data will be able remove your /var/www. This includes anything ran from an apache module or a cgi and not run via suexec. Eg. php3 scripts, cgi-scripts, servlets, jsp files, and so on, which all by default run as www-data. And suexec is disabled by default. Only this "small" flaw... And there is no problem with files owned by root, as long as they are not suid-root, or not executable at all. Regards, Robert