2013/12/24 Bob Proulx <b...@proulx.com>

> Raffaele Morelli wrote:
> > Lukasz Szybalski wrote:
> > > Thanks for the feedback. I did check with other production sites I run,
> > > and most of them are owned by root. I have to test to see "if you want to
> > > use the "wordpress" to upload a theme using the site UI", I think you might
> > > be forced to have the www-data own and being able to write to theme folder.
> > > If you don't you would have to sftp the theme there and unzip it manually.
> >
> > root should not own files served by apache for any reason, that's really
> > "dangerous"!
>
> No. Files owned by root and served by Apache are not dangerous.
>
> What is dangerous are files owned by the Apache process user www-data,
> writable by www-data, and then potentially written using an attack
> against the web server code base. But some projects require that just
> the same regardless of the danger.
>
> > you should never do that...
>
> You should always do this. :-)

Read the Apache webserver documentation.

> There is no problem whatsoever with files being owned by root. This
> is done all of the time. It is okay. This is the default for files
> installed by Debian packages for example.
>
> If you truly believe that files owned by root are a problem then
> please start filing bug reports because there are a lot of packages
> with files owned by root.

You are quite wrong here, "debian packages" (what are you referring to?) are not PHP scripts supposed to go online and be exposed to the world.

Keep in mind that if a PHP script is owned by root user and there's a security hole in it, an attacker can easily access every block of your file system.

Web pages are supposed to run with the same privileges and (limited) shell as the user who runs the webserver.

Please, don't you spread confusion and read about security stuff.

/r
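
The thread turns on which account owns the served files and which account can write to them. The following is an added example, not part of any message in the thread: a shell function that lists the paths under a document root that a given web server account could modify, judged by owner, group and mode bits. The function name `audit_web_writable` is hypothetical, the `www-data` defaults are taken from the thread, and ACLs and supplementary groups are assumed not to be in use.

```shell
#!/bin/sh
# Added example (not from the thread): report files and directories under a
# document root that the web server account can write to.
#
# Usage: audit_web_writable DOCROOT [USER] [GROUP]
#   USER and GROUP default to www-data, the Apache account named in the thread.
#   Numeric IDs are accepted as well as names.
#
# Assumptions: only classic owner/group/other mode bits are considered;
# POSIX ACLs and supplementary group memberships are not inspected.
audit_web_writable() {
    docroot=$1
    web_user=${2:-www-data}
    web_group=${3:-www-data}

    if [ ! -d "$docroot" ]; then
        echo "not a directory: $docroot" >&2
        return 2
    fi

    # A path can be modified by the account when one of these holds:
    #   1. the account owns it and the owner write bit (0200) is set
    #   2. the account's group owns it and the group write bit (0020) is set
    #   3. the world write bit (0002) is set
    # A writable directory matters too: new files can be created inside it.
    find "$docroot" \( -type f -o -type d \) \
        \( \( -user "$web_user" -perm -200 \) \
           -o \( -group "$web_group" -perm -020 \) \
           -o -perm -002 \) \
        -print | sort
}
```

An empty result means the account can read what it serves but cannot change it; every listed path is one that code running as that account could overwrite or add files to.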